Re: Problem with IIS5 - "expired" CRLs not working?

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/31/04


Date: Wed, 31 Mar 2004 05:25:31 -0800

Yes, you run CAPIMON on the server. You don't see your client cert being
checked on the server by IIS?

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> Hi,
>
> Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries
> in the output are CertGetCertificate with "End Entity" being my server
> cert name.  Both of these have "Status" of "OK", with "Return" of
> "Success".  Then there are the alternating calls with other End Entity,
> etc., some of which have errors, and some of which succeed.
>
> I don't get any of the "Revocation" calls, either successful or failed.
>
> I'm not quite sure how much more info this gives?
>
> Jim
>
>
>
> Ohaya wrote:
> >
> > David,
> >
> > I think I've figured out basically how to use CAPIMON.
> >
> > With the default capimon_filter.inf, I did a connect from IE to IIS5
> > with a client certificate, but I am only getting a series of alternating
> > calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy,
> > with the End Entity/Root Cert columns showing some of the built-in root
> > certs that come with Windows.  None of these have my root CA cert, and
> > none of the revocation-related calls are listed.
> >
> > I'm supposed to install CAPIMON on my IIS machine, right?  Not on the
> > client machine, right?
> >
> > CAPIMON seems to be a bit "picky".  After I do a "capimon -stop", it seems
> > like I have to do a reboot before I do another "capimon -start".
> > Otherwise, capimon doesn't seem to record anything.
> >
> > Jim
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I installed CAPIMON per your suggestion, last night, but I'm still trying to
> > > figure out how to use it :).  It looks like it installs some kind of "shim"
> > > in front of the CryptoAPI?  Sorry to ask, but what exactly do you suggest I
> > > set up for the filters(?)?  I'm trudging my way through the docs...
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > I am not an expert on IIS, but I would need some more information to help
> > > > you troubleshoot the issue.  Can you install CAPIMON and shim IIS5 and
> > > > determine what error (or status) is being returned by CryptoAPI to IIS?
> > > > That will help us determine if:
> > > >
> > > > 1) CryptoAPI is returning the right status to IIS
> > > >
> > > > 2) IIS is determining the right action based on this status
> > > >
> > > >
> > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> > > > news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > David,
> > > > >
> > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
> > > > > occurring.  I can revoke a cert, import the new CRL into the ICA, and voila,
> > > > > connecting using the revoked cert will fail with 403.13.
> > > > >
> > > > > Revocation checking, per se, is NOT the problem.
> > > > >
> > > > > The problem is that when the CRL in the ICA is expired, things keep on
> > > > > working just as if the CRL was not expired.
> > > > >
> > > > > Jim
> > > > >
> > > > >
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP in
> > > > > > certs as an indicator that revocation does not need to be checked.
> > > > > >
> > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > > > > > application allows the "no check" status to be interpreted as "OK",
> > > > > > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > >
> > > > > > As per your reply:
> > > > > >
> > > > > > (again my client certs don't have CDP populated).
> > > > > >
> > > > > > --
> > > > > >
> > > > > >
> > > > > > David B. Cross [MS]
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > >
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> > > > news:4065F9AB.8B3395C1@cox.net...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
> > > > > > > and in this clean, "out-of-the-box" configuration, I tested, and,
> > > > > > > indeed, it appears that:
> > > > > > >
> > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
> > > > > > > 2000 AS apparently does not).
> > > > > > >
> > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > > > > > (again my client certs don't have CDP populated).
> > > > > > >
> > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a
> > > > > > > standalone server (no AD and no Certificate Services).
> > > > > > >
> > > > > > > Re. #2 above, I need to add that initially, obviously, there was not a
> > > > > > > CRL stored in the ICA, and in this initial configuration, IIS6 did allow
> > > > > > > connections.
> > > > > > >
> > > > > > > I then did testing using CertMgr to add a CRL (to test the validity
> > > > > > > period checking), and after that, I deleted the CRL from the ICA.
> > > > > > >
> > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Ohaya wrote:
> > > > > > > >
> > > > > > > > David,
> > > > > > > >
> > > > > > > > Thank goodness you're still here!!
> > > > > > > >
> > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to, but
> > > > > > > > FYI, I'm starting to come to the conclusion that this (and another
> > > > > > > > problem) are Win2K AS-related (vs. Win2K3).  Let me try to explain...
> > > > > > > >
> > > > > > > > Late last year, when I first started testing, I started with a Win2K3
> > > > > > > > installation.  During that time, I began keeping a project notebook,
> > > > > > > > where I commented on my test results (including a lot of the
> > > > > > > > conversations I had here and on the inetserver.iis.security NG).
> > > > > > > > According to my notes at that time, I confirmed that Win2K3/IIS6 did a
> > > > > > > > couple of things (that were good, security-wise):
> > > > > > > >
> > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe
> > > > > > > > and confirmed using the MMC Certificates snap-in), IIS6 would not allow
> > > > > > > > connections at all for the website.
> > > > > > > >
> > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my company,
> > > > > > > > since what we were actually going to stand up were Win2K AS machines.
> > > > > > > >
> > > > > > > > From my notes from that time, it appears that I did not go back and
> > > > > > > > check those 2 behaviors that I mentioned above related to CRL
> > > > > > > > processing.
> > > > > > > >
> > > > > > > > I really should have noticed at least the first problem, a LONG time
> > > > > > > > ago, since the Next Update date on the test CRLs that I got was January
> > > > > > > > 29, 2004, but very stupidly on my part, I didn't :(...
> > > > > > > >
> > > > > > > > In other words, we're using these same test CRLs in a couple of
> > > > > > > > different test labs (all running Win2K Server or Advanced Server), and
> > > > > > > > they're ALL still working, and I didn't even think about it.  Darn!!!
> > > > > > > >
> > > > > > > > Just recently, I started putting together a "Lessons Learned" document
> > > > > > > > for my company, and actually for our partner community, and in
> > > > > > > > beginning to do that, I started going back through my notes and trying
> > > > > > > > to reproduce the results that I had documented in my notes.
> > > > > > > >
> > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > >
> > > > > > > > I am going to have to try to recreate my earlier Win2K3 environment,
> > > > > > > > but I've already created a clean install of Win2K AS (SP4), and with
> > > > > > > > the Win2K AS, it is definitely working with the expired CRLs, and IIS5
> > > > > > > > definitely is not shutting down websites that are SSL (client) secured
> > > > > > > > when I delete the CRL from the ICA store.
> > > > > > > >
> > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this
> > > > > > > > again, but unless my (voluminous) notes are completely whacked, I think
> > > > > > > > that I'm going to find that Win2K3 does obey the CRL expiration date
> > > > > > > > and does lock down the SSL (client) secured websites when I delete the
> > > > > > > > CRL from the ICA store.
> > > > > > > >
> > > > > > > > Our policy and standard maintenance practices do call for ensuring
> > > > > > > > that the CRLs are both populated and updated, so hopefully this won't
> > > > > > > > be a problem, but if things turn out the way I'm alluding to above,
> > > > > > > > these 2 problems seem like a kind of major problem in Win2K AS/IIS5?
> > > > > > > >
> > > > > > > > Will post back, but probably not immediately...
> > > > > > > >
> > > > > > > > Jim
> > > > > > > >
> > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to debug
> > > > > > > > > exactly what IIS is doing and what information is being returned by
> > > > > > > > > CryptoAPI through CAPIMON:
> > > > > > > > >
> > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > David B. Cross [MS]
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > >
> > > > > > > > > http://support.microsoft.com
> > > > > > > > >
> > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5.
> > > > > > > > > > This machine is a standalone server, i.e., it is not a member of a
> > > > > > > > > > domain, and I've updated Win2K through SP4.
> > > > > > > > > >
> > > > > > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > > > > > authentication, and that part is working.  My server and client
> > > > > > > > > > certs are issued by a 3rd party CA, and all the client certs do not
> > > > > > > > > > have the CDP populated.
> > > > > > > > > >
> > > > > > > > > > For my testing earlier, my CA provided me with several test CRLs,
> > > > > > > > > > along with associated client certs, and I've been using CertMgr.exe
> > > > > > > > > > to import the test CRLs into the Intermediate Certification
> > > > > > > > > > Authorities (ICA) store during my testing.
> > > > > > > > > >
> > > > > > > > > > However, today I noticed that the test CRLs all have a "Next Update"
> > > > > > > > > > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > > > > > > > > > these CRLs could still be working.  It seems like they should be
> > > > > > > > > > considered invalid and that since IIS5 is calling CryptoAPI to do
> > > > > > > > > > the CRL checking, that I should be getting some kind of error?
> > > > > > > > > >
> > > > > > > > > > I've checked the system date on the server, and it's definitely
> > > > > > > > > > correct (today's date), so I'm really puzzled.  I really have the
> > > > > > > > > > impression that CryptoAPI (and thus IIS5) would throw some kind of
> > > > > > > > > > error if the CRL was not within the validity period.
> > > > > > > > > >
> > > > > > > > > > Can someone explain why these out-of-validity-period CRLs still seem
> > > > > > > > > > to work all right?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
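The behaviour discussed throughout this thread (a CRL whose Next Update has passed, or no CRL in the store at all, being silently accepted on Win2K/IIS5 but treated as a failure on Win2K3/IIS6) as an added example that is not part of the original thread and is not Windows, CryptoAPI or IIS code: a small Python script that builds a constructed, unsigned sample CRL in DER with a Next Update of 1/29/04 as in the thread, extracts its validity window and revoked serials with a minimal TLV walker, and then evaluates a client certificate serial under a fail-open policy (what the thread observed on Win2K/IIS5) and a fail-closed policy (what it observed on Win2K3/IIS6). The issuer name, serial numbers and dates are constructed, the policy function is a model of the decision rather than CryptoAPI's own logic, and the CRL signature is a placeholder that is not verified.

```python
"""Toy CRL validity check: parse a DER CRL's validity window and revoked serials,
then decide whether a client cert serial is accepted under a fail-open and a
fail-closed policy. Constructed example; not CryptoAPI/IIS code, and the
sample CRL carries a placeholder signature that is never verified."""
import datetime as dt
from typing import Optional

# --- minimal DER encoder, used only to construct the sample CRL below ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_int(n: int) -> bytes:
    # one extra byte when the high bit is set keeps the INTEGER positive
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_utctime(t: dt.datetime) -> bytes:
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

# constructed sample values (dates taken from the thread's description)
SHA1_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010105"))  # sha1WithRSAEncryption
ALG_ID = der_seq(SHA1_RSA_OID, der(0x05, b""))
ISSUER = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),  # CN=
                                   der(0x13, b"Test Issuing CA"))))  # constructed name
THIS_UPDATE = dt.datetime(2003, 12, 30)
NEXT_UPDATE = dt.datetime(2004, 1, 29)      # the "Next Update" date from the thread
TODAY = dt.datetime(2004, 3, 26)            # the date the original poster tested on
REVOKED = [(1001, dt.datetime(2003, 12, 15))]  # constructed serial / revocation date

def build_sample_crl() -> bytes:
    """Assemble CertificateList { tbsCertList, signatureAlgorithm, signatureValue }."""
    revoked = der_seq(*[der_seq(der_int(s), der_utctime(d)) for s, d in REVOKED])
    tbs = der_seq(der_int(1), ALG_ID, ISSUER, der_utctime(THIS_UPDATE),
                  der_utctime(NEXT_UPDATE), revoked)
    fake_sig = der(0x03, b"\x00" * 33)  # placeholder BIT STRING, not a real signature
    return der_seq(tbs, ALG_ID, fake_sig)

# --- minimal DER reader ---
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos (short/long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(seq_value: bytes):
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        yield tag, val

def parse_time(tag: int, val: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt)

def parse_crl(der_bytes: bytes) -> dict:
    """Extract thisUpdate, nextUpdate and the set of revoked serials from a DER CRL."""
    _, outer, _ = read_tlv(der_bytes)
    _, tbs, _ = read_tlv(outer)
    fields = list(children(tbs))
    i = 1 if fields[0][0] == 0x02 else 0   # optional version INTEGER
    i += 2                                  # signature AlgorithmIdentifier, issuer Name
    this_update, i = parse_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = parse_time(*fields[i]), i + 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:
        for _, entry in children(fields[i][1]):
            _, serial, _ = read_tlv(entry)
            revoked.add(int.from_bytes(serial, "big"))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def check_client_cert(serial: int, crl: Optional[dict], now: dt.datetime,
                      fail_closed: bool) -> str:
    """Return 'ALLOW' or 'DENY: <reason>'. fail_closed=False models the lenient
    behaviour the thread saw on Win2K/IIS5 (missing or stale CRL is ignored);
    fail_closed=True models the strict behaviour it saw on Win2K3/IIS6."""
    if crl is None:
        return "DENY: no CRL available" if fail_closed else "ALLOW"
    if serial in crl["revoked"]:
        return "DENY: certificate revoked"   # a listed serial fails under both policies
    if fail_closed and crl["next_update"] is not None and now > crl["next_update"]:
        return "DENY: CRL expired"           # stale CRL = unknown status = fail
    return "ALLOW"

if __name__ == "__main__":
    crl = parse_crl(build_sample_crl())
    print("CRL valid", crl["this_update"], "to", crl["next_update"], "revoked:", crl["revoked"])
    for fail_closed in (False, True):
        label = "fail-closed" if fail_closed else "fail-open  "
        for serial in (1001, 1002):
            print(label, serial, check_client_cert(serial, crl, TODAY, fail_closed))
        print(label, "no CRL", check_client_cert(1002, None, TODAY, fail_closed))
```

Run as a script it prints the six outcomes for 26 March 2004: under the fail-open policy only the listed serial is refused, while under the fail-closed policy the unlisted serial is refused as well because the CRL's Next Update has passed, and everything is refused when no CRL is present. That is the distinction the thread is circling: a stale or absent CRL means revocation status is unknown, and the defensive choice is to treat unknown as a failure rather than as a pass. A production checker would additionally verify the CRL signature against the issuer certificate, which this toy deliberately leaves out.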

