IIS 6 and SSL problems

sweetleaf · 06-23-2008, 04:27 AM

Hi

I'm running my website on W2003 with IIS 6. The non secure version of the site works fine, but I'm having trouble getting the secure version working.

I've brought and installed the certificate, which according to IIS is fine. I installed the MS IIS diag tool and that claims that strmfilt.dll is not loaded into lsass.exe. It tells me to check the ISAPI filters for sspifilt.dll, which isn't present, so I try to search for it, and I can't find it. I tried downloading a version from the web, but IIS didn't like.

The only info I found on the MS website was only relevant to IIS5 and earlier.

So, do I really need sspifilt.dll as it doesn't seem to be available on the server and I can't find it on the W2003 CD? And if I do need it, where can I get the right version?

Any help much appreciated.

Thanks
Jo

tannerjohn · 07-01-2008, 06:42 AM

In IIS is the ssl port set to the default of 443?
Are you testing internally or externally, and if externally do you have a perimeter firewall needing port 443 opened or published?

sweetleaf · 07-02-2008, 08:44 AM

Hi, thanks for replying :)

Yes, the SSL port is set to 443 in IIS
I've tried it internally and externally. The firewall is open and used to work OK with https going to the email server for secure remote email (firewall is now pointing to the webserver).

The log for the iis diagnostic tool is:

System time: Mon, 30 Jun 2008 14:13:48 GMT
ModuleFileName: C:\Program Files (x86)\IIS Resources\SSLDiag\SSLDiag.exe version: 1.1:34.0
CommandLine: "C:\Program Files (x86)\IIS Resources\SSLDiag\SSLDiag.exe"
ProcessorArchitecture: AMD64
#WARNING:The executable for SSL Diagnostics is not matching your platform hence some features are disabled. Please install the AMD64 version of SSL Diagnostics.
OS: Windows 2003 Service Pack 2
IIS6 - World Wide Web Publishing (W3SVC) service is installed

[ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
ImagePath = C:\WINDOWS\system32\lsass.exe
Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
EnableKernelSsl = False(default)
strmfilt.dll loaded into process 1896 (w3wp.exe)
#WARNING:strmfilt.dll is not loaded into lsass.exe

[ SChannel Info ]
ServerCacheEntries = 0
ServerActiveEntries = 0
ServerHandshakes = 0
ServerReconnects = 0
CacheSize = 10000

[ W3SVC/1 ]
ServerComment = [removed]
ServerAutoStart = True
ServerState = Server started
#Could not impersonate server account
SSLCertHash = 77 9a 3d 32 24 e5 8d 04 8e b2 30 1a a7 25 22 4c aa 06 7a d8
SSLStoreName = MY
#CertName = [removed]
#You have a private key that corresponds to this certificate
#ContainerName='{A4A76EEB-4FDB-447F-B88E-EC310D9A42BC}'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: C=GB, S=London, L=London, O="[removed]", OU=[removed]l, CN=[removed]
#Issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, E=premium-server@thawte.com
#Validity: From 23/05/2008 01:00:00 To 24/05/2009 00:59:59
CertVerifyCertificateChainPolicy succeeded
SecureBindings = 89.0.0.1:443:

Diagnostics complete, system time: Mon, 30 Jun 2008 14:13:49 GMT

06-23-2008, 04:27 AM	#1 (permalink)
sweetleaf Registered User Join Date: Jun 2008 Posts: 2 OS: XP SP3	IIS 6 and SSL problems Hi I'm running my website on W2003 with IIS 6. The non secure version of the site works fine, but I'm having trouble getting the secure version working. I've brought and installed the certificate, which according to IIS is fine. I installed the MS IIS diag tool and that claims that strmfilt.dll is not loaded into lsass.exe. It tells me to check the ISAPI filters for sspifilt.dll, which isn't present, so I try to search for it, and I can't find it. I tried downloading a version from the web, but IIS didn't like. The only info I found on the MS website was only relevant to IIS5 and earlier. So, do I really need sspifilt.dll as it doesn't seem to be available on the server and I can't find it on the W2003 CD? And if I do need it, where can I get the right version? Any help much appreciated. Thanks Jo

07-01-2008, 06:42 AM	#2 (permalink)
tannerjohn Registered User Join Date: Jun 2008 Posts: 43 OS: vista 64bit	Re: IIS 6 and SSL problems In IIS is the ssl port set to the default of 443? Are you testing internally or externally, and if externally do you have a perimeter firewall needing port 443 opened or published? __________________ Hope it helps. My notes: headtreez.com/site/JohnsHeadTree

07-02-2008, 08:44 AM	#3 (permalink)
sweetleaf Registered User Join Date: Jun 2008 Posts: 2 OS: XP SP3	Re: IIS 6 and SSL problems Hi, thanks for replying :) Yes, the SSL port is set to 443 in IIS I've tried it internally and externally. The firewall is open and used to work OK with https going to the email server for secure remote email (firewall is now pointing to the webserver). The log for the iis diagnostic tool is: System time: Mon, 30 Jun 2008 14:13:48 GMT ModuleFileName: C:\Program Files (x86)\IIS Resources\SSLDiag\SSLDiag.exe version: 1.1:34.0 CommandLine: "C:\Program Files (x86)\IIS Resources\SSLDiag\SSLDiag.exe" ProcessorArchitecture: AMD64 #WARNING:The executable for SSL Diagnostics is not matching your platform hence some features are disabled. Please install the AMD64 version of SSL Diagnostics. OS: Windows 2003 Service Pack 2 IIS6 - World Wide Web Publishing (W3SVC) service is installed [ HKLM\System\CurrentControlSet\Services\HTTPFilter ] ImagePath = C:\WINDOWS\system32\lsass.exe Parameters\CertChainCacheOnlyUrlRetrieval = True(default) EnableKernelSsl = False(default) strmfilt.dll loaded into process 1896 (w3wp.exe) #WARNING:strmfilt.dll is not loaded into lsass.exe [ SChannel Info ] ServerCacheEntries = 0 ServerActiveEntries = 0 ServerHandshakes = 0 ServerReconnects = 0 CacheSize = 10000 [ W3SVC/1 ] ServerComment = [removed] ServerAutoStart = True ServerState = Server started #Could not impersonate server account SSLCertHash = 77 9a 3d 32 24 e5 8d 04 8e b2 30 1a a7 25 22 4c aa 06 7a d8 SSLStoreName = MY #CertName = [removed] #You have a private key that corresponds to this certificate #ContainerName='{A4A76EEB-4FDB-447F-B88E-EC310D9A42BC}' #ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE #Subject: C=GB, S=London, L=London, O="[removed]", OU=[removed]l, CN=[removed] #Issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, E=premium-server@thawte.com #Validity: From 23/05/2008 01:00:00 To 24/05/2009 00:59:59 CertVerifyCertificateChainPolicy succeeded SecureBindings = 89.0.0.1:443: Diagnostics complete, system time: Mon, 30 Jun 2008 14:13:49 GMT