[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Users can't access secure websites with windows 2000....

Posted on 2004-11-08
16
Medium Priority
?
237 Views
Last Modified: 2008-03-06
Hello Experts!

I'm having some trouble with internet explorer. Basically, what is happening is that for sites with SSL (https://) I'm getting a "page cannot be displayed' error with windows 2000.

All other websites work fine. And I suspect that this is some kind of permissions issues because the same site works when IE is run as administrator on the very same machine.

I've tried various things...deleting internet history, deleting SSL certificates from within Internet Explorer. Another hint is that recently I completed an unorthodox active directory domain migration -that is, I took the old domain out before migrating the users to the new domain and I didn't use any tools to migrate the users (like ADMT).

So, the question is how do I allow my users to access secure sites?


-neo
0
Comment
Question by:neomage23
  • 10
  • 4
15 Comments
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12529829
How current are they and Windows with WindowsUpdate both for Windows 2000 and IE?

Any Firewalls involved?  Tried setting IE to the defaults to test?  
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12529841
You receive a "Page cannot be displayed" error message when you try to access a site by using HTTPS
http://support.microsoft.com/default.aspx?scid=kb;en-us;824035

Internet Explorer 6 Update: Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
This update fixes an issue when Internet Explorer 6 tries to POST data, GET data or set up an HTTPS connection with the connect command, Internet Explorer generates an error message that indicates that the page could not be displayed.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2d7b2f19-0d79-43e1-9b0b-671c7e5e33d8&displaylang=en

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12529851
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f7244df-3bd7-48b3-a19e-3dcadf913045&displaylang=en
Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
http://support.microsoft.com/default.aspx?scid=kb;en-us;305217
and many other possibilities here....
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=windows+2000+https+page+cannot+be+displayed

Will check back in the morning when time permits to see if this has helped you or if more is needed.

Best wishes,
":0) Asta
0
Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

 
LVL 6

Author Comment

by:neomage23
ID: 12535084
asta...

Thanks for trying but your links aren't providing help. :(

I've abandoned this question in favor of a question that i think describes the problem better....

http://www.experts-exchange.com/Security/Win_Security/Q_21200206.html

-neomage
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12539939
Sorry it didn't help, wish I had more time; swamped and up to my earlobes in issues and just recovering from a 2 month injury so somewhat "diminished".  I sure do hope that the solution is found for you.  I'll check back when things settle down a bit and keep my thinking cap on.  Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12539962
Creating new Users doesn't help?
0
 
LVL 6

Author Comment

by:neomage23
ID: 12540097
Asta...

The users are actually new, this is new domain...the trouble is with the profile and SSL certificates. When I manually copied over the old profile, I had no idea what was involved as far as the registry, and as far as certificates.

The answer to your question is "yes" if PersonA @ ComputerA  logs on as PersonA @ COmputerB then there isn't an issue with accessing secure sites, BUT they don't have thier profile available either.

The trouble happens when I copy the old profile and the old registry settings...suddenly the certificates become invalid AND WHAT"S WORSE is that the user loses all ability to interface with the Certificate Store. They can't create new private keys, etc. I believe that the solution is there with the certificate store. If I could alter access to the store then I could fix the problem.

I ended up contact microsoft about the issue.

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12540238
Thanks, Neo.  I can't believe the Certificate settings can't be migrated, but then, you'd know best from your awful experiences; and hope that MS gets you what you need quickly.  Shall I request a PAQ Refund for you, or do you want to do this directly here?  

http://www.experts-exchange.com/Community_Support/askQuestion.jsp

If you'd like, I could try a bit more research, though I suspect you've done all that already.

Best wishes on your pursuit, Neo.

":0) Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12540263
Before I saw your last response, got excited when I saw this and thought it might shed some light, though O2003 related; but saw it as hopeful.
Outlook 2003 continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure
http://support.microsoft.com/default.aspx?scid=kb;en-us;822504
Deploying Internet Information Services (IIS) 6.0
 Export a Server Certificate
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/iisdg_dep_wlac.asp
0
 
LVL 6

Author Comment

by:neomage23
ID: 12541639
Closer...but still not enough...

I tried to export then import the Certificates...but the user still can't access the store.

I'll let you know what MS say, and leave the question open so I can post the answer here. Then, I'll refund.

-neo
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12544064
Sounds good, -neo.  
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12545313
Although this is not directly related to your situation; may be somewhat a player in all of this due to the problems group policy settings and migrations ....  this was related to another issue, but was a surprise to me and thought "maybe".
In Group Policy Editor, when you modify the Internet Explorer Maintenance policy by selecting Import The Current Connection Settings, Import The Current Security Zones Settings, Import the Current Content Ratings Settings, or Import Current Authenticode Security Information your current settings may seem to have been changed or lost.
http://support.microsoft.com/default.aspx?scid=kb;en-us;277558
The "Security Zones: Use Only Machine" Group Policy Setting Does Not Apply to Privacy (Cookie) Settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;825684
0
 
LVL 6

Author Comment

by:neomage23
ID: 12619357
Asta!

I ended up contacting Microsoft support and I stumped even them for three days. It was $99 for the support ticket, but beat the tech to the solution so I got my money refunded.

Here is the solution for anyone reading this:

IF (if and only if) you try to do a manual domain migration of user profiles and you do not use the tools provided by MS (like Active Directory Migration Tool, or Profiles in System Properties BEFORE the migration) ....

AND afterwards you are having problems with permissions, access, or certificates, then:

1. Reboot the computer
2. Log on as Administrator
3. Load the users' NTUSER.DAT Hive into the registry.
4. Go to the permissions...
5. Make sure the user is in there with full control
6. Click advanced, and select the user
7. Click "Replace Permissions"

Once the permissions are replaced everything works out just fine.


-neo
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12626263
-neo  -->  YAY!  Brilliant, thanks for sharing the detailed solution.  Thrilled you got the $99 back as well.  Just request a Refund/PAQ here....
http://www.experts-exchange.com/Community_Support/askQuestion.jsp

This will likely be invaluable to others as well.

Best wishes to you; sorry I couldn't help you with this directly.
":0) Asta
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12857602
PAQed with points refunded (500)

modulo
Community Support Moderator
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Bada platform is becoming more and more famous this days and people talking about same. Some friends included those who have bada OS mobile asked me "what is bada?"and "what its features?". That encouraged me to research and write this article. [st…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…
Suggested Courses
Course of the Month18 days, 15 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question