Description of the changes to network retrieval of PKI objects in Windows Vista Service Pack 1 and in Windows Server 2008
Article ID: 946401
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows (http://support.microsoft.com/kb/322756/)
During certificate path validation, Windows Vista Service Pack 1 (SP1) and Windows Server 2008 may retrieve objects such as certificates and certificate revocation lists (CRLs) from the network. Windows Vista SP1 and Windows Server 2008 support this network retrieval functionality by using the FILE protocol, the HTTP protocol, and the LDAP protocol.
By default, the FILE protocol for network retrieval of public key infrastructure (PKI) objects is disabled to improve security during the network retrieval process. Additionally, the network retrieval process that uses the LDAP protocol or the HTTP protocol is modified in Windows Vista SP1 and in Windows Server 2008. For more information about these changes, see the “More Information” section.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Note Certificate authorities can still use Universal Naming Convention (UNC) paths to publish CRLs to network locations. This may be useful if the network locations are shared as web server virtual directories, which provide access to CRLs over HTTP.
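Because FILE retrieval is off by default and LDAP retrieval is now signed and encrypted, it is worth knowing which of your certificates carry CRL Distribution Point (CDP) or Authority Information Access (AIA) URLs that use those schemes. The following PowerShell script is an added example, not part of this article or of Windows; it reads the CDP and AIA extensions of each certificate in a store (the store path is a placeholder you should adjust) and reports the scheme of every URL together with the change from this article that affects it.

```powershell
# Added example (not from the KB article): audit CDP/AIA URLs in a certificate store
# and flag the URL schemes whose retrieval behaviour changed in Vista SP1 / Server 2008.
#   file://  FILE retrieval is disabled by default, so these URLs are not fetched.
#   ldap://  LDAP retrieval is now signed and encrypted (Kerberos when authentication is required).
#   http://  HTTP retrieval authenticates to a local proxy only on HTTP 407, not on HTTP 401.
param(
    # Placeholder store path; point it at the store whose chains you want to audit.
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$cdpOid = '2.5.29.31'           # CRL Distribution Points
$aiaOid = '1.3.6.1.5.5.7.1.1'   # Authority Information Access

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -ne $cdpOid -and $ext.Oid.Value -ne $aiaOid) { continue }

        # Format($true) renders the extension as multi-line text that contains "URL=<uri>" entries.
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }

        foreach ($url in $urls) {
            $scheme = ([uri]$url).Scheme
            $impact = switch ($scheme) {
                'file'  { 'FILE retrieval disabled by default (not fetched)' }
                'ldap'  { 'LDAP traffic now signed/encrypted; Kerberos if auth required' }
                'http'  { 'HTTP: proxy authentication only on HTTP 407' }
                default { 'not affected by this article' }
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Extension  = $ext.Oid.FriendlyName
                Url        = $url
                Impact     = $impact
            }
        }
    }
} | Format-Table -AutoSize
```

Run it against Cert:\LocalMachine\My, Cert:\LocalMachine\CA or any other store; any row whose Impact mentions FILE retrieval identifies a chain that will fail revocation checking on an unmodified Windows Vista SP1 or Windows Server 2008 client.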
Changes in the network retrieval process that uses the FILE protocol
By default, the network retrieval process that uses the FILE protocol is disabled for certificate operations. If you want to enable this feature, follow these steps:
Changes in the network retrieval process that uses the LDAP protocol
By default, the PKI client in Windows Vista SP1 and in Windows Server 2008 signs and encrypts all LDAP traffic for PKI objects. Additionally, if authentication is required only for network retrieval, Kerberos authentication is performed. For testing, you may want to disable the functionality in Windows Vista SP1 and in Windows Server 2008 that signs and encrypts LDAP traffic. To do this, follow these steps:
Changes in the network retrieval process that uses the HTTP protocol
In the PKI client in Windows Vista SP1 and in Windows Server 2008, the network retrieval process that uses the HTTP protocol performs authentication only for the proxies that are locally configured. Whether authentication is performed depends on the error message that is returned from the proxy. If the proxy returns the following error message, authentication is performed:
HTTP 407: Proxy Authentication required
Note If proxy authentication is required, both Kerberos authentication and NTLM authentication will be performed.
If the proxy returns the following error message, authentication is not performed:
HTTP 401: Access Denied
If you want to change this default behavior, follow these steps: