neomage23 asked:

Users can't access secure websites with windows 2000....

Hello Experts!

I'm having some trouble with Internet Explorer. Basically, what is happening is that for sites with SSL (https://) I'm getting a "page cannot be displayed" error with Windows 2000.

All other websites work fine. And I suspect that this is some kind of permissions issue because the same site works when IE is run as administrator on the very same machine.

I've tried various things...deleting internet history, deleting SSL certificates from within Internet Explorer. Another hint is that recently I completed an unorthodox Active Directory domain migration - that is, I took the old domain out before migrating the users to the new domain and I didn't use any tools to migrate the users (like ADMT).

So, the question is how do I allow my users to access secure sites?


-neo
Asta Cu

How current are they and Windows with WindowsUpdate both for Windows 2000 and IE?

Any Firewalls involved?  Tried setting IE to the defaults to test?  
You receive a "Page cannot be displayed" error message when you try to access a site by using HTTPS
http://support.microsoft.com/default.aspx?scid=kb;en-us;824035

Internet Explorer 6 Update: Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
This update fixes an issue when Internet Explorer 6 tries to POST data, GET data or set up an HTTPS connection with the connect command, Internet Explorer generates an error message that indicates that the page could not be displayed.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2d7b2f19-0d79-43e1-9b0b-671c7e5e33d8&displaylang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=6f7244df-3bd7-48b3-a19e-3dcadf913045&displaylang=en
Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
http://support.microsoft.com/default.aspx?scid=kb;en-us;305217
and many other possibilities here....
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=windows+2000+https+page+cannot+be+displayed

Will check back in the morning when time permits to see if this has helped you or if more is needed.

Best wishes,
":0) Asta
neomage23 (ASKER)

asta...

Thanks for trying but your links aren't providing help. :(

I've abandoned this question in favor of a question that I think describes the problem better....

https://www.experts-exchange.com/questions/21200206/More-weird-security-issues-after-manual-domain-migration.html

-neomage
Sorry it didn't help, wish I had more time; swamped and up to my earlobes in issues and just recovering from a 2 month injury so somewhat "diminished".  I sure do hope that the solution is found for you.  I'll check back when things settle down a bit and keep my thinking cap on.  Asta
Creating new Users doesn't help?
Asta...

The users are actually new, this is new domain...the trouble is with the profile and SSL certificates. When I manually copied over the old profile, I had no idea what was involved as far as the registry, and as far as certificates.

The answer to your question is "yes" if PersonA @ ComputerA logs on as PersonA @ ComputerB then there isn't an issue with accessing secure sites, BUT they don't have their profile available either.

The trouble happens when I copy the old profile and the old registry settings...suddenly the certificates become invalid AND WHAT'S WORSE is that the user loses all ability to interface with the Certificate Store. They can't create new private keys, etc. I believe that the solution is there with the certificate store. If I could alter access to the store then I could fix the problem.

I ended up contacting Microsoft about the issue.

Thanks, Neo.  I can't believe the Certificate settings can't be migrated, but then, you'd know best from your awful experiences; and hope that MS gets you what you need quickly.  Shall I request a PAQ Refund for you, or do you want to do this directly here?  

https://www.experts-exchange.com/Community_Support/askQuestion.jsp

If you'd like, I could try a bit more research, though I suspect you've done all that already.

Best wishes on your pursuit, Neo.

":0) Asta
Before I saw your last response, got excited when I saw this and thought it might shed some light, though O2003 related; but saw it as hopeful.
Outlook 2003 continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure
http://support.microsoft.com/default.aspx?scid=kb;en-us;822504
Deploying Internet Information Services (IIS) 6.0
 Export a Server Certificate
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/iisdg_dep_wlac.asp
Closer...but still not enough...

I tried to export then import the Certificates...but the user still can't access the store.

I'll let you know what MS say, and leave the question open so I can post the answer here. Then, I'll refund.

-neo
Sounds good, -neo.  
Although this is not directly related to your situation; may be somewhat a player in all of this due to the problems group policy settings and migrations ....  this was related to another issue, but was a surprise to me and thought "maybe".
In Group Policy Editor, when you modify the Internet Explorer Maintenance policy by selecting Import The Current Connection Settings, Import The Current Security Zones Settings, Import the Current Content Ratings Settings, or Import Current Authenticode Security Information your current settings may seem to have been changed or lost.
http://support.microsoft.com/default.aspx?scid=kb;en-us;277558
The "Security Zones: Use Only Machine" Group Policy Setting Does Not Apply to Privacy (Cookie) Settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;825684
Asta!

I ended up contacting Microsoft support and I stumped even them for three days. It was $99 for the support ticket, but I beat the tech to the solution so I got my money refunded.

Here is the solution for anyone reading this:

IF (if and only if) you try to do a manual domain migration of user profiles and you do not use the tools provided by MS (like Active Directory Migration Tool, or Profiles in System Properties BEFORE the migration) ....

AND afterwards you are having problems with permissions, access, or certificates, then:

1. Reboot the computer
2. Log on as Administrator
3. Load the users' NTUSER.DAT Hive into the registry.
4. Go to the permissions...
5. Make sure the user is in there with full control
6. Click advanced, and select the user
7. Click "Replace Permissions"

Once the permissions are replaced everything works out just fine.


-neo
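
Before replacing permissions as in the steps above, the ACLs inside the loaded hive can be inspected read-only. The following PowerShell sketch is an added example, not part of neo's post or of Microsoft's guidance. It assumes an elevated prompt on a Windows machine that has PowerShell and can resolve the new domain account, that the user is logged off, and that the hive path, account name, and temporary key name `AuditHive` are placeholders.

```powershell
# Added example: read-only audit of the ACLs inside a user's NTUSER.DAT hive.
# Assumptions (not from the thread): elevated prompt, user logged off,
# PowerShell available; the path and account below are placeholders.
param(
    [string]$HiveFile = 'C:\Documents and Settings\jdoe\NTUSER.DAT',  # placeholder
    [string]$Account  = 'NEWDOMAIN\jdoe',                             # placeholder
    [int]$MaxDepth    = 2                                             # how deep to walk
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$userSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType).Value

function Test-KeyAcl($Key, $Depth) {
    $rules = $Key.GetAccessControl().GetAccessRules($true, $true, $sidType)
    $ok = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $userSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.RegistryRights -band $full) -eq $full) { $ok = $true }
        # A SID that no longer resolves to a name usually belongs to the old domain.
        try   { [void]$r.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
        catch { "STALE SID  $($Key.Name)  $($r.IdentityReference.Value)" }
    }
    if (-not $ok) { "NO FULL CONTROL for $Account  $($Key.Name)" }
    if ($Depth -lt $MaxDepth) {
        foreach ($name in $Key.GetSubKeyNames()) {
            try   { $sub = $Key.OpenSubKey($name) }
            catch { "ACCESS DENIED  $($Key.Name)\$name"; continue }
            if ($sub) { Test-KeyAcl $sub ($Depth + 1); $sub.Close() }
        }
    }
}

$mount = 'AuditHive'   # temporary key name under HKEY_USERS
& reg.exe load "HKU\$mount" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (is the user still logged on?)" }
try {
    $root = [Microsoft.Win32.Registry]::Users.OpenSubKey($mount)
    Test-KeyAcl $root 0
    $root.Close()
}
finally {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release handles before unload
    & reg.exe unload "HKU\$mount" | Out-Null
}
```

Lines reporting `NO FULL CONTROL` or `STALE SID` mark the keys where the migrated account is missing from the ACL; an empty result means the hive's permissions already match the new account down to the chosen depth.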
-neo  -->  YAY!  Brilliant, thanks for sharing the detailed solution.  Thrilled you got the $99 back as well.  Just request a Refund/PAQ here....
https://www.experts-exchange.com/Community_Support/askQuestion.jsp

This will likely be invaluable to others as well.

Best wishes to you; sorry I couldn't help you with this directly.
":0) Asta