PRB: Invalid Certificates Cause RDS Problems

ID: Q193096

The information in this article applies to:

Remote Data Service for ADO versions 1.5, 2.0
Microsoft Visual Basic Professional and Enterprise Editions for Windows, versions 5.0, 6.0

SYMPTOMS

NOTE: This article assumes that you are familiar with Remote Data Services (RDS) Visual Basic and Secured Sockets Layer (SSL).

When using Visual Basic and RDS to retrieve data from an SSL Web site, the following errors may appear:

Internet Client Error.

-or-

Internet Server Error.

The same code may run on a non-SSL Web site or through a SSL Web site using Internet Explorer.

CAUSE

An Invalid SSL Certificate, or the certificate causes this problem. Authority is unknown or not trusted.

Internet Explorer 4.0 passes this problem by displaying the following message to the user:

The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?

If the user selects Yes, RDS functions normally. If the user selects No, the page does not load.

Visual Basic does not expose this user interface. Because of this, RDS assumes the connection is not secure and will not allow information to be exchanged. This behavior may also be seen in other languages and implementations such as VBScript and JSscript through ADO or Access 97 and so on.

This default behavior cannot be changed.

RESOLUTION

Make sure that the server certificate is valid and the certificate authority is on the list of accepted certificate authorities.

If you are running Internet Explorer 4.0, you may use the following method to verify your certificate authorities.

To check if the certificate authority is trusted, on the Control Panel, select Internet Options. Click the Content tab, and then select Authorities. If your particular Certificate Authority is not listed, you need to obtain and install a valid Site Certificate. Your Certificate Authority should issue this to you. If you do not have this, nor have any means of getting this, you cannot use RDS through Visual Basic. You can still use RDS through Internet Explorer; however every time you visit the SSL Web site, you will be prompted that the certificate authority is not valid, but you will not be allowed to continue.

Setting your security to Low (in Internet Options) will not prevent the error from occurring.

If you can visit the Web page without being prompted with any dialog boxes, Visual Basic should be able to make a secure RDS connection.

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce Behavior

Configure your Internet Information Server (IIS) Server for SSL. For instructions on how to do this, search for "Setting Up SSL on Your Server" in the IIS Help.

Remove the certificate authority that provided you with your valid SSL Certificate from the list of Certificate Authorities. If you are running Explorer 4.0, on the Control Panel, select Internet Options. Click the Content tab then select Authorities to find the Authority that issued your Certificate. Clear the Authority check box. Do not delete the authority. If your authority is not listed, then you must obtain and install the credentials from your authority. Your Certificate Authority can provide you with documentation and on how this is done.

If you want to install Microsoft Certificate Server as your Certificate Authority, please follow the instructions closely because missing one step causes errors. Pay special attention to the "Certificate Authority Certificate List Web Page."

Use your Web browser to view any secured Web page on your Web site. A warning message should appear stating that the Web browser cannot verify this site. You may continue by selecting Yes.

Create a Visual Basic program that creates an RDS connection to your Web server. You may use the following code as a template:


      Option Explicit

      Private Sub Form_Load()

      Dim DataSpace As Object
      Dim DataFactory As Object
      Dim SecuredDataFactory As Object

      Dim rsData As Object

      Set DataSpace = CreateObject("RDS.DataSpace")

      Set DataFactory = DataSpace.CreateObject _
          ("RDSServer.DataFactory", "<LINK TYPE="GENERIC" VALUE="http://localhost")">http://localhost")</LINK>

      'This should work when the client certificate is
      'installed and running.
      Set SecuredDataFactory = DataSpace.CreateObject _
          ("RDSServer.DataFactory", "https://localhost")

      'The DSN should have been installed by MDAC.
      'It is a DSN pointing to the Northwind database.
          Set rsData = DataFactory.Query _
          ("DSN=AdvWorks", "SELECT * FROM ORDERS")

      Set rsData = SecuredDataFactory.Query _
          ("DSN=AdvWorks", "SELECT * FROM ORDERS")

      End Sub

Run the following program. The DataFactory query should work. The SecuredDataFactory query should not work. It should return the following error:

Internet Client Error.

-or-

Internet Server Error.

Now add the Certificate Authority Client Certificate. If the certificate is already installed, on the Control Panelselect Internet Options. Click the Content tab and then select Authorities to locate the certificate. Make sure the certificate is selected. If the certificate is not installed, run the certificate file given to you by the certificate authority. You can do this by locating the file in Explorer. Select the file to execute it. It should install automatically. If you are using Microsoft Certificate Server as the certificate authority, you may go to the following location to install your certificate:
http://localhost/CertSrv/CertEnroll/cacerts.htm

Run the program in Step 4 again. The program should now execute without the error.

REFERENCES

For additional information about Installing Certificates, please see the following article(s) in the Microsoft Knowledge Base:

Q171084 How to Install a Certificate

Additional query words: kbRDS kbVBp600 kbRDS150 kbRDS200 kbSecurity kbInternet kbDatabase


Keywords          : kbDatabase kbInternet kbRDS kbRDS150 kbRDS200 kbSecurity kbVBp600 
Version           : WINDOWS:1.5,2.0,5.0,6.0
Platform          : WINDOWS 
Issue type        : kbprb

Last Reviewed: August 8, 1999