Bug in IIS 7.5 (W2K8R2): Unable to bind a wildcard SSL certificate to IIS website unless marked exportable
To the Windows Server Team: · Is this a bug or am I doing something wrong? o If it is a bug, what is the ETA for a patch? o If it is not a bug, what am I doing wrong? Environment: · Server: Windows Server 2008 R2 o Clean install; enable IIS · Certificate: Wildcard SSL certificate (in this case, from DigiCert) o Install *.domain.com certificate per vendor instructions; mark as exportable (used W2K3 OS) o Export a star_domain_com.pfx file (to be used below in W2K8R2 environment) Steps to reproduce problem: 1. Log in as administrator on W2K8R2 server 2. Double-click on star_domain_com.pfx to launch Wizard; complete Wizard marking leaving the “exportable” option unchecked. 3. Ensure that the Certificate is properly installed (including all intermediate certificates, either manually or by using the vendor Certificate Utility (i.e., https://www.digicert.com/util/ in the case of DigiCert) 4. Create a new website, site1.domain.com, using IIS Manager (i.e., “Add Web Site…” and fill in site name, content directory, host name, etc. … in my case, I started by creating the site with a HTTP, port 80, binding) 5. Add SSL binding to the site , using “Edit Site” (i.e., “Bindings…”, “Add…” with parameters HTTP, All Unassigned IP addresses, Port 443, and SSL certificate *.domain.com) · This generates the “Add Site Binding” error: “There was an error while performing this operation. Details: A specified login session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)” 6. Unable to associate certificate with this binding. Work-around: First REMOVE the certificate using IIS Manager (i.e., select “Server Certificates” and take the “Remove” action), then follow the same steps above, EXCEPT in Step 2, mark the certificate as “exportable” then 5. Add SSL binding (i.e., as above but without getting the error) 6. Use “appcmd” to add the host header mapping: appcmd set site /site.name:site1 /bindings.[protocol='https',bindingInformation='*:443:'].bindingInformation:*:443: site1.domain.com 7. Verify the installation (e.g., using vendor website such as http://www.digicert.com/help/) Primary concern with work-around: One of the problems with the work-around is that the certificate is now exportable by anyone who has access to this server … this is not a “security best practice” for wildcard certificates. Additional references: · http://msdn.microsoft.com/en-us/library/ms819978.aspx ... see fifth error under “Kerberos Tokens (Including Kerberos QuickStart)”, which in turn references http://msdn.microsoft.com/en-us/library/ms819982.aspx · http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4a2bcc5b-8845-4bda-a6ae-70a0503e9a6f (a similar problem, but in the context of a much more complex environment; the steps above demonstrate that this “bug” is an issue in even the most basic installations)
July 8th, 2010 8:41pm
This error can occur if the certificate's private key provider information is invalid. On the Windows Server 2008 R2 server, run the following command: certutil -p Pfxpassword -v -dump star_domain_com.pfx In the output, look for a section labeled CERT_KEY_PROV_INFO_PROP_ID(2). What are the values for the following entries? I include the expected values in parenthesis. Provider = (Microsoft RSA SChannel Cryptographic Provider) ProviderType = (12) Flags = (0) KeySpec = (1) If you're values are different, then remove the certificate again and import it via the command line using the following command: certutil -p Pfxpassword -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx star_domain_com.pfx AT_KEYEXCHANGE,NoExport,NoProtect This should import the PFX file with the correct settings. Try to bind the certificate to the site now. Hope this helps, Jonathan Stephens This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 9th, 2010 12:40am
Hi Jonathan – Thanks for your post … I think you’re on the right track. Here are the details: Dumping the properties provided the following information: Provider = Microsoft RSA SChannel Cryptographic Provider ProviderType = c Flags = 20 KeySpec = 1 -- AT_KEYEXCHANGE The values for ProviderType and Flags are different than the expected values you provided, so I removed and re-imported the certificate with the certutil parameters you specified. To test the results, I created via IIS Manager three websites (i.e., site1.domain.com, site2.domain.com, and site3.domain.com) and bound the certificate (using IIS manager) and host header mappings (using appcmd) to each site. Everything worked as expected. To continue the testing, I deleted one of the sites (via IIS Manager) and got the following warning: Confirm Remove. The certificate associated with the HTTPS binding of this site is also assigned to another site’s binding. Deleting this site will cause the HTTPS binding of the other site to be unusable. Do you still want to continue? Selecting “Yes” removes the website, but in fact removes the certificate binding from all the other sites. Is there a certutil parameter that needs to be tweaked to address this issue? Thanks!
July 9th, 2010 4:20pm
Hi, The warning can occur if a certificate is assigned to multiple sites. Since it is more related to IIS, I suggest that you post to the IIS forum for assistance. http://forums.iis.net/ Thanks for your understanding. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 12th, 2010 3:27am
Thanks Joson ... Per your suggestion, this issue has been cross-posted to http://forums.iis.net/p/1169512/1949984.aspx in case members of that site have additional suggestions. None-the-less, additional suggestions to this TechNet post would be greatly appreciated.
