SGC Connections May Fail from Domestic Clients

View products that this article applies to.

This article was previously published under Q249863

SYMPTOMS

Web clients may fail to connect to Web sites that use Server Gated Cryptography (SGC) for strong encryption when a secure connection is required. If either the Internet server or Web client is running Microsoft products, then the connection may fail. If the Internet server and Web client are both running Microsoft products, then no problem occurs.

Back to the top

CAUSE

This problem occurs in the security provider Schannel.dll file, which is used in Microsoft Internet Information Server (IIS) and Microsoft Internet Explorer, when you connect to a site that uses SGC to do high encryption, and the export cipher suite uses one hash algorithm and the domestic cipher suite uses another. In this situation, the Schannel.dll file occasionally selects the wrong algorithm, which results in a failed connection.

Back to the top

RESOLUTION

Windows 2000

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 (http://support.microsoft.com/kb/260910/EN-US/ ) How to Obtain the Latest Windows 2000 Service Pack

Back to the top

Windows NT 4.0

To resolve this problem, obtain the Windows NT 4.0 Security Rollup Package. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

299444 (http://support.microsoft.com/kb/299444/EN-US/ ) Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)

The English version of this fix should have the following file attributes or later:

   Date      Time                 Size    File name     Platform

   -------------------------------------------------------------
   01/26/2000  06:15p             154,384 Schannel.dll  NT x86 40bit
   01/26/2000  07:40p             267,536 Schannel.dll  NT Alpha 40bit
   01/26/2000  07:40p             123,664 Schannel.dll  NT x86 128bit
   01/26/2000  07:40p             226,576 Schannel.dll  NT Alpha 28bit

Back to the top

Microsoft Windows NT Server version 4.0, Terminal Server Edition

To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

317636 (http://support.microsoft.com/kb/317636/EN-US/ ) Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package

Back to the top

Windows 9x

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

   Date      Time      Size     File name     Platform
   -------------------------------------------------------
   01/26/2000  03:15p  154,384  Schannel.dll  Win95 40bit
   01/26/2000  04:40p  123,664  Schannel.dll  Win95 128bit
   01/26/2000  03:15p  154,384  Schannel.dll  Win98 40bit
   01/26/2000  04:40p  123,664  Schannel.dll  Win98 128bit

Back to the top

STATUS

Windows 2000

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.

Back to the top

Windows NT 4.0

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows NT 4.0.

Back to the top

Windows 9x

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 95, Windows 98, and Windows 98 Second Edition.

Back to the top

MORE INFORMATION

This fix should be applied based on the following scenarios:

If the server is running IIS and the clients are not running Microsoft Internet Explorer, then apply the Microsoft Windows NT patch on the server.
If the server is running Microsoft Personal Web Server (PWS) for Windows 95 or 98 and the clients are not running Microsoft Internet Explorer, then apply the appropriate Microsoft Windows 95 or 98 patch on the PWS computer.
If the server is not running IIS or PWS and the client is running Microsoft Internet Explorer, then apply the appropriate Microsoft Windows NT, Microsoft Windows 95, or Microsoft Windows 98 patch on the client.

Note: If the Internet server and Web client are Microsoft products, then there is no issue. In most Windows 95 and Windows 98 cases, Windows is used as a client, and the fix should be applied on the client side.

Back to the top