IIS 5 & IIS 6
IIS Broke after the latest May 8, 2012 Patches with 403.7 error
Last post May 22, 2012 12:16 PM by BMartin
May 16, 2012 02:47 PM|GeorgeFurbee|LINK
I need some help... and fast (please) I have 2 servers that I have tested this on and both broke. Both systems are Windows 2003 Standard, both use IIS6 and both IIS setups are configured alike. These setup are set for CAC/Smart Card and require client certificate.
After patching these systems both websites get the IIS Error 403.7 Forbidden: Client Certificate Required. I can remove the require client and make it accept and it works but bypasses the use of the CAC/Smart Card client certificate. Uninstalled the patches
install and it is still broke, made sure all certificates were valid in the trust root certs, and updated them with the microsoft update cert exe and the dod update cert. These same certs work on 2 other systems but not these systems. New warning in the event
log after this happened is Event ID 36885 Schannel and I downloaded the hotfix and ran it and nothing. It also says to remove expired/unused certs but I am not sure what all is really used. Anyone else having issues, and can anyone help? Two straight days/nights
at this with no luck and feeling the pressure. I also removed .Net Framework 4 Client and .Net Framwork 4 Extended then ran a .Net tool to completely clean the .Net 4 Framework. We believe these are related to the .Net patches because they were broke out seperate
and no problems until they were installed. KB2656368, KB2656405, and KB2604121
May 16, 2012 09:48 PM|lextm|LINK
May 16, 2012 11:21 PM|GeorgeFurbee|LINK
The problem I am having only happened after I patched the system. I rolled back the patches cleaned the registry and ran the hotfix for the warning that pops up everytime I set IIS to require client cert. The warning is event id 36885. I deleted like 30
certs but not sure which ones to delete, I just looked for ones that didn't look like I needed them. I am also getting a WinRM warning now event id 10149. I just want to get IIS back up and running (correctly) so any ideas would be great.
May 18, 2012 10:57 AM|BMartin|LINK
I have been having the same problem as you have on two different servers. Tried backing out of the patches, reinstalling the service pack, and then installed a fix. Right now some of the users are able to connect with their CACs and other can not. Had
to turn off certficates required in IIS as well. The interesting issue I have come across is my CAC works on one computer but not another. The computer it works on is running ActivClient 126.96.36.199 and the computer it doesn't work on is running Windows 7
Professional with not certificate software installed. We tried to clear our IE history and SSL cache and reboot but the did not resolve the problem. So right now I think it is not the server but may be a client configuration issue.
I just came across this blog from 2007 that may give us some assistance
http://blogs.msdn.com/b/saurabh_singh/archive/2007/06/09/client-certificate-revisited-how-to-troubleshoot-client-certificate-related-issues.aspx. I am trying some of the steps to see if it works.
If nothing else works, I am also setting up a clean Windows 2008 server with the latest IIS to see if this resolves the problem.
Let me know if anything works for you and good luck!
May 21, 2012 08:55 AM|GeorgeFurbee|LINK
Thanks for the information. I am going to check out the metabase and see if some of the things they are saying will fix this and if I can get this resolved. The KB's that were installed are: KB 2659262, 2676562, 2686509 (all part of MS12-034) and 2695962
(ActiveX-killbit) Plus some office ones which I do not believe to be the ones that are breaking the system. All of these have been un-installed and that alone does not fix the problem. We had to do a system restore to get the server/IIS to run correct. The
problem is we are required to run the patches so a fix is something I must find.
Open to all ideas... Thanks
May 21, 2012 02:31 PM|GeorgeFurbee|LINK
Okay so today we found out is was none of the above mentioned patches, but it was another patch that we had left from the end of last month. KB931125 Root Cert update, for Windows 2003 server it came out on 4/27 and we rolled it with our patches and thought
it was a .Net patch, then thought it was a Server patch. The problem I am having now is I can not find this update to uninstall. Anyone have an idea on how to uninstall root cert updates?
Thanks to everyone who helped.
May 22, 2012 09:39 AM|GeorgeFurbee|LINK
The trick to "fixing" this ended up being to delete a bunch of root certs. This may not work for everyone but it worked for us. Here is a link of the certs you need to keep
We deleted like 60% or so off all of our root certs. For us it was easy to do because of who access our site and the sites we access with the server. It took a lot of effort to figure this out but it works.
May 22, 2012 12:16 PM|BMartin|LINK