July 12th, 2010 4:18pm
Hi Jonathan – Over the weekend, I made a tiny bit of progress on this issue. I imported the *.domain.com wildcard certificate (via the .pfx file that was originally generated on a W2K3 server) onto a W2K8 server and then re-exported it to a new .pfx file ... the logic/hypothesis was that perhaps creating the .pfx file on a W2K8 server rather than on a W2K3 server might help (e.g., perhaps there were some changes in syntax that MS implemented for .pfx files between W2K3 and W2K8). I then used that new .pfx file to import the certificate to my W2K8R2 server without marking it exportable. And it did help just a little, I no longer get the “Add Site Binding” error noted in my original 7/8/2010 post [i.e., “There was an error while performing this operation. Details: A specified login session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)”] when attempting to bind the wildcard certificate to an IIS site. But I do still have the problem that I mentioned to you in my response to your 7/9/2010 post ... i.e., if I delete one of the websites to which the certificate was bound, then that action removes the certificate binding from all the other sites. Given this new information, do you have any suggestions on what I might try next? Thanks!
July 12th, 2010 7:09pm
Hi Jonathan & other TechNet colleagues – An update on my progress … Given that (as noted in my 7/12 response to your post) recreating the .pfx file helped resolve some of the issues, I thought I’d go a step further and have the wildcard cert re-issued on an IIS7 (rather than on IIS6) server and then import it (via a new IIS7-generated .pfx file) to my IIS7.5 server without marking it exportable. As before, when attempting to bind the wildcard certificate to an IIS site, I now avoid the “Add Site Binding” error noted in my original post [i.e., “There was an error while performing this operation. Details: A specified login session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)”]. Unfortunately, I still have the problem the problem that if I delete one of the websites to which the certificate was bound, then that action removes the certificate binding from all the other sites. Should I conclude that part of the issue is that .pfx files created by IIS6 don’t necessarily play well on IIS7? Do you (or anyone else) have other suggestions on how to completely resolve this issue?
July 13th, 2010 9:26pm
Colleagues — More on my last issue that if I delete one of the websites to which the certificate was bound, then that action removes the certificate binding from all the other sites. The following additional experimentation/research seems to indicate that this issue is inherent in the current Windows design and any work-around will involve manually editing XML files, etc. If this observation is correct, then Microsoft would need to make some fundamental changes to the functionally of their IIS Manager UI (or other command-line utilities). At a minimum, an appropriate work-around should be documented/posted (e.g., in a KB article)—basically, describing how to edit the applicationhost.config XML to remove the relevant *:443 binding before deleting a site. Action/Response Requested: Do folks agree with this conclusion? If so, what’s the appropriate pathway to engage Microsoft on this issue? Here’s a summary of the additional experimentation/research: · In my experimentation, it doesn’t matter whether, when using the IIS Manager UI, I first remove the HTTPS binding and then delete the site or simply delete the site. In either case, removing a site or removing the SSL binding from a site results in the certificate binding disappearing from all other websites. · Per http://msdn.microsoft.com/en-us/library/ms186362.aspx, “Registering an SSL certificate for an IP:Port affects all applications that listen on that IP:Port. … This is a limitation of the kernel-mode HTTP driver (Http.sys).” This appears to imply that IP:Port bindings are all or nothing hence the warning is reflecting something fundamental to the Windows design (i.e., the warning: “Site Bindings: The certificate associated with this binding is also assigned to another site’s binding. Deleting this binding will cause the HTTPS binding of the other site to be unusable. Do you still want to continue?”). · I also found a posting on IIS.NET (http://forums.iis.net/t/1149714.aspx) that basically says that it is an inherent limitation of the IIS Manager UI that any time you modify an IP:Port binding, it affects all sites using that IP:Port combination. In my case, the IP:Port is “*:443” and that is common to all the HTTPS sites I’m working with. A response by a Microsoft person (Anil Ruia) suggests that the only workaround is to directly edit the applicationhost.config XML (located in %windir%\System32\inetsrv\config). Advice/counsel?
July 14th, 2010 6:45pm
The issue is with the Microsoft.Web.Administration code and how it handles sites with the same IP/Port combination. The IIS manager uses MWA and therefore is affected the same way. I fully agree that we need better documentation on this - and will be working with our content team to create that. However - an alternate way to delete sites without having to edit the config file, or even to edit bindings that share the same IP/Port combinations with other sites is to use appcmd.exe. It is located in c:\windows\system32\inetsrv. It needs to be run from an administrator command prompt. To delete a site it would just be: appcmd delete site "<sitename>"
July 16th, 2010 8:46pm
Here is a link to documenation for the issue of losing the wildcard certificate on active sites after deleting a site that shares that certificate (same IP/Port, different host header): http://support.microsoft.com/kb/2405568
September 9th, 2010 8:38pm
Thanks Patty for following up on this and creating the knowledge base article about wildcard certificates, etc. I appreciate it!
April 20th, 2011 9:07am