DOCUMENT:Q184055 30-APR-1999 [iis] TITLE :IIS: Certificate Security Affected By Schannel.dll PRODUCT :Internet Information Server PROD/VER:WINNT:3.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server 3.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When you install a Certificate on a computer running Microsoft Internet Information Server, there will be no indication of an error. However, HTTPS access will not be possible. Turning off the "Require secure channel SSL" option in the Microsoft Internet Service Manager and stopping and restarting the service enables access through HTTP. CAUSE ===== The security strength of the Schannel.dll file on the computer where the key request was generated does not match the security strength of the server upon which the certificate is installed. RESOLUTION ========== Match the security strength of the Schannel.dll file on the requesting computer with the security strength of the Schannel.dll file on the server that will be using the generated Certificate. To do this, perform the following steps: 1. Open Windows NT Explorer on the computer creating the request file. 2. Go to the \System32 subdirectory. 3. Highlight the file and open the properties page. If the file is not found, check the Options in the Tool menu and ensure that the View All Files option is checked. 4. Click the Version tab of the SCHANNEL.DLL properties page. Security strength is easiest defined by the description. If the description references "(Export)" then the DLL is the 40 bit encryption version. If the description references "(US and Canada" then the DLL is the 128 bit encryption version. (Note: The missing right bracket on the US and Canada version is not a typographical error.) Although it is possible to generate a functional key request from a computer other than the one on which it will be used, requesting the certificate from the computer that will eventually use the key will avoid security mismatches. ====================================================================== Keywords : Technology : kbiisSearch kbiis300 Version : WINNT:3.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 1999.