Re: IIS 6.0 SSL Certificate Difficulties

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 11/08/04


Date: Mon, 8 Nov 2004 12:20:34 +0800

Now, that's something new !!
You can configure 'Bypass traverse checking' for the IIS_WPG group. This is the
default !
Read -
Default permissions and user rights for IIS 6.0
http://support.microsoft.com/?id=812614

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
news:2BEF50B2-A019-4AC3-A494-E60C9EA3BACB@microsoft.com...
>
>
> "Bernard" wrote:
>
> > I haven't actually looked at the MachineKeys folder when generating the CSR.
> > That is just a plain text file with encrypted details of your server.
> >
> > Have you actually repeated the export and import steps?
> > From the log it looks like many details are missing; I would remove
> > the cert and redo it again.
>
> No, we really do know how to create, import and apply certificates.  It
> turns out that the problem was that some account needs 'Bypass traverse
> checking' rights for this to work.  (I haven't figured out exactly which one
> yet, at the moment I have it down to one of the following:  SYSTEM, SERVICE,
> LOCAL SERVICE, NETWORK SERVICE, IUSR..., IWAM...)
>
> It seems that changes between Windows 2000 Server and Windows 2003 Server
> have greatly increased the number of accounts that must be allowed to bypass
> traverse checking.
>
> Bill Bean
>
> >
> > -- 
> > Regards,
> > Bernard Cheah
> > http://www.tryiis.com/
> > http://support.microsoft.com/
> > http://www.msmvps.com/bernard/
> >
> >
> >
> > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > news:D0CB2E2F-3979-4702-9E75-EDC9EFB73A79@microsoft.com...
> > >
> > >
> > > "Bernard" wrote:
> > >
> > > > This is very clear that :
> > > > #WARNING: You DON'T have a private key that corresponds to this certificate
> > > >
> > > > when you export it, do you export the private key as well ?
> > > >
> > > > remove this cert, re-export with private key and import again.
> > >
> > > We did export with the private key.  (We have done this before too :)  The
> > > diagnostic tool says that we DON'T have a private key but when we view the
> > > certificate from the IIS Snap-in it says that "You have a private key that
> > > corresponds to this certificate."  Same if we view the certificate using the
> > > Certificates Snap-in.
> > >
> > > Another symptom is that when we create the request on the 2003 server, the
> > > certreq.txt file has a long string of A's in the middle.  When we create the
> > > request on another machine, it only has a short string of A's (maybe five or
> > > six).
> > >
> > > When we create the request a file is created in C:\Documents and
> > > Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.  I
> > > thought that this was the private key?
> > >
> > > My guess - and it is just a guess - is that somehow the private key is being
> > > created but that it is corrupt.
> > >
> > > Bill Bean
> > >
> > > >
> > > >
> > > > -- 
> > > > Regards,
> > > > Bernard Cheah
> > > > http://www.tryiis.com/
> > > > http://support.microsoft.com/
> > > > http://www.msmvps.com/bernard/
> > > >
> > > >
> > > >
> > > > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > > > news:08A07406-D8F0-4BDF-8D72-72A47948E147@microsoft.com...
> > > > >
> > > > >
> > > > > "Jacqueline Jaynes [MSFT]" wrote:
> > > > >
> > > > > > The results from the SSLDiag basically say that the certificate is
> > > > > > invalid.  Run thru the following article:
> > > > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;228984
> > > > > >
> > > > > > It explains how to generate a certificate using Certificate Authority.
> > > > >
> > > > > We know how to generate certificate requests and issue the certificates.  We
> > > > > have done this many times.  The problem is specific to the one Windows 2003
> > > > > server (we have other Windows 2003 servers that work perfectly).  We have
> > > > > configured this server as a very secure bastion host.  A similar
> > > > > configuration on Windows 2000 worked without problems.  But we are unable to
> > > > > install a certificate successfully on the secure 2003 machine.
> > > > >
> > > > > We assume that this is a problem with ACLs or some other security setting.
> > > > > We have tried to give the Everyone account administrator privileges prior to
> > > > > requesting/installing the certificate, to no avail.
> > > > >
> > > > > We have also run filemon to examine file access requests while we are
> > > > > requesting/installing the certificate.  We do not see any failed requests.
> > > > >
> > > > > We have also set auditing on all files to report failures, and don't find
> > > > > any problems in the event logs.
> > > > >
> > > > > Any suggestions would be greatly appreciated.
> > > > >
> > > > > Bill Bean
> > > > >
> > > > >
> > > > > >
> > > > > > Hope this helps
> > > > > >
> > > > > > Thank you,
> > > > > >
> > > > > > Jackie Jaynes [MSFT]
> > > > > > Microsoft IIS
> > > > > > JackieJa@online.microsoft.com
> > > > > >
> > > > > > Please do not send email directly to this alias. This
> > > > > > is our online account name for newsgroup participation only.
> > > > > >
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > >  You assume all risk for your use. © 2001 Microsoft Corporation.  All rights
> > > > > > reserved.
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >

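To check a host for the user right the thread lands on, here is an added PowerShell script (not part of the thread): it exports the local security policy with secedit and reports which principals are granted SeChangeNotifyPrivilege, the internal name of 'Bypass traverse checking', then flags the candidate accounts Bill listed. The candidate list is constructed from the names in the thread; the IUSR_/IWAM_ naming and an elevated session are assumptions.

```powershell
# Added example, not from the thread: list which principals directly hold the
# "Bypass traverse checking" user right (SeChangeNotifyPrivilege) on this host
# and flag candidate accounts that are not granted it directly.
# Assumes an elevated PowerShell session on Windows; secedit.exe exports the
# local security policy as an INF file.

$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated?)' }

# In the INF, [Privilege Rights] lists each right as
#   SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-1-0,...
# SIDs carry a leading '*'; entries may also appear as plain account names.
$line = Get-Content $inf | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
Remove-Item $inf -Force
if (-not $line) { throw 'SeChangeNotifyPrivilege not present in the export' }

$holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # keep the raw SID when it cannot be resolved
    } else { $entry }
})

Write-Host "Principals granted 'Bypass traverse checking':"
$holders | Sort-Object | ForEach-Object { Write-Host "  $_" }

# Accounts named in the thread (IUSR_/IWAM_ names are per machine and assumed
# here). IIS_WPG is included because the reply says it holds this right by
# default on IIS 6.0.
$me = $env:COMPUTERNAME
$candidates = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SERVICE',
                'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
                "$me\IIS_WPG", "$me\IUSR_$me", "$me\IWAM_$me")

# Only direct grants are checked; a right inherited through a broad group
# (Everyone, Users, Authenticated Users) is reported as a hint, not resolved.
$broad = $holders | Where-Object {
    @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') -contains $_ }
foreach ($acct in $candidates) {
    if ($holders -contains $acct) { Write-Host "OK        $acct" }
    elseif ($broad)               { Write-Host "VIA GROUP $acct (through: $($broad -join ', '))" }
    else                          { Write-Host "MISSING   $acct" }
}
```

A MISSING line for the account the web server or the crypto provider runs as is the condition Bill describes; compare the output against a working 2003 server before changing policy.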
