Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Changes in the network retrieval process that uses the FILE protocol
By default, the network retrieval process that uses the FILE protocol is disabled for certificate operations. If you want to enable this feature, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry subkey, and then click it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
- Right-click Config, point to New, and then click DWORD Value.
- Type AllowFileUrlScheme, and then press ENTER.
- Right-click AllowFileUrlScheme, and then click Modify.
- In the Value Data box, type 0x01, and then click OK.
- On the File menu, click Exit.
This setting reverts the computer to the behavior of Windows XP Service Pack 2 (SP2), of Windows Server 2003 SP1, and of the release version of Windows Vista.
Changes in the network retrieval process that uses the LDAP protocol
By default, the PKI client in Windows Vista SP1 and in Windows Server 2008 signs and encrypts all LDAP traffic for PKI objects. Additionally, if authentication is required only for network retrieval, Kerberos authentication is performed. For testing, you may want to disable the functionality in Windows Vista SP1 and in Windows Server 2008 that signs and encrypts LDAP traffic. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry subkey, and then click it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
- Right-click Config, point to New, and then click DWORD Value.
- Type DisableLDAPSignAndEncrypt, and then press ENTER.
- Right-click DisableLDAPSignAndEncrypt, and then click Modify.
- In the Value Data box, type 0x01, and then click OK.
- On the File menu, click Exit.
After you apply this setting, either NTLM credentials or Kerberos credentials are used for authentication. Additionally, the Sign flag and the Encrypt flag are not set in the LDAP requests. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.
Changes in the network retrieval process that uses the HTTP protocol
In the PKI client in Windows Vista SP1 and in Windows Server 2008, the network retrieval process that uses the HTTP protocol performs authentication only for the proxies that are locally configured. Whether authentication is performed depends on the error message that is returned from the proxy. If the proxy returns the following error message, authentication is performed:
HTTP 407: Proxy Authentication required
If the proxy returns the following error message, authentication is not performed:
HTTP 401: Unauthorized
Note If proxy authentication is required, both Kerberos authentication and NTLM authentication will be performed.
If you want to change this default behavior, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry subkey, and then click it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
- Right-click Config, point to New, and then click DWORD Value.
- Type EnableInetUnknownAuth, and then press ENTER.
- Right-click EnableInetUnknownAuth, and then click Modify.
- In the Value Data box, type 0x01, and then click OK.
- On the File menu, click Exit.
After you apply this setting, authentication is also performed when the proxy returns an "HTTP 401" error message, not only when it returns "HTTP 407". This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.
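The three procedures above (FILE retrieval, LDAP signing and encryption, HTTP 401 proxy authentication) all write a DWORD value under the same Config subkey, and each value switches off a protection that Windows Vista SP1 and Windows Server 2008 enable by default. The following PowerShell script is an added example and is not part of the Microsoft article: it reports which of the three override values are present under both the native and the Wow6432Node subkey, and can remove them so that the SP1 default behavior is restored. The key paths and value names are taken from the article; the function names are my own.

```powershell
# Added example (not from the Microsoft article): audit and revert the three
# CertDllCreateCertificateChainEngine override values described in the article.
# Run in an elevated PowerShell session; the registry paths and value names are
# the ones the article gives, the function names are this example's own.

$ValueNames = @('AllowFileUrlScheme', 'DisableLDAPSignAndEncrypt', 'EnableInetUnknownAuth')

# Native subkey plus the Wow6432Node subkey used by 32-bit applications on 64-bit Windows.
$ConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
)

function Get-ChainEngineOverride {
    # Emits one record per (subkey, value name). Value is $null when the value is absent,
    # which is the SP1 default; Enabled is $true when the value exists and is non-zero.
    [CmdletBinding()]
    param()
    foreach ($key in $ConfigKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $ValueNames) {
            $value = $props.$name
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Enabled = ($null -ne $value -and $value -ne 0)
            }
        }
    }
}

function Reset-ChainEngineOverride {
    # Deletes every override value that is present, restoring the default behavior.
    # Supports -WhatIf and -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in (Get-ChainEngineOverride | Where-Object { $null -ne $_.Value })) {
        if ($PSCmdlet.ShouldProcess("$($entry.Key)\$($entry.Name)", 'Remove override value')) {
            Remove-ItemProperty -LiteralPath $entry.Key -Name $entry.Name
        }
    }
}

# Usage: list the current state, then preview the revert before running it for real.
Get-ChainEngineOverride | Format-Table -AutoSize
Reset-ChainEngineOverride -WhatIf
# Reset-ChainEngineOverride
```

A value that is present with data 0 is reported as not enabled but is still removed by Reset-ChainEngineOverride, since the article's default is for the value not to exist at all. The registry is case-insensitive, so the article's spelling Wow6432node and the usual Wow6432Node refer to the same subkey.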