Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

Article ID: 841642

SYMPTOMS

When you access a Web site that is set to require client certificates, you may receive the following HTTP error message, even if you are sure that the client certificate has not been revoked:
403.13 Client Certificate Revoked
You receive this error message when all the following conditions are true:
  • Your computer is running Microsoft Windows 2000 Service Pack 3.
  • You have applied MS04-011.
  • The version of the Infocomm.dll file is earlier than 5.0.2195.6709.
  • Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a Certificate Distribution Point (CDP) extension.
  • You are using a Certificate Revocation List (CRL) that has a critical Issuer Distribution Point (IDP) extension.

CAUSE

The problem occurs if you have applied MS04-011 and both the following conditions are true:
  • Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a Certificate Distribution Point (CDP) extension.
  • You are using a Certificate Revocation List (CRL) that has a critical Issuer Distribution Point (IDP) extension.
When the first condition is true, Internet Information Services (IIS) cannot validate the intermediate certificate, so it rejects the chain. If you have not applied MS04-011, the chain is still trusted when both the first and the second conditions are true. After you apply MS04-011, the chain fails because the revocation status of the certificate is unknown.

RESOLUTION

To resolve this problem, install the May 2003 cumulative update for IIS. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
811114 MS03-018: May 2003 cumulative patch for Internet Information Services (IIS)

WORKAROUND

To work around this problem, use one of the following methods:
  • If you do not want revocation checking on the intermediate certification authority certificates, issue an empty Certificate Revocation List (CRL) that has a very long expiration period from the parent certification authority. Install the CRL in the local computer certificate store on the IIS computer.
  • Reissue the intermediate certification authority certificate. Make sure that all the following are true:
    • The certificate has a CDP extension with a working URL.
    • The new certificate has the same name and the same key as the certificate that it replaces.
    • The notBefore and notAfter validity times of the new certificate are later than the corresponding times on the original certificate.
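The following script is an added example, not Microsoft's code or part of this article. It checks, from the DER-encoded Extensions of an intermediate CA certificate and of a CRL, whether the combination described in the CAUSE section is present (certificate without a CDP extension plus CRL with a critical IDP extension), and it shows what a certificate reissued under the second workaround should carry (a CDP extension). It assumes the caller has already extracted the bare Extensions SEQUENCE from the certificate or CRL with a proper ASN.1 tool; the sample inputs are constructed inline with a small encoder, and the OIDs 2.5.29.31 (cRLDistributionPoints) and 2.5.29.28 (issuingDistributionPoint) are the standard X.509 values.

```python
# Added example (not Microsoft's code): parse the DER Extensions SEQUENCE of a
# certificate or CRL with the standard library only and report whether the
# combination described in KB 841642 is present.
# Assumption: the caller supplies the bare Extensions SEQUENCE (contents of the
# [3] EXPLICIT tag in TBSCertificate, or of the [0] EXPLICIT tag in TBSCertList).
# All sample inputs below are constructed for this example.

CDP_OID = "2.5.29.31"  # cRLDistributionPoints
IDP_OID = "2.5.29.28"  # issuingDistributionPoint


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_extensions(der):
    """Map each extension OID in a DER Extensions SEQUENCE to its critical flag."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    result = {}
    pos = 0
    while pos < len(seq):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
        #                          extnValue OCTET STRING }
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_bytes, p = _read_tlv(ext, 0)
        tag, body, _ = _read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"  # absent BOOLEAN means FALSE
        result[_decode_oid(oid_bytes)] = critical
    return result


def kb841642_applies(cert_extensions, crl_extensions):
    """True when the intermediate CA certificate has no CDP extension and the
    CRL carries a critical IDP extension: the combination MS04-011 rejects."""
    return CDP_OID not in cert_extensions and crl_extensions.get(IDP_OID, False)


# --- tiny DER encoder, used only to construct the sample inputs ---------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(x) for x in oid.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunks = [p & 0x7F]
        p >>= 7
        while p:
            chunks.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunks))
    return out


def _extension(oid, critical, value):
    body = _tlv(0x06, _encode_oid(oid))
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


# Constructed samples: an intermediate CA certificate with basicConstraints only
# (no CDP), the same certificate reissued with a CDP, and a CRL whose IDP
# extension is marked critical (plus a non-critical crlNumber).
BASIC_CONSTRAINTS = _extension("2.5.29.19", True, b"\x30\x03\x01\x01\xff")
CA_CERT_EXTS_NO_CDP = _tlv(0x30, BASIC_CONSTRAINTS)
CA_CERT_EXTS_WITH_CDP = _tlv(0x30, BASIC_CONSTRAINTS + _extension(CDP_OID, False, b"\x30\x00"))
CRL_EXTS_CRITICAL_IDP = _tlv(0x30, _extension(IDP_OID, True, b"\x30\x00")
                             + _extension("2.5.29.20", False, b"\x02\x01\x05"))

if __name__ == "__main__":
    crl = parse_extensions(CRL_EXTS_CRITICAL_IDP)
    for name, exts in (("no CDP", CA_CERT_EXTS_NO_CDP), ("with CDP", CA_CERT_EXTS_WITH_CDP)):
        hit = kb841642_applies(parse_extensions(exts), crl)
        print(f"intermediate CA cert {name}: KB 841642 condition {'present' if hit else 'absent'}")
```

Running the script reports the condition as present for the certificate without a CDP extension and absent for the reissued one, which is the check to make before and after applying the second workaround. The parser only reads the extension identifiers and their critical flags; it deliberately does not interpret extension values, so it cannot tell you whether a CDP URL actually works.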

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 841642 - Last Review: November 21, 2006 - Revision: 1.1
APPLIES TO
  • Microsoft Internet Information Services 5.0, when used with:
    • Microsoft Windows 2000 Service Pack 3
    • Microsoft Windows 2000 Service Pack 2
    • Microsoft Windows 2000 Service Pack 1
    • Microsoft Windows 2000 Standard Edition
Keywords: kbhttp kbwebserver kbprb kbwebservices KB841642
