Discussion:
Application with HTTPS connections and IE 7 WinInet Issue.
MHEDS
2007-05-11 16:56:01 UTC
Hi,

We have a Visual C++ application that runs as a Windows Service. The Service runs with the Local System Account and makes HTTPS connections to a server (our own server) for downloading files. We use WinInet in our Service for the HTTPS communication.

The application worked with no problem until we tested the application with IE 7. With IE 7, when we call CHttpFile::SendRequest, the function returns 0. We caught the error and the error number was 12057 - ERROR_INTERNET_SEC_CERT_REV_FAILED. I ran the Fiddler tool to verify. What I saw was that the Service tried to make a connection to GeoTrust to verify the Certificate returned from the server, and failed. This event leads me to believe that the Service for some reason can't verify the Certificate from the server with the Root Certificate that is already installed on the PC (comes with IE). I ran the Fiddler tool with a PC running IE 6 and the Fiddler tool didn't show that the Service tried to make a connection to GeoTrust. On the PC running IE 6, the service can verify the Certificate that is returned from the server with the Root Certificate that is installed on the PC.

Right now the workaround is to change the "Logon as" of our Windows Service to a valid Local User Account. By changing the "Logon as", the Service can verify the Certificate that comes from the server with the Root Certificate installed on the Client PC and doesn't need to make a connection to GeoTrust.

My question is: why, with the IE 7 WinInet.dll, can't the Local System Account read the Root Certificate that is installed on the PC? It worked before with previous versions of IE.

Thank you in advance.
Cordell Jones
2007-05-15 17:06:01 UTC
1. Don't use WinINet in a service
2. Definitely don't use WinINet in a service running as local system!
3. Most likely the caller has not configured the proxy settings for the
service account, and the caller is behind a proxy. Without the proxy info,
WinInet can't do a proper Certificate Revocation List (CRL) check.
4. Developers wishing to do HTTP in a service should use WinHTTP.

Here is a KB on the issue.

http://support.microsoft.com/default.aspx/kb/238425

Cordell
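
Added example, not part of the thread or any poster's code: a minimal WinHTTP request of the kind the reply recommends for services, with revocation checking enabled and the secure-failure flags decoded, so a service log can tell "revocation check could not be completed" apart from "certificate revoked". The host name, path and agent string are placeholders, and the non-Windows fallback defines exist only so the decoder builds off Windows.

```c
/* Added example, not code from the thread. Host, path and agent are placeholders. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>                 /* link with winhttp.lib */
#else                                /* winhttp.h values, so the decoder builds anywhere */
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED 0x00000001
#define WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT    0x00000002
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED    0x00000004
#define WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA      0x00000008
#endif
static const struct { unsigned long bit; const char *name; } FLAGS[] = {
    { WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED, "revocation-check-failed " },
    { WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT,    "invalid-cert " },
    { WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED,    "cert-revoked " },
    { WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA,      "untrusted-ca " },
};
/* Turn the secure-failure bitmask into text for the service log. */
const char *decode_secure_failure(unsigned long f, char *buf, size_t n) {
    size_t i;
    if (n == 0) return buf;
    buf[0] = '\0';
    for (i = 0; i < sizeof FLAGS / sizeof FLAGS[0]; i++)
        if (f & FLAGS[i].bit) strncat(buf, FLAGS[i].name, n - strlen(buf) - 1);
    return buf;
}
#ifdef _WIN32
static void CALLBACK on_status(HINTERNET h, DWORD_PTR ctx, DWORD st, LPVOID info, DWORD len) {
    char buf[128];
    (void)h; (void)ctx;
    if (st == WINHTTP_CALLBACK_STATUS_SECURE_FAILURE && info && len >= sizeof(DWORD))
        fprintf(stderr, "TLS failure: %s\n", decode_secure_failure(*(DWORD *)info, buf, sizeof buf));
}
int main(void) {
    DWORD rev = WINHTTP_ENABLE_SSL_REVOCATION;   /* revocation checking is opt-in in WinHTTP */
    /* DEFAULT_PROXY reads the machine-wide WinHTTP proxy, not a user's IE settings. */
    HINTERNET s = WinHttpOpen(L"svc-downloader/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                              WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
    if (!s) return 1;
    /* Set before creating child handles so they inherit the callback. */
    WinHttpSetStatusCallback(s, on_status, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0);
    HINTERNET c = WinHttpConnect(s, L"downloads.example.com", INTERNET_DEFAULT_HTTPS_PORT, 0);
    HINTERNET r = c ? WinHttpOpenRequest(c, L"GET", L"/file.bin", NULL, WINHTTP_NO_REFERER,
                                         WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE) : NULL;
    BOOL ok = r && WinHttpSetOption(r, WINHTTP_OPTION_ENABLE_FEATURE, &rev, sizeof rev)
        && WinHttpSendRequest(r, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0)
        && WinHttpReceiveResponse(r, NULL);
    if (!ok) fprintf(stderr, "request failed, error %lu\n", GetLastError());
    if (r) WinHttpCloseHandle(r);
    if (c) WinHttpCloseHandle(c);
    WinHttpCloseHandle(s);
    return ok ? 0 : 1;
}
#endif
```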