RE: OWA, IIS and SSL

From: Emily Blum (eblum@tmfutures.com)
Date: 01/13/03


From: "Emily Blum" <eblum@tmfutures.com>
Date: Mon, 13 Jan 2003 07:56:38 -0800

I've come across another error on the client side. I
uninstalled and reinstalled Cert Server and started the
process over again.

Now when I try to download the certificate (after
inserting the text to the browscap.ini file) after filling
out the form I receive:
You have submitted an empty string.... it references a
PKCS10 being generated on the machine.

I am working from two different browsers, IE5.5 and IE6
(incidentally, when using IE6 a dialog box asking to
select browser type, which does NOT include IE5.5 or 6,
appears before the Certificate Enrollment Form box appears).

Thank you.

Emily Blum
>-----Original Message-----
>Edgar,
>Thank you for the information. That did help my problem
>with downloading a client certificate. However, when I
>attempted to log in to OWA using the https: URL I received
>the standard error of The page could not be displayed,
>check your internet settings.
>
>When trying to access OWA without the "s" I received the
>error that https was required so I presume my server side
>is set up correctly.
>
>What is wrong on the client side? If indeed this is where
>the problem is.
>
>Thanks.
>
>Emily
>
>>-----Original Message-----
>>Emily,
>>
>>SYMPTOMS
>>========
>>When a client computer that is running Microsoft Internet Explorer
>>attempts to enroll for a certificate against a Windows NT 4.0
>>version 1 Certification Authority (CA), the client may be unable to
>>enroll, or the enrollment process may not support the expected
>>advanced options.
>>
>>
>>CAUSE
>>=====
>>This problem occurs because the Windows NT 4.0 CA does not recognize
>>the latest versions of Internet Explorer; thus, the expected
>>functionality is not present for these clients.
>>
>>
>>RESOLUTION
>>==========
>>To resolve this problem, edit the Browscap.ini file on the Windows
>>NT 4.0 CA to add browser recognition for the latest versions of
>>Internet Explorer. To do so, add the following information to the
>>Browscap.ini, which is located in the %SystemRoot%\System32\Inetsrv
>>folder on the server.
>>
>>NOTE: This sample contains Internet Explorer 5, 5.<x>, and 6.
>>
>>
>>
>>
>> ;;ie 5.0
>> [IE 5.0]
>> browser=IE
>> Version=5.0
>> majorver=#5
>> minorver=#0
>> frames=TRUE
>> tables=TRUE
>> cookies=TRUE
>> backgroundsounds=TRUE
>> vbscript=TRUE
>> javascript=TRUE
>> javaapplets=True
>> ActiveXControls=TRUE
>> Win16=False
>> beta=False
>> AK=False
>> SK=False
>> AOL=False
>>
>> ;;ie 5.x
>> [Mozilla/4.0 (compatible; MSIE 5.*; Windows NT)]
>> parent=IE 5.0
>> version=5.0
>> minorver=0
>> platform=WinNT
>>
>> ; Default Browser
>> [*]
>> browser=Default
>> frames=FALSE
>> tables=TRUE
>> cookies=FALSE
>> backgroundsounds=FALSE
>> vbscript=FALSE
>> javascript=FALSE
>>
>> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; IE 6.0
>> [IE 6.0]
>> browser=IE
>> Version=6.0
>> majorver=6
>> minorver=0
>> frames=True
>> tables=True
>> cookies=True
>> backgroundsounds=True
>> vbscript=True
>> javaapplets=True
>> javascript=True
>> ActiveXControls=True
>> Win16=False
>> beta=True
>> AK=False
>> SK=False
>> AOL=False
>> Update=False
>>
>> [Mozilla/4.0 (compatible; MSIE 6.*; Windows 95*)]
>> parent=IE 6.0
>> platform=Win95
>> beta=True
>>
>> [Mozilla/4.0 (compatible; MSIE 6.*; Windows 98*)]
>> parent=IE 6.0
>> platform=Win98
>> beta=True
>>
>> [Mozilla/4.0 (compatible; MSIE 6.*; Windows NT*)]
>> parent=IE 6.0
>> platform=WinNT
>> beta=True
>>
>> [Mozilla/4.0 (compatible; MSIE 6.*)]
>> parent=IE 6.0
>>
>>
>>STATUS
>>======
>>
>>Microsoft has confirmed that this is a problem in the Microsoft
>>products that are listed at the beginning of this article.
>>
>>MORE INFORMATION
>>================
>>
>>
>>The Browscap.ini file works with the browser components that are
>>included with Microsoft Internet Information Server (IIS) 4.0. This
>>component checks the version of the browser to measure its
>>capabilities. If the Browscap.ini does not contain the client's
>>browser, functionality of that browser may be limited. Earlier
>>versions of this file do not contain the latest versions of Internet
>>Explorer. Windows NT 4.0 Service Packs may update this file, but to
>>support Internet Explorer 6, you have to manually update the
>>Browscap.ini file.
>>
>>Thank You
>>Edgar Yanez
>>DSM IIS Support
>>
>>This posting is provided "AS IS" with no warranties, and confers no
>>rights. You assume all risk for your use. © 2001 Microsoft
>>Corporation. All rights reserved.
>>Please do not send email directly to this alias. This is our online
>>account name for newsgroup participation only.
>>
>>--------------------
>>| Content-Class: urn:content-classes:message
>>| From: "Emily Blum" <eblum@tmfutures.com>
>>| Sender: "Emily Blum" <eblum@tmfutures.com>
>>| Subject: RE: OWA, IIS and SSL
>>| Date: Fri, 27 Dec 2002 10:28:15 -0800
>>
>>| Yes, I am using client certificates. This is where the
>>| error occurs. When I try to open the certificate I get an
>>| error message "error '800a01ce'"
>>| /CertSrv/CertEnroll/kgaccept.asp, line 21
>>| I'm not sure how to research this error.
>>| Thanks.
>>| Emily Blum
>>| >-----Original Message-----
>>| >Are you using client certificates for your SSL connections? If
>>| >so, when given a choice to open or save the cert, go ahead and
>>| >open it. Run the installation wizard to install the client cert
>>| >then try your connection again.
>>| >
>>| >Sincerely,
>>| >
>>| >Tim Greene MCSE, MCSA, MCP+I
>>| >IIS Newsgroup Support
>>| >
>>| >Please do not send email directly to this alias. This is our
>>| >online account name for newsgroup participation only.
>>| >
>>| >If you would like to open a support incident with Microsoft, call
>>| >1-800-936-5800
>>| >
>>| >This posting is provided "AS IS" with no warranties, and confers
>>| >no rights. You assume all risk for your use. © 2001 Microsoft
>>| >Corporation.
>>| >
>
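
An added example (not part of the thread or of the Microsoft article quoted in it): a Python check of which Browscap.ini section a given User-Agent resolves to, including parent= inheritance, so an edited file can be verified before retrying enrollment. The trimmed sample file, the User-Agent string and the tie-break rule (longest pattern wins) are assumptions made for illustration; the matching order IIS itself uses may differ.

```python
import configparser
import re

# Trimmed subset of the Browscap.ini sample quoted above (constructed for this example).
WITH_IE6 = """
[IE 6.0]
browser=IE
Version=6.0
ActiveXControls=True
vbscript=True

[Mozilla/4.0 (compatible; MSIE 6.*; Windows NT*)]
parent=IE 6.0
platform=WinNT

[*]
browser=Default
vbscript=FALSE
"""
# A file that predates IE 6: only the catch-all section remains.
WITHOUT_IE6 = WITH_IE6[WITH_IE6.index("[*]"):]


def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # keys are lower-cased
    cp.read_string(text)
    return cp


def resolve(cp, user_agent):
    """Return the merged capabilities for user_agent, following parent= links."""
    def matches(pattern):
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, user_agent) is not None

    hits = [s for s in cp.sections() if matches(s)]
    if not hits:
        return {}
    # Assumption: the longest (most specific) pattern wins; IIS may differ.
    section, caps, seen = max(hits, key=len), {}, set()
    while section and cp.has_section(section) and section not in seen:
        seen.add(section)
        for key, value in cp[section].items():
            caps.setdefault(key, value)  # child values override the parent
        section = cp[section].get("parent")
    return caps


IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed
print(resolve(load(WITH_IE6), IE6_UA)["activexcontrols"])
print(resolve(load(WITHOUT_IE6), IE6_UA).get("activexcontrols"))
```
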


