Re: IE6 and MS Certificate Services (standalone)

From: David Zazzo (dzazzo@ZAZZO.COM)
Date: 10/18/02


Date:         Fri, 18 Oct 2002 09:10:13 -0700
From: David Zazzo <dzazzo@ZAZZO.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I had this exact problem - I've got a Windows 2000 system running with a
standalone CA, and you're right -- it would work from some of my
systems, but others (like my desktop box) it would hang indefinitely on
"Downloading ActiveX Control..."

I passed this off to our Premier Support folks, and they pointed me off
to the following Q article:

http://www.microsoft.com/technet/security/bulletin/MS02-048.asp
Flaw in Certificate Enrollment Control Could Allow Deletion of Digital
Certificates (Q323172)

It sounds like you have this applied to either your client or your
server, but not both. This hotfix updates the enrollment control - the
reason why you're hanging on the advanced cert page is because there's
a version mismatch between either your server or your client. Updating
both with the appropriate hotfix from the above URL should resolve the
problem.

Hope this helps!

DZ

David Zazzo, MCSE - dzazzo@cac.washington.edu
Advanced Systems Technologies, Computing and Communications
University of Washington

Campus Box: 354843

-----Original Message-----
From: Yawns Security [mailto:security@YAWNS.COM]
Sent: Monday, October 07, 2002 7:16 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE6 and MS Certificate Services (standalone)
Importance: High

Issue: IE6 devices cannot create new Advanced Certificate requests via
form, as the ActiveX component fails to download regardless of client
security settings.

Server: Win2000 Server (in workgroup) with MS Certificate Services
(standalone) regardless of service pack (although I have tested it with
Sp2 and Sp3) and Microsoft's unsupported public CA at

Client: Tested with -
    Win2K Sp3 & IE5     - OK
    Win2K Sp3 & IE6     - Fails
    WinXP Sp0 & IE6     - Fails
    WinXP Sp1 & IE6     - Fails
    WinXP Sp1 & IE6 Sp1 - Fails

Detail:
Attempting to use a local MS Cert Services CA instance for IPSEC/Server
certificate generation.
1) From a client browser browse http://localCertServer/certsrv
2) Select 'Request a certificate', then 'Advanced Request'
3) Then 'Submit a cert req to this CA using a form'

A form is generated and a message displayed centrally saying
'Downloading ActiveX control' which I can only assume interrogates the
local CryptoAPI to work out what providers are available.

With older browsers the CSP field gets updated after the applet
installs, whereas IE6 never downloads.

The certificate server is within my local 'Local Intranet' zone and even
if the Security level is set to low, it still never works.

The problem has been reported to MS PSS and an incident raised, however
I was wondering if anyone had come up with a workaround.


