KS-Soft. Network Management Solutions
SSL URL request test and W2K3 SP1

rdol
Joined: 28 Apr 2002
Posts: 20

Posted: Tue Nov 01, 2005 6:31 am    Post subject: SSL URL request test and W2K3 SP1

Hi,
currently we use the latest non-beta Hostmon v. 5.38 started as a service under the Local System account. We also configured a domain account for service impersonation in the Hostmon configuration.

We applied SP1 on the W2K3-based hostmon server yesterday. All tests (including tests executed by Hostmon agents in separate DMZs) are ok, except for URL requests on SSL protected pages.

I have spent many hours investigating this; here are the results:
- we do not use proxy, there is no problem with our company firewall
- https://sslnt.iol.cz is accessible from web browser on our hostmon server
- URL test is OK if I run Hostmon in an application mode
- URL test is Not found if I run Hostmon as a service under Local System
- URL test is OK if I run Hostmon as a service under my domain admin account

It seems that the temporary solution is to run Hostmon under the domain admin account. The problem is that this service is not manageable - I do not see any icon in the systray when I am connected to the TS console. Yes, I can try to install the beta and use RCC, unfortunately I do not like beta versions on my production servers.

Did anybody solve this issue?

Regards

Radek Dolezel
KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Tue Nov 01, 2005 5:02 pm

Quote:
URL test is Not found if I run Hostmon as a service under Local System


HostMonitor does not use a "not found" status. Probably the status is "no answer"?
Have you specified the admin's account on the Service page in the Options dialog (HostMonitor's Options dialog)?

Quote:
The problem is that this service is not manageable - I do not see any icon at systray when I am connected to TS console. Yes, I can try to install beta and use RCC, unfortunately I do not like beta versions on my production servers.


Yes, a service cannot display a GUI on remote desktops when you are using Terminal Services.
There is a non-beta version 5.66 that includes RCC 1.08:
www.ks-soft.net/hostmon.eng/downpage.htm

Regards
Alex
rdol
Joined: 28 Apr 2002
Posts: 20

Posted: Wed Nov 02, 2005 1:06 am

Sorry, status is really "No answer".

[1.11.2005 11:41:36] sslnt.iol.cz HTTPS get No answer URL request

I have specified the domain admin account on Options->Startup->Service. This is necessary because I have some tests tested by Hostmonitor. And I need to impersonate the service running under Local System to be able to access remote servers in the same domain. Is this correct? I believe so.

The problem appeared after the W2K3 SP1 installation and only with SSL based URL requests tested by Hostmonitor if the hostmon service is started under the Local System account.

It seems SP1 denies Local System to do something, maybe working with server certificates. Is there anybody who uses the same configuration (service started under Local System on W2K3 SP1) and can create a URL request to some https:// page? I would like to know if it is a general problem or it is only my problem. You can try https://sslnt.iol.cz/, the server certificate is signed by Thawte.

Regards

Radek
KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Wed Nov 02, 2005 4:05 pm

Quote:
I have specified domain admin account on Options->Startup->Service. This is necessary because I have some tests tested by Hostmonitor. And I need to impersonate service running under Local System to be able to access remote servers in the same domain. Is this correct? I believe so.


Correct

Quote:
The problem appeared after W2K3SP1 installation and only with SSL based URL requests tested by Hostmonitor if hostmon service started under Local System account....
I would like to know if it is general problem or it is only my problem. You can try https://sslnt.iol.cz/, server certificate is signed by Thawte.


Just tested https://sslnt.iol.cz on Windows 2003 SP1 + all security patches - works fine in application and service mode. And it works under the local system account.

Regards
Alex
rdol
Joined: 28 Apr 2002
Posts: 20

Posted: Thu Nov 03, 2005 11:27 am    Post subject: Solved!

I solved it! I bet you use Internet Explorer objects for URL request test.

My hostmon server is placed in a secure DMZ and cannot initiate any internet connection except for the set allowed on the firewalls (ISA 2004 and Cisco PIX).

I found that Microsoft changed the default behaviour for checking server certificate revocation in W2K3 SP1 Internet Explorer. Before SP1 the default was not to check. After SP1 the default is to check. In the GUI you can find it in the Internet Explorer menu Tools->Internet Options...->Advanced->Check for server certificate revocation (requires restart).

My hostmon server was not able to download the CA CRL file via http. The result was a slightly magic "No answer".

It was easy to revert it back to the pre-SP1 configuration. I created one registry key. The Hostmon service now runs under Local System. And the SSL tests are faster because they do not download and parse the CA CRL files.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000000

Implicitly it is "CertificateRevocation"=dword:00000001

Regards

Radek

From MS pages:
"Server Certificate Revocation
Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection."
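The post above identifies two things worth checking on a monitoring host that reports "No answer" for HTTPS tests: the CertificateRevocation value in the registry and whether the CRL distribution points in the server's certificate can actually be fetched from that host. The following diagnostic script is an added example, not HostMonitor code and not part of the thread. It reads the HKLM key named in the post (and the per-user copy under HKCU, which is an assumption about where the Internet Explorer option is stored), pulls the certificate from the target host, extracts the CRL URLs from the CRL Distribution Points extension (OID 2.5.29.31), and reports which of them are reachable. The host name and port are example parameters.

```powershell
<#
  Added diagnostic script (example only, not HostMonitor code).
  1. Reports the WinINet CertificateRevocation setting (HKLM key from the
     post; the HKCU copy is assumed to be the per-user IE option).
  2. Fetches the target server's certificate and tests whether each CRL
     distribution point can be downloaded, which is the step that fails
     behind a "No answer" result when outbound HTTP is blocked.
#>
param(
    [string]$HostName = 'sslnt.iol.cz',   # host from the thread; replace as needed
    [int]$Port = 443,
    [int]$TimeoutSec = 10
)

function Get-RevocationSetting {
    # 0 = do not check revocation; 1 or absent = check (the post-SP1 default)
    $result = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $item = Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue
        if ($null -eq $item) { $result[$hive] = 'not set (revocation check enabled by default)' }
        elseif ($item.CertificateRevocation -eq 0) { $result[$hive] = '0 (revocation check disabled)' }
        else { $result[$hive] = "$($item.CertificateRevocation) (revocation check enabled)" }
    }
    return $result
}

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any chain here: the goal is to read the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points; on Windows Format() renders the
    # extension as text containing "URL=http://..." entries.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($null -eq $ext) { return @() }
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    return @($urls | Where-Object { $_ -like 'http*' })
}

function Test-CrlReachable {
    param([string]$Url, [int]$TimeoutSec)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        return "reachable (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)"
    }
    catch {
        # A blocked or unresponsive CRL URL is exactly what makes WinINet abort the connection.
        return "UNREACHABLE: $($_.Exception.Message)"
    }
}

# --- main: print the setting, the certificate, and one line per CRL URL ---
$settings = Get-RevocationSetting
"CertificateRevocation HKLM: $($settings['HKLM'])"
"CertificateRevocation HKCU: $($settings['HKCU'])"

$cert = Get-ServerCertificate -HostName $HostName -Port $Port
"Server certificate: $($cert.Subject) (issuer: $($cert.Issuer), expires $($cert.NotAfter))"

$urls = Get-CrlUrls -Cert $cert
if ($urls.Count -eq 0) {
    "No CRL distribution points in the certificate; WinINet has nothing to fetch."
}
foreach ($url in $urls) {
    "CRL $url -> $(Test-CrlReachable -Url $url -TimeoutSec $TimeoutSec)"
}
```

Run it on the monitoring server itself, because both the per-user registry copy and the firewall rules that decide whether the CRL URL is reachable depend on that host and account. An UNREACHABLE line for a CRL URL, with revocation checking enabled, reproduces the condition the Microsoft note describes: the revocation URL does not respond and the connection is cancelled. Allowing outbound HTTP to those CRL URLs keeps revocation checking in place, whereas the registry change in the post turns it off.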
KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Thu Nov 03, 2005 12:01 pm

Quote:
I bet you use Internet Explorer objects for URL request test.


Yes, the URL test method uses wininet.dll. The HTTP test method works directly with winsock.
Glad you solved the problem. And thank you for the information, it can be useful for people.

Regards
Alex