HTTPS connections fail and SSL Bindings are deleted for a website in Internet Information Services (IIS) 7.0 and 7.5
Article ID: 2025598
Consider the following scenario. You have a web application running on Internet Information Services (IIS) 7.0 or higher that is configured with an SSL binding. Intermittently, connections to the website over HTTPS fail. Users can still access the site over HTTP, unless the site is configured to require SSL connections. When the problem occurs, users trying to browse to the website over HTTPS may see warning messages stating that the SSL certificate has expired or is not yet valid, or that the website name is incorrect. If a site administrator opens the IIS Manager to view the site's SSL settings, they may find that the SSL bindings for the website have been deleted, or have been replaced with invalid certificate binding information. Finally, an event similar to the following is logged in the System event log:
The SSL binding for the website has been deleted and not replaced, or has been deleted and replaced with invalid certificate info. The problem occurs because of a legacy SSL certificate hash property interfering with the current SSL binding, resulting in the correct binding being deleted.
Locate the following property in the <CustomMetaData> section of the applicationHost.config file, and delete it:
This property is a legacy feature from Internet Information Services (IIS) 6.0 and is no longer needed.
The 5506 custom property was used in IIS 6.0 to store an SSL certificate hash. When an application or service that depends on the ABO mapper in IIS 7.0 or IIS 7.5 attempts to start, it tries to initialize the ABO tree structure, which includes generating custom nodes and properties. During this process it reads from the <CustomMetaData> section and tries to map the properties into the ABO tree structure. During mapping it deletes the current SSL bindings in HTTP.sys and creates a new binding using the legacy hash value described above. If this value is invalid, it fails to add the new SSL binding in HTTP.sys. As a result, the website has no valid IP:Port combination corresponding to the SSL binding in HTTP.sys. With a blank or invalid SSL binding, HTTPS connections to the website fail.
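A read-only check for the legacy property described above, as an added example (not Microsoft's code). It assumes customMetadata entries are `<key path="...">` elements with `<property id="...">` children, which the page does not show; the function name `Find-LegacySslHashProperty` and the sample XML are constructed for illustration.

```powershell
param([string]$Path)   # optional: a copy of applicationHost.config to scan

# Added example (not Microsoft's code). Read-only: it reports and never edits.
# Assumption: customMetadata holds <key path="..."> elements with
# <property id="..." .../> children; the article does not show the XML.
function Find-LegacySslHashProperty {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # XML names are case-sensitive and the article spells the section name
    # two ways, so compare it case-insensitively (-ieq).
    $sections = @($Config.SelectNodes('//*') |
        Where-Object { $_.get_LocalName() -ieq 'customMetadata' })

    foreach ($section in $sections) {
        foreach ($prop in $section.SelectNodes('.//*[@id="5506"]')) {
            New-Object psobject -Property @{
                KeyPath     = $prop.get_ParentNode().GetAttribute('path')
                Id          = $prop.GetAttribute('id')
                DataType    = $prop.GetAttribute('dataType')
                ValueLength = $prop.GetAttribute('value').Length
            }
        }
    }
}

# Constructed sample input; the value is a placeholder, not a real hash.
$sample = [xml]@'
<configuration>
  <customMetadata>
    <key path="LM/W3SVC/1">
      <property id="5506" dataType="Binary" userType="1" attributes="None" value="PLACEHOLDER" />
      <property id="9000" dataType="String" userType="1" attributes="None" value="unrelated" />
    </key>
  </customMetadata>
</configuration>
'@

$config = if ($Path) { [xml](Get-Content -LiteralPath $Path) } else { $sample }
$hits = @(Find-LegacySslHashProperty -Config $config)

if ($hits.Count -eq 0) {
    'No property 5506 found under customMetadata.'
} else {
    $hits | Format-Table KeyPath, Id, DataType, ValueLength -AutoSize
}
```

Run it against a copy of the file, and back up applicationHost.config before deleting the property. `netsh http show sslcert` lists the IP:Port bindings currently registered in HTTP.sys, which is where a deleted binding shows up as missing.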
Steps to reproduce:
The issue can be reproduced by adding the following under the <CustomMetadata> section of the applicationHost.config file:
After this is done, starting any application that requires the ABO Mapper, such as the IIS Manager (Inetmgr6.exe), or enumerating the metabase using ADSUTIL.vbs, will result in the problem described in this article.