Saturday, July 27, 2013

Error opening SSL protected web sites running on IIS from a Windows XP computer

Recently I experienced an error accessing an HTTPS web site using Internet Explorer 8. Even though this is not the most current setup, I thought I should share what happened.

1. An SSL certificate is installed on the Windows Server and is configured in IIS on the default web site or any other web site you have.

2. The client is a Windows XP machine and you use Internet Explorer to access the web site. (The problem does not occur if you use Chrome or Firefox.)

3. The problem: IE reports an "Internet Explorer cannot display the webpage" error immediately when you try to access the web site. This is the same message you see if the web site or server does not exist or the DNS name cannot be resolved.

4. Accessing the same web site from Windows 7 using Internet Explorer works with no issues.

So what is wrong?

To investigate the problem I used Fiddler and the information from the server's event log, which showed that the browser and the web server could not find a common encryption cipher.
Because the server was just using the default settings, I thought it would be good to verify the local machine's certificate store.
So I ran certutil.exe -store my on the server and found out that the SSL certificate was installed using the Microsoft Strong Cryptographic Provider. So I exported it and imported it using the certutil.exe -importpfx command into the Microsoft RSA SChannel Cryptographic Provider CSP. After that, access from the XP machines worked again.
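
The check described above can be scripted. The following is an added example, not part of the original post: it parses certutil.exe -store my output and lists certificates whose key is held by a provider other than the SChannel CSP. The function name Get-CertProvider and the sample output are constructed for illustration, and the -csp option shown in the comment is certutil's switch for selecting the provider on import.

```powershell
$SChannelCsp = 'Microsoft RSA SChannel Cryptographic Provider'

# Hypothetical helper: turn "certutil.exe -store my" text into one object per certificate.
function Get-CertProvider {
    param([string[]]$CertutilOutput)
    $current = $null
    foreach ($line in $CertutilOutput) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            if ($current) { $current }          # emit the previous certificate
            $current = New-Object PSObject -Property @{
                Index = [int]$Matches[1]; Serial = $null; Subject = $null; Provider = $null }
        }
        elseif (-not $current) { continue }     # skip the store header lines
        elseif ($line -match '^Serial Number:\s*(\S+)')   { $current.Serial   = $Matches[1] }
        elseif ($line -match '^Subject:\s*(.+)$')         { $current.Subject  = $Matches[1].Trim() }
        elseif ($line -match '^\s*Provider\s*=\s*(.+)$')  { $current.Provider = $Matches[1].Trim() }
    }
    if ($current) { $current }                  # emit the last certificate
}

# Constructed sample output (not taken from the original server).
$sample = @'
my
================ Certificate 0 ================
Serial Number: 0123456789abcdef
Issuer: CN=Example Issuing CA
Subject: CN=www.example.test
  Key Container = example-container-0
  Provider = Microsoft Strong Cryptographic Provider
================ Certificate 1 ================
Serial Number: 0fedcba987654321
Issuer: CN=Example Issuing CA
Subject: CN=mail.example.test
  Key Container = example-container-1
  Provider = Microsoft RSA SChannel Cryptographic Provider
CertUtil: -store command completed successfully.
'@ -split "`r?`n"

# On the server, use the live output instead: $sample = & certutil.exe -store my
Get-CertProvider $sample |
    Where-Object { $_.Provider -and $_.Provider -ne $SChannelCsp } |
    ForEach-Object {
        "{0} (serial {1}) uses '{2}'" -f $_.Subject, $_.Serial, $_.Provider
        # After exporting the certificate to a PFX, re-import it into the SChannel CSP:
        #   certutil.exe -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <exported.pfx>
    }
```

With the constructed sample, only www.example.test is reported, because its key sits in the Microsoft Strong Cryptographic Provider.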

btw: Qualys runs a free service with an excellent test drive for SSL web sites (including explanations of what to configure and why) at https://www.ssllabs.com/ssltest/