Search results matching tag 'SSL Certificate'

IIS7 SSL Binding to All Addresses

Kortekk — Fri, 06 Nov 2009 19:22:55 GMT

My server has got IIS7 with two sites Site1 and Site2. I have them each on their own distinct Ipv4 address, each on their own separate certificate, and both are on port 443.

The issue I am experiencing is that if I take Site1 offline, the server is still responding to ssl on that site's address and port - even though I cannot browse to the site via a web broswer. If I take both Site1 and Site2 offline, then the server no longer responds to ssl requests. It looks to me like IIS7 is binding to all the addresses on the server. If I create a new arbirtrary binding on Site1 and run netstat, i see it being opened on the address bound to Site2.

I have tried editing the applicationhost.config file to supply host headers to the ssl bindings since you cannot through the GUI. I have also tried to create listener ip addresses using 'netsh http add iplisten'. Nothing has helped so far. Is there any way to close down the port when that particular site is brought down?

IIS 7.5 binding port 443 of all IP addresses ?

demvin — Sun, 21 Jun 2009 22:42:39 GMT

Hi, I'm playing with Windows Server 2008 R2 RC Web edition and I'm having a problem where I have a website which has a HTTPS binding on a specific IP address, yet instead of binding only to this address, IIS binds on all the IP addresses of the interface. No other site has a HTTPS binding. Sorry if this has been answered before, but I didn't find it. Thanks ! Vincent

Windows 2008, IIS 7 Drops SSL Certificate after Reboot

neilos — Mon, 15 Jun 2009 14:17:32 GMT

Hi All,

We have a server running Windows Server 2008 Ent Edn SP1 and have one website configured in IIS that is bound to both HTTP and SSL traffic. Every time we reboot the server the SSL cerificate is dropped, we have the following registered in the system event log:

HTTPEvent - 15300 (Warning)
SSL Certificate Settings deleted for Port : 192.168.152.94:443 .

HTTPEvent - 15016 (Error)
Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.

I've had a look online and tried assigning it too all IPs rather than a specific one but still the SSL cert gets dropped, please can someone advise on how to fix this issue.

Regards
Neilos

SSL certificates required for 3 sites on same domain

colemanmcc — Mon, 04 May 2009 19:08:32 GMT

I'm slightly confounded as to if what I'm trying to do is possible, maybe someone can shed some light...

I've got an Exchange Server with Outlook WebAccess secured with an SSL cert for its domain (mail.domain.com). I've got 2 other IIS servers I want to make available publicly, our accounting front-end and a Sharepoint server, and I've configured each one to be available by listening on different port numbers for each, 6000 and 7000 respectively. So mail.domain.com/exchange hits OWA, mail.domain.com:6000 hits accounting, and mail.domain.com:7000 hits Sharepoint. This all works fine without tossing SSL into the ring.

But since our SSL cert is bound to the "mail" subdomain, shouldn't I logically be able to have the other two sites on the other ports SSL secured? I even set the extra two IIS machines to listen on 6001 and 7001 for SSL, but it seems the client-side browser when hitting https://mail.domain.com:6001, I just get a 404, as if IE makes "https" requests automatically via 443, rather than my redefined special port.

Any ideas/enlightenment would be appreciated.

Installing Multiple SSL in single IIS 6.0

swamik — Wed, 28 Jan 2009 09:40:43 GMT

Hi All:

We have a requirement of installing Multiple SSL certicates of 20 different websites which are all hosted in single IIS 6.0(Windows Server 2003 is the OS)

Using host header, we were able to host these 20 sites in an single IIS. But like to know how to install and configure 20 SSL certificates for these 20 domains which are in single IIS 6.0.

Please help

ASP permission problem - HTTP Error 401.3

JayRO — Sat, 10 Jan 2009 18:25:06 GMT

Problem: a specific Global Security Group can not load ASP pages (but can load HTML pages).

Goal: allow access to the secure website files and directories according to Global Group membership. This is a medical industry customer, so HIPAA compliance is mandatory (i.e. file access and restrictions must be thoroughly configured and maintained).

