Netscape users cannot access Web pages with 128-bit certificate authentication

This article was previously published under Q260266
This article has been archived. It is offered "as is" and will no longer be updated.

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
You may not be able to gain access to Web pages after upgrading a 40-bit Secure Sockets Layer (SSL) certificate to a 128-bit SSL certificate (VeriSign). When you attempt to connect with a Netscape 40-bit browser, the following error message is displayed and no connection is made:
The security library has experienced an error. You will probably be unable to connect to this site securely.
The 128-bit VeriSign certificate is a Server Gated Cryptography (SGC) certificate; it causes secure connections between Netscape clients and Microsoft Internet Information Services (IIS) servers not to work. When the SGC renegotiation is performed, handshaking does not succeed.
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

Instructions for Installation

After you apply the hotfix and restart your computer, run the following command to provide 128-bit high encryption non-export support:
When you run this command, the command prompt returns with no message displayed. After you restart your computer, the hotfixes for Crypt32.dll and Schannel.dll are installed.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Windows 2000 Service Pack 1.
More information
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
The best way to determine if a certificate is an SGC certificate is to view the certificate by using the Certificates tool. In the Details pane, if the Enhanced Key Usages line contains one or both of the following entries, the certificate is SGC-enabled:
Unknown Key Usage(2.16.840.1.113730.4.1)
Unknown Key Usage(

Article ID: 260266 - Last Review: 10/26/2013 13:44:00 - Revision: 5.0

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition

  • kbnosurvey kbarchive kbbug kbfix kbqfe kbwin2000sp1fix KB260266