Description of the changes to network retrieval of PKI objects in Windows Vista Service Pack 1 and in Windows Server 2008

Article ID: 946401 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
Expand all | Collapse all

On This Page

Summary

During certificate path validation, Windows Vista Service Pack 1 (SP1) and Windows Server 2008 may retrieve objects such as certificates and certificate revocation lists (CRLs) from the network. Windows Vista SP1 and Windows Server 2008 support this network retrieval functionality by using the FILE protocol, the HTTP protocol, and the LDAP protocol.

By default, the FILE protocol for network retrieval of public key infrastructure (PKI) objects is disabled to improve security during the network retrieval process. Additionally, the network retrieval process that uses the LDAP protocol or the HTTP protocol is modified in Windows Vista SP1 and in Windows Server 2008. For more information about these changes, see the “More Information” section.
Back to the top | Give Feedback

More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note Certificate authorities can still use Universal Naming Convention (UNC) paths to publish CRLs to network locations. This may be useful if the network locations are shared as web server virtual directories, which provide access to CRLs over HTTP.

Changes in the network retrieval process that uses the FILE protocol

By default, the network retrieval process that uses the FILE protocol is disabled for certificate operations. If you want to enable this feature, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type AllowFileUrlScheme, and then press ENTER.
  5. Right-click AllowFileUrlScheme, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
This setting reverts the computer to the behavior of Windows XP Service Pack 2 (SP2), of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the LDAP protocol

By default, the PKI client in Windows Vista SP1 and in Windows Server 2008 signs and encrypts all LDAP traffic for PKI objects. Additionally, if authentication is required only for network retrieval, Kerberos authentication is performed. For testing, you may want to disable the functionality in Windows Vista SP1 and in Windows Server 2008 that signs and encrypts LDAP traffic. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type DisableLDAPSignAndEncrypt, and then press ENTER.
  5. Right-click DisableLDAPSignAndEncrypt, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
After you apply this setting, either NTLM credentials or Kerberos credentials are used for authentication. Additionally, the Sign flag and the Encrypt flag are not set in the LDAP requests. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the HTTP protocol

In the PKI client in Windows Vista SP1 and in Windows Server 2008, the network retrieval process that uses the HTTP protocol performs authentication only for the proxies that are locally configured. Whether authentication is performed depends on the error message that is returned from the proxy. If the proxy returns the following error message, authentication is performed:
HTTP 407: Proxy Authentication required
If the proxy returns the following error message, authentication is not performed:
HTTP 401: Access Denied
Note If proxy authentication is required, both Kerberos authentication and NTLM authentication will be performed.

If you want to change this default behavior, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type EnableInetUnknownAuth, and then press ENTER.
  5. Right-click EnableInetUnknownAuth, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
After you apply this setting, authentication is now performed when the proxy returns an "HTTP 401" error message. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.
Back to the top | Give Feedback

Properties

Article ID: 946401 - Last Review: March 15, 2013 - Revision: 1.0
Applies to
  • Windows Vista Service Pack 1
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbexpertiseinter kbhowto kbinfo KB946401
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top