TLS/SSL Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
TLS/SSL Tools
TLS/SSL Registry Entries
TLS/SSL Group Policy Settings
Network Ports Used by Schannel
TLS/SSL Tools
The following tools are associated with TLS/SSL.
Dsa.msc: Active Directory Users and Computers
Category
Active Directory Users and Computers is a Microsoft Management Console (MMC) that is automatically installed when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).
You can access the tool from the Start menu: click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Version compatibility
Active Directory Users and Computers runs on domain controllers that run Windows Server 2003 or Windows 2000 operating systems. You can use MMC to administer and publish information in the directory.
The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000 Server.
On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 folder on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs Lightweight Directory Access Protocol (LDAP) traffic between the administrative tool clients and domain controllers.
Note
- You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).
You can use Active Directory Users and Computers to manage the properties listed in the following table, which are associated with objects in Active Directory. Any changes you make affect certificate mapping for these objects.
Active Directory Users and Computers Object Management
Property | Changes That Affect Schannel |
---|---|
Computer objects: Name Mapping Task | Can add, edit, or remove certificates. |
User objects: Name Mapping Task | Can add, edit, or remove certificates. |
User objects: Published Certificates Tab | Lists the X.509 certificates published for the user account. Can view, remove, and copy to file the listed certificates. Can add new certificates from the local certificate store or from a DER Encoded Binary X.509 (*.cer) or PKCS #7 (*.p7b) file. |
You can find more information about Active Directory Users and Computers on the TechNet Web site.
Eventvwr.msc: Event Viewer
Category
Event Viewer is included in the Windows Server 2003, Windows XP, and Windows 2000 operating systems.
Version compatibility
Event Viewer is supported for the Windows Server 2003, Windows XP, and Windows 2000 operating systems.
The system log contains Secure Channel (Schannel) events that are related to authentication.
Schannel Events
Event ID | Severity | Description |
---|---|---|
36864 | Informational | The Schannel security package has loaded successfully. |
36865 | Error | A fatal error occurred while opening the system cryptographic subsystem cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is error code. |
36866 | Error | The Schannel security package has failed to load. Operations that require the SSL or TLS cryptographic protocols will not work correctly. |
36867 | Informational | Creating an SSL [client/server] credential. |
36868 | Informational | The SSL [client/server] credential’s private key has the following properties: The attached data contains the certificate. |
36869 | Error | The SSL [client/server] credential’s certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure. |
36870 | Error | A fatal error occurred when attempting to access the SSL [client/server] credential private key. The error code returned from the cryptographic module is error code. |
36871 | Error | A fatal error occurred while creating an SSL [client/server] credential. |
36872 | Warning | No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Microsoft Internet Information Services (IIS), are not affected by this. |
36873 | Error | No supported cipher suites were found when initiating an SSL connection. This indicates a configuration problem with the client application or the installed cryptographic modules. The SSL connection request has failed. |
36874 | Error | An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed. |
36875 | Warning | The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request might succeed or fail, depending on the server’s policy settings. |
36876 | Error | The certificate received from the remote server has not validated correctly. The error code is error code. The SSL connection request has failed. The attached data contains the server certificate. |
36877 | Warning | The certificate received from the remote client application has not validated correctly. The error code is error code. The attached data contains the client certificate. |
36878 | Warning | The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issued the certificate is not sufficiently trusted. The error code is error code. The attached data contains the client certificate. |
36879 | Warning | The certificate received from the remote client application was not successfully mapped to a client system account. The error code is error code. This is not necessarily a fatal error, as the server application might still find the certificate acceptable. |
36880 | Informational | An SSL [client/server] handshake completed successfully. The negotiated cryptographic parameters are as follows. |
36881 | Error | The certificate received from the remote server has expired. The SSL connection request has failed. The attached data contains the server certificate. |
36882 | Error | The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate. |
36883 | Error | The certificate received from the remote server has been revoked. This means that the certificate authority that issued the certificate has invalidated it. The SSL connection request has failed. The attached data contains the server certificate. |
36884 | Error | The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is servername. The SSL connection request has failed. The attached data contains the server certificate. |
36885 | Warning | When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted. |
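The following is an added example, not code from this TechNet page. It shows how the Schannel event table above can be turned into triage logic: it parses an exported System log, keeps only events whose source is Schannel, counts successful handshakes (36880) against the IDs whose description on the page ends in "The SSL connection request has failed", and lists every Error or Warning ID together with the registry entry or certificate problem an administrator should inspect next. The log lines are constructed for illustration (one event per line: date, time, source, event ID, message); a real Event Viewer export has its own column layout and would need `parse_events()` adapted to it. The severities are the page's; the "check" hints are this example's own mapping to the settings documented later on the page.

```python
"""Triage Schannel events from an exported System log (added example)."""
import re
from collections import Counter

# Severity from the page's event table and a triage hint (this example's own).
SCHANNEL_EVENTS = {
    36864: ("Informational", None),
    36869: ("Error", "credential certificate has no private key: re-enrol or restore the certificate with its key"),
    36872: ("Warning", "no default server credential: services relying on the machine default cannot accept SSL"),
    36873: ("Error", "client found no usable cipher suite: review Ciphers, Hashes and key exchange subkeys on the client"),
    36874: ("Error", "client offered no suite the server accepts: review Ciphers, Hashes and Protocols subkeys on the server"),
    36875: ("Warning", "no suitable client certificate: an anonymous connection was attempted"),
    36876: ("Error", "server certificate failed validation"),
    36877: ("Warning", "client certificate failed validation"),
    36878: ("Warning", "client certificate not suitable for direct account mapping"),
    36879: ("Warning", "client certificate could not be mapped to an account"),
    36880: ("Informational", None),
    36881: ("Error", "server certificate expired"),
    36882: ("Error", "server certificate issued by an untrusted CA"),
    36883: ("Error", "server certificate revoked"),
    36884: ("Error", "server certificate name does not match the expected server name"),
    36885: ("Warning", "trusted issuer list truncated: prune trusted CAs or consider SendTrustedIssuerList"),
}
# IDs whose page description ends with "The SSL connection request has failed."
HANDSHAKE_FAILED = {36873, 36874, 36876, 36881, 36882, 36883, 36884}

# Constructed line format: date time source event-id message
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d+) (.*)$")

# Constructed sample log; the Tcpip line shows that non-Schannel sources are ignored.
SAMPLE_LOG = """\
2004-03-02 09:00:01 Schannel 36864 The Schannel security package has loaded successfully.
2004-03-02 09:05:10 Schannel 36880 An SSL server handshake completed successfully.
2004-03-02 09:05:12 Schannel 36874 An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.
2004-03-02 09:05:15 Tcpip 4201 The system detected that a network adapter was connected to the network.
2004-03-02 09:06:30 Schannel 36880 An SSL server handshake completed successfully.
2004-03-02 09:07:02 Schannel 36874 An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.
2004-03-02 09:08:44 Schannel 36885 When asking for client authentication, this server sends a list of trusted certificate authorities to the client.
2004-03-02 09:09:05 Schannel 36882 The certificate received from the remote server was issued by an untrusted certificate authority.
2004-03-02 09:10:00 Schannel 36880 An SSL client handshake completed successfully.
"""


def parse_events(text):
    """Return [(timestamp, event_id, message)] for lines whose source is Schannel."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2).lower() == "schannel":
            events.append((m.group(1), int(m.group(3)), m.group(4)))
    return events


def triage(events):
    """Summarise handshake outcomes and list every non-informational ID with its hint."""
    counts = Counter(eid for _, eid, _ in events)
    findings = []
    for eid, n in sorted(counts.items()):
        severity, hint = SCHANNEL_EVENTS.get(eid, ("Unknown", "ID not in the Schannel event table"))
        if severity != "Informational":
            findings.append({"id": eid, "count": n, "severity": severity, "check": hint})
    return {
        "handshakes_ok": counts[36880],
        "handshakes_failed": sum(n for eid, n in counts.items() if eid in HANDSHAKE_FAILED),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG))
    print(f"handshakes ok={report['handshakes_ok']} failed={report['handshakes_failed']}")
    for f in report["findings"]:
        print(f"{f['id']} x{f['count']} [{f['severity']}] {f['check']}")
```

A burst of 36874 right after a cipher or protocol has been disabled in the registry is the usual sign that legacy clients are still trying to connect; a rising 36885 count points at the SendTrustedIssuerList discussion later on this page.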
For more information about Event Viewer, see “Event Viewer” on TechNet.
Netmon.exe: Network Monitor
Category
A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000 operating systems. The full version of Network Monitor is included with Microsoft Systems Management Server.
Version compatibility
Network Monitor is supported for Windows Server 2003, Windows XP, and Windows 2000.
Network Monitor enables you to capture network traces, which can be used to troubleshoot most network issues.
TLS/SSL Registry Entries
The following registry subkeys and entries can help you administer and troubleshoot TLS/SSL, but they apply more to Schannel SSP than TLS/SSL. They can help you verify that the required settings are applied.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.
CertificateMappingMethods
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003
This entry does not exist in the registry by default. The default value is that all four certificate mapping methods are supported.
Ciphers
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of symmetric algorithms. Each algorithm has its own subkey:
DES 56/56
This subkey controls use of the 56-bit DES algorithm.
NULL
This subkey controls use of no encryption (the NULL cipher).
RC2 128/128
This subkey controls use of the 128-bit RC2 algorithm.
RC2 40/128
This subkey controls use of the 40-bit RC2 algorithm.
RC2 56/128
This subkey controls use of the 56-bit RC2 algorithm.
RC4 128/128
This subkey controls use of the 128-bit RC4 algorithm.
RC4 40/128
This subkey controls use of the 40-bit RC4 algorithm.
RC4 56/128
This subkey controls use of the 56-bit RC4 algorithm.
Triple DES 168/168
This subkey controls use of the 168-bit 3DES algorithm.
The default for all of these ciphers is enabled.
To disable a cipher, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, set its DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the cipher, change the DWORD value to 0xffffffff.
ClientCacheTime
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This entry controls the lifetime, in milliseconds, of client-side cache entries. A value of 0 turns off secure connection caching. This entry does not exist in the registry by default. The default values are:
Default Client Cache Time
Windows Version | Time |
---|---|
Windows NT 4.0 with Service Pack 6a | 2 minutes |
Windows NT 4.0 with Service Pack 6a and Q265369 | 60 minutes |
Windows 2000 | 2 minutes |
Windows 2000 with Service Pack 2 or greater | 10 hours |
Windows XP | 10 hours |
Windows Server 2003 | 10 hours |
Fipsalgorithmpolicy
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\LSA
Version
Windows Server 2003, Windows XP, Windows 2000
This entry controls FIPS compliance. The default is 0.
FIPS Cipher Suites
Protocol Version | Key Exchange | Cipher | Hash |
---|---|---|---|
SSL 3.0 | RSA | DES CBC | SHA-1 |
SSL 3.0 | RSA | 3DES EDE CBC | SHA-1 |
SSL 3.0 | RSA | Export 1024 DES CBC | SHA-1 |
TLS 1.0 | RSA | DES CBC | SHA-1 |
TLS 1.0 | RSA | 3DES EDE CBC | SHA-1 |
TLS 1.0 | RSA | Export 1024 DES CBC | SHA-1 |
Hashes
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of hash algorithms. Each algorithm has its own subkey:
MD5
This subkey controls use of MD5 as the hashing algorithm.
SHA
This subkey controls use of SHA-1 as the hashing algorithm.
The default for both of these hash algorithms is enabled.
To disable a hash algorithm, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, set its DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the hash algorithm, change the DWORD value to 0xffffffff.
IssuerCacheSize
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003
This entry controls the size of the issuer cache and is used with issuer mapping. Starting with Windows Server 2003, Schannel attempts to map all of the issuers in the client’s certificate chain, not just the one that directly issued the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name over and over, hundreds of times a second. To prevent this, Windows Server 2003 has a negative cache: if an issuer name does not map to an account, it is added to the cache and Schannel will not attempt to map that issuer name again until the cache entry expires. This registry entry specifies the cache size. It does not exist in the registry by default. The default value is 100.
IssuerCacheTime
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003
This entry controls the length of the issuer cache timeout interval in milliseconds. Starting with Windows Server 2003, Schannel attempts to map all of the issuers in the client’s certificate chain, not just the one that directly issued the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name over and over, hundreds of times a second. To prevent this, Windows Server 2003 has a negative cache: if an issuer name does not map to an account, it is added to the cache and Schannel will not attempt to map that issuer name again until the cache entry expires. This cache is kept for performance reasons, so that the system does not keep trying to map the same issuers repeatedly. This entry does not exist in the registry by default. The default value is 10 minutes.
KeyExchangeAlgorithm
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of key exchange algorithms. Each algorithm has its own subkey:
Diffie-Hellman
This subkey controls use of Diffie-Hellman (DH) for key exchange.
PKCS
This subkey controls use of RSA for key exchange.
The default for both of these key exchange algorithms is enabled.
To disable a key exchange algorithm, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, set its DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the algorithm, change the DWORD value to 0xffffffff.
MaximumCacheSize
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This entry controls the maximum number of session cache elements. Setting MaximumCacheSize to 0 disables the server-side session cache and prevents reconnects. Increasing MaximumCacheSize above the default value causes Lsass.exe to consume additional memory; each session cache element typically requires 2-4 KB of memory. This entry does not exist in the registry by default. The default value is 10,000 elements.
PCT 1.0
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of the Private Communications Transport (PCT) protocol.
Client
This subkey controls use of PCT on the client.
Server
This subkey controls use of PCT on the server.
To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.
DisabledByDefault
This entry controls whether PCT is disabled by default. This entry does not exist in the registry by default.
SendTrustedIssuerList
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003
This entry controls whether Schannel sends the list of trusted issuers when it requests client authentication. On servers that trust hundreds of certificate authorities for client authentication, there are too many issuers for the server to send them all to the client when requesting client authentication. In this situation, this registry entry can be set so that, instead of sending a partial (truncated) list, Schannel sends no list to the client.
Not sending a list of trusted issuers might affect what the client sends when asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it displays only the client certificates that chain up to one of the certificate authorities sent by the server. If the server did not send a list, Internet Explorer displays all of the client certificates that are installed on the client machine. This behavior might be desirable when the PKI environment includes cross certificates: the client and server certificates will not have the same root CA, so Internet Explorer cannot choose a certificate that chains up to one of the server’s CAs. By configuring the server not to send a trusted issuer list, Internet Explorer will send all of its certificates.
This entry does not exist in the registry by default. The value is true by default.
ServerCacheTime
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Version
Windows Server 2003, Windows XP, Windows 2000
This entry controls the lifetime, in milliseconds, of server-side cache entries. A value of 0 disables the server-side session cache and prevents reconnects. Increasing ServerCacheTime above the default values causes Lsass.exe to consume additional memory; each session cache element typically requires 2-4 KB of memory. This entry does not exist in the registry by default. The default values are:
Default Server Cache Time
Windows Version | Time |
---|---|
Windows NT 4.0 with Service Pack 6a | 2 minutes |
Windows NT 4.0 with Service Pack 6a and Q265369 | 5 minutes |
Windows 2000 | 2 minutes |
Windows 2000 with Service Pack 2 or greater | 10 hours |
Windows XP | 10 hours |
Windows Server 2003 | 10 hours |
SSL 2.0
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of SSL 2.0.
Client
This subkey controls use of SSL 2.0 on the client.
Server
This subkey controls use of SSL 2.0 on the server.
To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.
DisabledByDefault
Flag to disable SSL 2.0 by default.
SSL 3.0
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of SSL 3.0.
Client
This subkey controls use of SSL 3.0 on the client.
Server
This subkey controls use of SSL 3.0 on the server.
To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.
TLS 1.0
Registry path
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Version
Windows Server 2003, Windows XP, Windows 2000
This subkey controls use of TLS 1.0.
Client
This subkey controls use of TLS 1.0 on the client.
Server
This subkey controls use of TLS 1.0 on the server.
To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.
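The following is an added example, not code from this TechNet page. It covers the Ciphers, Hashes, KeyExchangeAlgorithm and Protocols sections above in one place: it parses a `.reg` export of the SCHANNEL key and applies the rules the page states (an absent Enabled entry means enabled, a DWORD of 0 disables, a non-zero DWORD such as 0xffffffff enables, and disabling an algorithm disallows every cipher suite that uses it) to report which protocols are enabled per side and which cipher suites survive. The export text and the suite list are constructed for illustration; on a real host the export would come from `reg export` of the SCHANNEL key, and the suite list would be the server's actual suite catalogue. The key-exchange container is spelled `KeyExchangeAlgorithms` here, which is the name as it exists in the registry; the page heads its section with the singular form.

```python
r"""Audit effective Schannel algorithm and protocol state from a .reg export (added example).

Constructed input; a real export would come from
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel.reg
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
KX_SUBKEY = "KeyExchangeAlgorithms"  # registry spelling of the key exchange container
PROTOCOLS = ["PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0"]

# Constructed sample export: DES and MD5 disabled, RC4 128 explicitly enabled,
# SSL 2.0 disabled on the server side only, ServerCacheTime set to 10 hours in ms.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ServerCacheTime"=dword:02255100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"""

# Constructed subset of suites, each expressed as the subkeys it depends on:
# (protocol, key exchange subkey, Ciphers subkey, Hashes subkey).
SAMPLE_SUITES = [
    ("SSL 2.0", "PKCS", "RC4 128/128", "MD5"),
    ("TLS 1.0", "PKCS", "DES 56/56", "SHA"),
    ("TLS 1.0", "PKCS", "Triple DES 168/168", "SHA"),
    ("TLS 1.0", "PKCS", "RC4 128/128", "MD5"),
    ("TLS 1.0", "PKCS", "RC4 128/128", "SHA"),
    ("TLS 1.0", "Diffie-Hellman", "Triple DES 168/168", "SHA"),
]


def parse_reg(text):
    """Return {key path: {value name: int}} for every dword value in a .reg export.

    Registry names are case-insensitive, so both levels are lower-cased.
    """
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                reg[key][name.strip('"').lower()] = int(raw[len("dword:"):], 16)
    return reg


def is_enabled(reg, relpath):
    """Enabled state of a subkey below SCHANNEL: absent -> enabled, 0 -> disabled, else enabled."""
    value = reg.get((SCHANNEL + "\\" + relpath).lower(), {}).get("enabled")
    return value is None or value != 0


def protocol_state(reg, side):
    """Map each protocol to its Enabled state for side 'Client' or 'Server'."""
    return {p: is_enabled(reg, f"Protocols\\{p}\\{side}") for p in PROTOCOLS}


def allowed_suites(reg, suites):
    """Keep suites whose protocol (server side), key exchange, cipher and hash are all enabled."""
    kept = []
    for proto, kx, cipher, hash_ in suites:
        deps = [f"Protocols\\{proto}\\Server", f"{KX_SUBKEY}\\{kx}",
                f"Ciphers\\{cipher}", f"Hashes\\{hash_}"]
        if all(is_enabled(reg, d) for d in deps):
            kept.append((proto, kx, cipher, hash_))
    return kept


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for side in ("Client", "Server"):
        print(side, protocol_state(reg, side))
    kept = allowed_suites(reg, SAMPLE_SUITES)
    for suite in kept:
        print("allowed:", suite)
    print("dropped:", len(SAMPLE_SUITES) - len(kept))
```

Note that disabling MD5 alone removes every suite that hashes with MD5, regardless of protocol, which is exactly the "disallows all cipher suites that use that algorithm" rule. When writing these subkeys on a real host, keep in mind that names such as `RC4 128/128` contain a forward slash, which PowerShell's registry provider treats as a path separator; `reg.exe` or the .NET `Microsoft.Win32.Registry` class handles them as literal names.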
TLS/SSL Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with Schannel.
Group Policy Settings Associated with Schannel
Group Policy Setting | Description |
---|---|
Security options: System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing | Changes to this setting determine whether Schannel will only support the TLS protocol as a client (and as a server, if applicable) and only use the FIPS-compliant algorithms (see the FIPS Cipher Suites table above). Both the client and the server must support these algorithms and TLS to communicate using a secure channel application. For example, if you enable this policy setting, you will also need to configure Internet Explorer to use TLS (which is off by default) to connect using Secure Hypertext Transfer Protocol (HTTPS) to a server with this setting. |
For more information about Group Policy settings, see the “Group Policy Settings Reference for Windows Server 2003” in Tools and Settings Collection.
Network Ports Used by Schannel
Port Assignments for Common Applications over TLS/SSL
Service Name | TCP |
---|---|
smtp | 25 |
https | 443 |
nntps | 563 |
ldaps | 636 |
ftps-data | 989 |
ftps | 990 |
telnets | 992 |
imaps | 993 |
pop3s | 995 |
ms-sql-s | 1433 |
msft-gc-ssl | 3269 |
tftps | 3713 |