Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Description of the changes to network retrieval of PKI objects in Windows Vista Service Pack 1 and in Windows Server 2008


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

↑ Back to the top


Summary

During certificate path validation, Windows Vista Service Pack 1 (SP1) and Windows Server 2008 may retrieve objects such as certificates and certificate revocation lists (CRLs) from the network. Windows Vista SP1 and Windows Server 2008 support this network retrieval functionality by using the FILE protocol, the HTTP protocol, and the LDAP protocol.

By default, the FILE protocol for network retrieval of public key infrastructure (PKI) objects is disabled to improve security during the network retrieval process. Additionally, the network retrieval process that uses the LDAP protocol or the HTTP protocol is modified in Windows Vista SP1 and in Windows Server 2008. For more information about these changes, see the �More Information� section.

↑ Back to the top


More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Changes in the network retrieval process that uses the FILE protocol

By default, the network retrieval process that uses the FILE protocol is disabled for certificate operations. If you want to enable this feature, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type AllowFileUrlScheme, and then press ENTER.
  5. Right-click AllowFileUrlScheme, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
This setting reverts the computer to the behavior of Windows XP Service Pack 2 (SP2), of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the LDAP protocol

By default, the PKI client in Windows Vista SP1 and in Windows Server 2008 signs and encrypts all LDAP traffic for PKI objects. Additionally, if authentication is required only for network retrieval, Kerberos authentication is performed. For testing, you may want to disable the functionality in Windows Vista SP1 and in Windows Server 2008 that signs and encrypts LDAP traffic. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type DisableLDAPSignAndEncrypt, and then press ENTER.
  5. Right-click DisableLDAPSignAndEncrypt, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
After you apply this setting, either NTLM credentials or Kerberos credentials are used for authentication. Additionally, the Sign flag and the Encrypt flag are not set in the LDAP requests. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the HTTP protocol

In the PKI client in Windows Vista SP1 and in Windows Server 2008, the network retrieval process that uses the HTTP protocol performs authentication only for the proxies that are locally configured. Whether authentication is performed depends on the error message that is returned from the proxy. If the proxy returns the following error message, authentication is performed:
HTTP 407: Proxy Authentication required
If the proxy returns the following error message, authentication is not performed:
HTTP 401: Access Denied
Note If proxy authentication is required, both Kerberos authentication and NTLM authentication will be performed.

If you want to change this default behavior, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

    Note For 32-bit applications on 64-bit platforms, locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  3. Right-click Config, point to New, and then click DWORD Value.
  4. Type EnableInetUnknownAuth, and then press ENTER.
  5. Right-click EnableInetUnknownAuth, and then click Modify.
  6. In the Value Data box, type 0x01, and then click OK.
  7. On the File menu, click Exit.
After you apply this setting, authentication is now performed when the proxy returns an "HTTP 401" error message. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.

↑ Back to the top


Keywords: KB946401, kbinfo, kbhowto, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 946401
Revision : 3
Created on : 4/10/2008
Published on : 4/10/2008
Exists online : False
Views : 635