Help and Support

Netscape users cannot access Web pages with 128-bit certificate authentication

View products that this article applies to.
Article ID:260266
Last Review:November 1, 2006
Revision:4.2
This article was previously published under Q260266

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
On This Page

SYMPTOMS

You may not be able to gain access to Web pages after upgrading a 40-bit Secure Sockets Layer (SSL) certificate to a 128-bit SSL certificate (VeriSign). When you attempt to connect with a Netscape 40-bit browser, the following error message is displayed and no connection is made:
The security library has experienced an error. You will probably be unable to connect to this site securely.

Back to the top

CAUSE

The 128-bit VeriSign certificate is a Server Gated Cryptography (SGC) certificate; it causes secure connections between Netscape clients and Microsoft Internet Information Services (IIS) servers not to work. When the SGC renegotiation is performed, handshaking does not succeed.

Back to the top

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack

Back to the top

Instructions for Installation

After you apply the hotfix and restart your computer, run the following command to provide 128-bit high encryption non-export support:
%systemroot%\system32\export\encinst
When you run this command, the command prompt returns with no message displayed. After you restart your computer, the hotfixes for Crypt32.dll and Schannel.dll are installed.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Windows 2000 Service Pack 1.

Back to the top

MORE INFORMATION

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 (http://support.microsoft.com/kb/249149/EN-US/) Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
The best way to determine if a certificate is an SGC certificate is to view the certificate by using the Certificates tool. In the Details pane, if the Enhanced Key Usages line contains one or both of the following entries, the certificate is SGC-enabled:
Unknown Key Usage(2.16.840.1.113730.4.1)
Unknown Key Usage(1.3.6.1.4.1.311.10.3.3)

Back to the top

APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition

Back to the top

Keywords: 
kbbug kbfix kbqfe kbwin2000sp1fix KB260266

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Contact Microsoft
    Phone Numbers, Support Options and Pricing, Online Help, and more.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.