12 Replies Latest reply: Feb 19, 2003 2:07 AM by 807573 RSS

    No Cryptographic Provider  with Internet Explorer 6

    807573
      Hi,

      We're using iPlanet Certificate Manager Server 4.7 on Win 2000AdvSrv.
      Using Web https enrollment default form (manual or directory based), installed by default.

      It used to work well until I patched my IE6 with Q323172.
      Now, I cannot list anymore the Cryptographic Provider on the enrollment form.

      If I uninstall the patch, it comes back to run normally.

      I have got the same problem if I install IE6-SP1.
      Any suggestion ?
      Thank you.
        • 1. Re: No Cryptographic Provider  with Internet Explorer 6
          807573
          Hi Jean,

          I guess its one of those inexplicaple pathes from MS.
          I guess it somehow disables the MS Windows High Encryption Pack which lists the Crypt providers.

          Plus I am also facing a problem.Have you ever tried to customize the CMS using your own plugins ,servlets etc..
          as the documention for CMS_SDK is not comprehensive .. I am facing a lot of problems understanding the internals of CMS.

          Can you through some light on this.

          ANy help would be welcomed.Thanks in advance
          Rishi
          • 2. Re: No Cryptographic Provider  with Internet Explorer 6
            807573

            Due to MS patch Q323172, all the security products are impacted.

            Sun has recently released a patch (#540435CMS47) for Certificate Server 4.7 to address this issue.

            Please contact Sun's support to obtain this patch.

            Thanks,
            Ajay Sondhi
            Engineering Manager
            Sun ONE Certificate Server
            • 3. Re: No Cryptographic Provider  with Internet Explorer 6
              807573
              I am trying to evaluate this product, and I cannot find Sun�s support contact information on the web site.

              Could someone please point me to where I can down load this patch or give me an email address or phone number to contact Sun to request this patch (#540435CMS47)

              Thanks
              • 4. Re: No Cryptographic Provider  with Internet Explorer 6
                807573
                I would like to second the request for this patch to support an evaluation of Certificate Server. Please forward information to murphjr@hushmail.com
                • 5. Re: No Cryptographic Provider  with Internet Explorer 6
                  807573
                  Hi..i want this patch too
                  please mail to aska_hsu@symphox.net

                  thank in advance..
                  • 6. Re: No Cryptographic Provider  with Internet Explorer 6
                    807573
                    Was this patch ever posted anywhere. I am also trying to evaluate the software.


                    Thanks.
                    • 7. Re: No Cryptographic Provider  with Internet Explorer 6
                      807573
                      Hello,

                      as we are also evaluating your software at the moment it would be nice to get this patch. (I couldn�t find it anywhere on your website) Without it further testing seems not possible :(
                      Please answer here ASAP or contact me at hreich@ipsi.fraunhofer.de

                      thanks in advance
                      Th. Heidenreich


                      ps: The Problem even occurs with Windows XP where no patch Q323172, is installed...
                      • 8. Re: No Cryptographic Provider  with Internet Explorer 6
                        807573
                        Hi,

                        This patch is available only throught Product Trekker ===>

                        https://iplanet.subscribenet.com/control/nscp/login

                        If you have a contract, you should have a login/password too.
                        This patch is included in the version 4.7SP1

                        If you don't have access to Product Trekker, please contact the support here ===>

                        http://www.sun.com/service/contacting/solution.html
                        • 9. Re: No Cryptographic Provider  with Internet Explorer 6
                          807573
                          Hi all,

                          I had the same problem some time ago, but finally found something that fixed it (thanks to Tony Genovese and Dhiva from doegrids.org):

                          - Microsoft Q323172 patch and newer versions of Internet Explorer activate the "kill bit" of ActiveX Control "xenroll.dll", which is the responsible of submitting certificate requests.

                          - This causes xenroll.dll to become inactive. In order to solve this, Q323172 patch and newer versions of IE provide a new "xenroll.dll" ActiveX Control.

                          - The problems appear when using this new ActiveX Control with Sun Certificate Server 4.7. The .html end-entity forms are not updated, so they can't find the newer version of "xenroll.dll".

                          - Some things to look for and change:

                          in <netscape-root>/<cert-dir>/web/ee:

                          Old (pre-patch)

                          <OBJECT
                          classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
                          CODEBASE="/xenroll.dll"
                          id=Enroll >
                          </OBJECT>


                          New (post-patch)

                          <OBJECT
                          classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
                          CODEBASE="/xenroll.cab#Version=5,131,3659,0"
                          id=Enroll >
                          </OBJECT>


                          I changed this definition in most of the Man*.html files,
                          although I am only using ManUserEnroll.html at this time.

                          I also needed to change the definition in these files:

                          EnrollSuccess.template
                          ImportCert.template
                          RenewalSuccess.template
                          displayBySerial.template


                          Jaime Ferragut
                          University of the Balearic Islands
                          Spain
                          • 10. Re: No Cryptographic Provider  with Internet Explorer 6
                            807573
                            I ran into the same issue and found a partial work-around (after about 10 days of research and trial and error.)

                            The problem is that this issue is not simply a server-side problem. Updating the certificate server's xenroll.dll files and changing the class IDs in the appropriate files (manually if you have customized them as I have) only takes care of half of the problem.

                            Each client machine uses xenroll.dll and looks for its specific class ID. If a client machine has not been updated but the server has, you will not receive an error - you simply will not get any cryptographic providers in the enrollment forms drop-down list.

                            For client OS's that automatically update, like Windows ME and XP, chances are the changes have already been applied and you will not have an issue.

                            Our primary problem has been with the Windows 2000 clients. The only solution we've been able to devise is to manually alter the enrollment forms to redirect users to a Help Page when there are no cryptographic providers present. This can best be accomplished in the FindProviders Providers VBscript function that populates the enrollment form.

                            Not the most elegant solution, but not a minor SNAFU on Microsoft's part either...
                            • 11. Re: No Cryptographic Provider  with Internet Explorer 6
                              807573
                              "...Each client machine uses xenroll.dll and looks for its specific class ID. If a client machine has not been updated but the server has, you will not receive an error - you simply will not get any cryptographic providers in the enrollment forms drop-down list."
                              You're quite correct. We solved this problem by adding a message in the HTML form telling the user that if the cryptographic providers list is empty, he has to install the famous Q323172 hotfix (we also added a link for downloading the patch).

                              Not the most elegant solution, too :)
                              • 12. Re: No Cryptographic Provider  with Internet Explorer 6
                                807573
                                Well,

                                <OBJECT classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1" id="IControl1"><height="0"></OBJECT>
                                <OBJECT classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1" id="IControl2"><height="0"></OBJECT>

                                Function GetIControl

                                On Error resume next
                                Dim IControl

                                Set IControl = Null

                                ' clear error queue
                                err.Number = 0

                                ' Test the latest control to see if it loaded.
                                provider = IControl1.enumProviders(0,0)
                                if err.Number = 0 then
                                ' Yes it did.
                                Set IControl = IControl1
                                else
                                ' The new control did not load. Try the old one...
                                err.Number = 0
                                provider = IControl2.enumProviders(0,0)
                                if err.Number = 0 then
                                Set IControl = IControl2
                                end if
                                end if

                                Set GetIControl = IControl

                                End Function