IIS: Cannot Create a 128-bit SSL Session with IIS

Article ID: 300398
This article was previously published under Q300398
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1

Symptoms

You install a 128-bit high-encryption certificate on Internet Information Server (IIS) version 4.0 or 5.0, and then browse to IIS over https:// with a 128-bit-enabled Web browser. However, the Web browser negotiates only a 40-bit or 56-bit Secure Sockets Layer (SSL) session with IIS. If you open the Internet Services Manager and set the Secure Communication property to Require 128-bit encryption, you may receive the following error message in the browser when you browse to IIS:
HTTP Error 403
403.5 Forbidden: SSL 128 required

This error message indicates that the resource you are trying to access is secured with a 128-bit version of Secure Sockets Layer (SSL). In order to view this resource, you need a browser that supports this level of SSL.

Please confirm that your browser supports 128-bit SSL security. If it does, then contact the Web server's administrator and report the problem.

You also receive the following message in the system event log on the IIS server:

Event Type: Error
Event Source: Schannel
Event ID: 36874
Description:
An SSL connection request was received from a remote client application, but none
of the cipher suites supported by the client application are supported by the
server. The SSL connection request has failed.
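
The Schannel event above is the server-side counterpart of the browser's 403.5 message. As an added example (not part of the original article), the Python below picks such records out of a System event log saved as text; the "Field: value" export layout and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample: a System event log exported as text in the
# "Field: value" layout this article uses. Not real log data.
SAMPLE_EXPORT = """\
Event Type: Information
Event Source: Service Control Manager
Event ID: 7036
Description:
The World Wide Web Publishing Service entered the running state.

Event Type: Error
Event Source: Schannel
Event ID: 36874
Description:
An SSL connection request was received from a remote client application, but none
of the cipher suites supported by the client application are supported by the
server. The SSL connection request has failed.
"""

FIELD = re.compile(r"^(Event Type|Event Source|Event ID|Description):\s*(.*)$")

def parse_events(text):
    """Split an exported log into dicts; Description may span several lines."""
    events, current, in_desc = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":   # "Event Type" opens a new record
            current = {"Description": ""}
            events.append(current)
        if current is None:
            continue                           # skip text before the first record
        if m:
            key, value = m.groups()
            current[key] = value.strip()
            in_desc = key == "Description"
        elif in_desc and line.strip():         # continuation of a wrapped description
            current["Description"] = (current["Description"] + " " + line.strip()).strip()
    return events

def cipher_mismatch_events(events):
    """Records matching the article's symptom: Schannel, Event ID 36874."""
    return [e for e in events
            if e.get("Event Source", "").lower() == "schannel"
            and e.get("Event ID") == "36874"]

if __name__ == "__main__":
    for e in cipher_mismatch_events(parse_events(SAMPLE_EXPORT)):
        print(e["Event Type"], e["Event ID"], e["Description"][:60])
```
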

Cause

The server that is hosting IIS does not have the Windows High Encryption Pack installed. If the encryption level is not 128-bit, IIS cannot create a 128-bit SSL session.

Resolution

Update Microsoft Windows with the High Encryption Pack.

NOTE: The Windows High Encryption Pack is the same as the Microsoft Internet Explorer High Encryption Pack.

Windows NT 4.0

The High Encryption Pack can be installed onto Windows NT 4.0 by updating to the High Encryption version of the latest Windows NT Service Pack. For additional information on how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

More information

To verify the encryption level that is installed, open Microsoft Internet Explorer on the IIS server computer and click About Internet Explorer on the Help menu. In the About Internet Explorer dialog box, the encryption level is listed next to Cipher Strength.

Properties

Article ID: 300398 - Last Review: September 20, 2012 - Revision: 6.0
Keywords: 
kbpending kbprb KB300398