Environment: Windows 2003 Server, Std. Ed., single server with Active Directory. IIS is serving a secure website to employees and customers (amongst other non-related functions). IIS has been configured with a commerical Server Certificate to encrypt communication betweeb the server and clients on the internet. Anonymous access has been disabled, so users are required to log in to the website with their username/password. (This was a 2000 Server, upgraded to 2003). I created a disk partition just for website files.

Detail: The employees are members of the Global Group 'Domain Users'. No problems for the employees to access the website. The customers are members of the Global Group 'Web Site Users' (and removed from Domain Users group). There is a virtual directory mapped at the root level of the website named 'CustomerStuff' that maps to the 'CustomerFiles' directory (located at another drive/directory location).

In the CustomerFiles directory, I created a simple test.html page which the customer can browse to successfully. I copied the test.html to test.asp (leaving the HTML markup as-is, no ASP scripting added), and browsing for the customer is denied: "HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource."

By adding the 'Web Site Users' group to 'Domain Users' group, then browsing ASP pages succeeds. This solution is not acceptable, as the customers would then have unauthorized access to sensitive patient information.

Attempts to resolve:
- The permissions for test.html and test.asp are identical (being in the same directory, access to the directory is not an issue). I am fairly certain this is NOT a file permissions issue. I believe this to be some type of process level or possibly registry access permissions issue.
- Using SysInternal's "Process Monitor" app, I have repeatedly monitored browsing of test.html and test.asp both successful and unseccessful access. Absolutely nothing presents itself as access denied in the Process Monitor log, and I can not detect where the process becomes different for the 401.3 error.
- I have turned on failure auditing for:

- System drive (including entire WINNT structure).
- entire partition<> for ClientFiles,
- entire partiton for website files
- HKLM in the registry
- all Audit Policies available in GPO

No FAILURE entries are to be found in the Security log.
<>
I have attempted every trick I know of (and could find on the internet) to determine what is causing the 401.3 access denied error. I have also tried numerous tweaks to file structure and User Rights permissions in an effort to find what is needed to allow the ASP page to load (but I am very hesitant to be too aggressive opening permissions, as this site needs to stay secure).

Thanks in advance for any ideas, as I now have over 10 hours troubleshooting this issue.

--Jay Ohman

Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Mon, 05 Jan 2009 04:15:03 GMT

I have tried several times, revoke and replace certificate, and asked Verisign for help too. But at the end it still failed.

Error message are shown as below:

- When installing the certificate:

"Failed to install certificate, keyset does not exists"

- When trying to export the private key using MMC function, the option for "Export private key" is disabled and it says "Notes: The associated private key cannot be found. Only the certificate can be exported."

I have changed the permission of the administrator and system account to Full Control for the following folders and files already:

Folders

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA

All files inside the following folder

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Please kindly assist!! Thank you very much!!

sta

Processing SSL certificate response fails.

Tyrven — Fri, 21 Nov 2008 22:56:03 GMT

Summary: When processing an SSL certificate response in IIS, a private key is not generated with the certificate and, therefore, SSL does not function on the site. IIS and Certificates.mmc believe there is a private key, but when I try to export one it fails with "The associated private key cannot be found". Details below.

Symptoms: In IIS's "Web Server Certificate Wizard" I am able to complete the "Process the Pending Request" step as expected. Afterwards, however, the website properties do not allow me to "View Certificate". If I return to the wizard it acts as though I don't have a certificate. If I choose "Assign an existing certificate" and select the recently imported certificate, however, then I am unable to connect to the site via HTTPS ("Internet Explorer cannot display the webpage").

Private Key: If I view the certificate in the MMC Certificates snap-in, I can see the certificate. If I open it, I am informed "You have a private key that corresponds to this certificate". When I try to export it, however, the option to export the private key is disabled; the dialogue box notes: "The associated private key cannot be found. Only the certificate can be exported."

Troubleshooting: Clearly, the processing of the SSL certificate response is failing - but why? No error is provided when processing the response, nor does the event log contain any relevent errors or warnings. I've tried this with both self-signed certificates as well as a GeoTrust-issued certificate; same result.

Note: This server contains a number of SSL sites. I can use certificates issued in the past or which have been imported (with private keys) from other servers without a problem; the ports, router, bindings, etc are setup properly. Using a newly issued certificate, however, fails. I could work around this by requesting/processing the certificate on another server; as this is our primary web server, however, I'd like to resolve the underlying issue.

Tyrven