[SDP 3][6bb4d9d8-cc45-4bab-b2bc-f795214ecd92] IIS SSL Diagnostic

Summary

The IIS SSL Diagnostic tool for the Support Diagnostic Platform (SDP) is designed to troubleshoot SSL issues on IIS; it collects information used for troubleshooting common SSL issues. This diagnostic also allows the user to capture an ETW trace log for the IIS and SCHANNEL providers.

More Information

This article describes the information that may be collected from a machine when running the IIS SSL Diagnostic on a computer that is experiencing issues while browsing to web sites running over SSL.


Information Collected

Operating System
Description
Machine Name
OS Name
Build
Time Zone/Offset
Last Reboot/Uptime
User Account Control
Username


Computer System
Description
Computer Model
Processor(s)
Machine Domain
Role
RAM (physical)


Certutil Output
Description | File Name
Output of running the certutil -verifystore command on the thumbprint of the certificate assigned to each binding on the web site | {Computername}_CERTUTIL_VERFIYSTORE_CERT(n).TXT
Dump of the CRL URL cache of the OS (obtained by running the command certutil -urlcache CRL) | {Computername}_CERTUTIL_CRL_CACHE.TXT


Event Log Files
Description | File Name
Application Event Log | {Computername}_evt_Application.evtx
System Event Log | {Computername}_evt_System.evtx
Security Event Log | {Computername}_evt_Security.evtx


IIS Configuration
Description | File Name
IIS/ASP.NET Configuration Files | {Computername}_IISConfiguration.zip


IIS Log Files
Description | File Name
If the option to collect ETW traces is selected during execution, this file contains the ETW trace captured with the various IIS and SCHANNEL providers enabled | {Computername}_IISSSLETWLOGFILES.zip


IIS/SSL Related Registry Settings
Description | File Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP | {Computername}_REG_SERVICES_HTTP.TXT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL | {Computername}_REG_SCHANNEL.TXT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults | {Computername}_REG_CRYPTOGRAPHY.TXT


Installed Updates/Hotfixes
Description | File Name
Update/Hotfix history (CSV) | {Computername}_Hotfixes.CSV
Update/Hotfix history (HTML) | {Computername}_Hotfixes.htm
Update/Hotfix history (text) | {Computername}_Hotfixes.TXT


Networking Information
Description | File Name
TCP/IP Basic Information | {Computername}_TcpIp-Info.txt
SMB Basic Information | {Computername}_SMB-Info.txt


SSL Settings Report
Description | File Name
This file contains information about various metabase settings that are relevant for troubleshooting SSL issues, e.g. AccessSSLFlags, AccessSSL, AccessSSLNegotiateCert, AccessSSLRequireCert, IIS Client Certificate Mapping and AD Client Certificate authentication. It also lists the status of the IIS services and provides details of each secure binding configured on the web site, including the certificate bound to it. If any of the SSL related protocols is disabled on the server, this file also reports them. If the policy for changing the order of cipher suites is configured, the order specified is also shown in this file. | {Computername}_SSLReport.htm


Virtualization Information
Description | File Name
Machine Virtualization Information in HTM format | {Computername}_Virtualization.htm
Machine Virtualization Information in TXT format | {Computername}_Virtualization.txt


Additional Information

If the user chooses to collect an IIS ETW log, the diagnostic enables an IIS ETW trace named “IIS ETW SDP Trace”. The diagnostic automatically stops this trace when the user clicks Next while the trace is running. If the user clicks Cancel, they should stop the trace with the following command from an administrative command prompt:

Logman.exe stop "IIS ETW SDP Trace" -ets

In addition to the collected information listed in these tables, this troubleshooter can detect one or more of the following situations:
  • Whether the IIS related services are in a running state or not
  • Whether the site contains an SSL binding or not
  • Whether HTTP.SYS is listening on the SSL binding port or the port is occupied by another executable
  • Whether the web site has a certificate assigned to the secure binding
  • Whether the web site is in a started state or not
  • Whether Active Directory client certificate authentication is enabled and the DsMapperUsage setting on the binding matches that of the site
  • Whether Active Directory client certificate authentication is enabled but the web site does not require or accept client certificates
  • Permissions on the machine keys folder
  • Whether the binding format specified in the web site bindings is correct or not
  • Whether an IP inclusion list is configured on the server and the IP address configured on the web site binding is not present in that list
  • Whether the type of certificate is correct or not (i.e. Intended Purposes says Server Authentication)
  • Whether the certificate is archived
  • Whether the certificate is missing the private key
  • Incorrect KeySpec (i.e. the certificate has any KEYSPEC defined other than AT_EXCHANGE)
  • If the certificate has a subject alternative name, an information message is shown
  • If the certificate has a subject alternative name, the bindings of all other web sites are checked for the same binding and port combination; for each match, the diagnostic checks whether the binding has the same certificate and that the host headers do not match
  • If the certificate has a wildcard, an information message is shown
  • If the certificate has a wildcard, the bindings of all other web sites are checked for the same binding and port combination; for each match, the diagnostic checks whether the binding has the same certificate and that the host headers do not match
  • Whether the validation of the server certificate succeeds
  • Whether the certificate is expired
  • Whether any of the SSL protocols are disabled on the server
  • Whether the order of cipher suites has been changed on the server
  • Whether any of the certificate keys have a length of less than 1024 bits
  • Whether MS12-006 is installed on the machine
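
The following script is an added example and is not the IIS SSL Diagnostic's own code: it re-implements a subset of the checks in the list above for every HTTPS binding on the server (binding format, HTTP.SYS listener, site state, certificate expiry, private key, Intended Purposes, key length, KeySpec, SAN and wildcard notes, chain validation, disabled SCHANNEL protocols and the cipher suite order policy) and, as in the Certutil Output table, saves the certutil -verifystore output for each binding's certificate. It assumes an elevated Windows PowerShell 5.1 session on the IIS host with the WebAdministration module (IIS 7.0 or later) and Get-NetTCPConnection (Windows 8 / Windows Server 2012 or later); the output directory and the 1024-bit threshold are the script's own choices, and the file names merely mirror the diagnostic's.

```powershell
# Added example, not the IIS SSL Diagnostic's own code (see the lead-in for assumptions).
Import-Module WebAdministration

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID "Server Authentication"
$MinKeyBits    = 1024                   # threshold the diagnostic uses
$OutDir        = Join-Path $env:TEMP 'iis-ssl-check'   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Test-SslCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint, [int]$Index)
    $findings = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return @("certificate $Thumbprint is not in LocalMachine\My") }

    if ($cert.NotAfter -lt (Get-Date)) { $findings += "expired on $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey)      { $findings += 'private key is missing' }
    if ($cert.Archived)                { $findings += 'certificate is archived' }

    # Intended Purposes must include Server Authentication (no EKU extension means any purpose)
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $findings += 'Intended Purposes does not include Server Authentication'
    }

    # ECC keys throw here on .NET Framework; the 1024-bit threshold only makes sense for RSA anyway
    try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = $null }
    if ($keySize -and $keySize -lt $MinKeyBits) { $findings += "public key is $keySize bits (below $MinKeyBits)" }

    # KeySpec exists for legacy CAPI keys only; KeyNumber 'Exchange' is AT_KEYEXCHANGE
    # (written AT_EXCHANGE in the list above). CNG keys have no KeySpec and are skipped.
    try {
        $info = $cert.PrivateKey.CspKeyContainerInfo
        if ($info -and $info.KeyNumber -ne 'Exchange') { $findings += "KeySpec is $($info.KeyNumber)" }
    } catch { }

    # Informational notes, as the diagnostic gives for SAN and wildcard certificates
    # (DnsNameList falls back to the subject CN, so more than one entry approximates "has a SAN")
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -gt 1)  { $findings += "info: DNS names: $($names -join ', ')" }
    if ($names -match '^\*') { $findings += 'info: wildcard certificate' }

    # Chain validation via .NET, plus the raw certutil output the diagnostic also saves
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $findings += 'validation failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    $out = Join-Path $OutDir "$($env:COMPUTERNAME)_CERTUTIL_VERIFYSTORE_CERT$Index.TXT"
    & certutil.exe -verifystore My $Thumbprint 2>&1 | Out-File -FilePath $out
    return $findings
}

function Test-HttpsBindings {
    $i = 0
    foreach ($b in @(Get-WebBinding -Protocol https)) {
        $i++
        $site = if ($b.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { '?' }
        $findings = @()

        # Binding format must be IP:port:hostheader; IPv6 addresses contain colons, so anchor on the port
        if ($b.bindingInformation -notmatch '^(?<ip>.+):(?<port>\d+):(?<hh>.*)$') {
            $findings += "malformed binding '$($b.bindingInformation)'"
        } else {
            $ip = $Matches.ip; $port = [int]$Matches.port
            # HTTP.SYS listens from the System process (PID 4); any other owner means the port is taken
            $l = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalAddress -in @($ip, '0.0.0.0', '::') } | Select-Object -First 1
            if (-not $l) { $findings += "nothing is listening on ${ip}:${port}" }
            elseif ($l.OwningProcess -ne 4) {
                $p = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                $findings += "port $port is owned by '$p' (PID $($l.OwningProcess)), not HTTP.SYS"
            }
        }
        if ((Get-WebsiteState -Name $site).Value -ne 'Started') { $findings += 'site is not started' }
        if (-not $b.certificateHash) { $findings += 'no certificate assigned to the secure binding' }
        else { $findings += Test-SslCertificate -Thumbprint $b.certificateHash -Index $i }

        [pscustomobject]@{ Site = $site; Binding = $b.bindingInformation; Findings = $findings }
    }
}

function Get-DisabledSchannelProtocols {
    # Enabled = 0 under Protocols\<name>\Server disables that protocol on the server side
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $server = Join-Path $_.PSPath 'Server'
        if ((Test-Path $server) -and ((Get-ItemProperty $server).Enabled -eq 0)) { $_.PSChildName }
    }
}

function Get-CipherSuiteOrderPolicy {
    # Present only when the "SSL Cipher Suite Order" group policy has been applied
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
}

Test-HttpsBindings | Format-List
"Disabled SCHANNEL protocols: $((Get-DisabledSchannelProtocols) -join ', ')"
"Cipher suite order policy: $(Get-CipherSuiteOrderPolicy)"
```

An empty Findings list for a binding means none of the implemented checks fired; the script deliberately does not touch the DsMapperUsage, IP inclusion list, machine keys folder permission or MS12-006 checks, which the diagnostic performs but which need additional configuration context to evaluate correctly.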

References

KB 973559 - Frequently asked questions about the Microsoft Support Diagnostic Tool (MSDT) for Windows 7
http://support.microsoft.com/kb/973559

Properties

Article ID: 2753695 - Last Review: Sep 13, 2012 - Revision: 1