Archive: February, 2011

500 Internal Server Error while using Client Certificate Mapping in IIS 7.

February 26th, 2011

I have a client (he reads my blog from time to time, so Hello if you’re reading this. ;o) who experienced an issue I hadn’t run across before. They are migrating their MOSS 2007 environment to another location and were basically trying to set up the same version of MOSS but virtualized on Windows 2008/IIS 7 rather than physically on Windows 2003/IIS 6.

They have several Smart Card/CAC authenticated extended sites for external users. They were using the IIS Certificate Mapping feature, which is a bit different and causes some extra work since there isn’t actually a GUI in IIS 7 like there was in IIS 6.

We got everything configured properly using the following article if you’re interested in implementing this in your environment:

Configuring Many-to-One Client Certificate Mappings for IIS 7/7.5

Even though we had all this configured properly, the MOSS sites would not resolve; they rendered a non-specific 500 Internal Server Error instead. Fun stuff, right?

After hours of troubleshooting the configuration and finally bringing on an IIS expert from Microsoft’s support team, they found out that this issue was being caused by the two registry keys below. These were added as part of a security update that was designed as a workaround to a TLS/SSL vulnerability.

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
      • DisableRenegoOnClient=1
      • DisableRenegoOnServer=1

These registry keys are mentioned in KB 977377. We resolved the issue by setting both of these to 0 (zero) and rebooting the server. 

So essentially remnant registry settings from the following security patch caused this issue:

Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing KB977377

The TLS/SSL vulnerability was actually fixed rather than worked around in:  

MS10-049: Vulnerabilities in SChannel could allow remote code execution

and replaced the above KB 977377.
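One way to check a server for the two values described above and reset them the way this post did, written as an added example (it is not from the original troubleshooting session or from Microsoft). The function names Get-RenegoSetting and Set-RenegoAllowed are hypothetical, and the script assumes PowerShell 2.0 or later running elevated.

```powershell
# Added example: audit and reset the SCHANNEL renegotiation values named in the post.
$SchannelKey = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$RenegoNames = 'DisableRenegoOnClient', 'DisableRenegoOnServer'

function Get-RenegoSetting {
    # Report each value as: not set, 0 (renegotiation allowed) or non-zero (disabled).
    param([string]$Path = $SchannelKey)
    foreach ($name in $RenegoNames) {
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }

        if ($null -eq $value) { $state = 'not set' }
        elseif ($value -eq 0) { $state = 'renegotiation allowed' }
        else                  { $state = 'renegotiation disabled (KB 977377 workaround)' }

        New-Object PSObject -Property @{ Name = $name; Value = $value; State = $state }
    }
}

function Set-RenegoAllowed {
    # Set only the values that exist and are non-zero to 0, as the post did.
    # Values that are absent are left absent. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $SchannelKey)
    $changed = 0
    foreach ($setting in (Get-RenegoSetting -Path $Path)) {
        if ($null -ne $setting.Value -and $setting.Value -ne 0) {
            if ($PSCmdlet.ShouldProcess("$Path\$($setting.Name)", 'Set to 0')) {
                Set-ItemProperty -Path $Path -Name $setting.Name -Value 0 -Type DWord
                $changed++
            }
        }
    }
    if ($changed -gt 0) {
        Write-Warning "$changed value(s) changed. The post rebooted the server afterwards."
    }
}

# Audit first; run the reset only after confirming the workaround values are remnants.
Get-RenegoSetting | Format-Table Name, Value, State -AutoSize
# Set-RenegoAllowed -WhatIf
```

Run `Set-RenegoAllowed -WhatIf` first to see which values would change before applying it for real.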

Hopefully the above resolution will help someone else…

Enjoy, and let me know if you come across this same issue in your environment.