Users can't access secure websites with Windows 2000....

Hello Experts!

I'm having some trouble with Internet Explorer. Basically, what is happening is that for sites with SSL (https://) I'm getting a "page cannot be displayed" error with Windows 2000.

All other websites work fine. And I suspect that this is some kind of permissions issue because the same site works when IE is run as administrator on the very same machine.

I've tried various things...deleting internet history, deleting SSL certificates from within Internet Explorer. Another hint is that recently I completed an unorthodox Active Directory domain migration - that is, I took the old domain out before migrating the users to the new domain and I didn't use any tools to migrate the users (like ADMT).

So, the question is how do I allow my users to access secure sites?


-neo
neomage23 asked:

Asta Cu, Technical consultant & graphic design, commented:
How current are they and Windows with WindowsUpdate both for Windows 2000 and IE?

Any Firewalls involved?  Tried setting IE to the defaults to test?  
0
Asta Cu, Technical consultant & graphic design, commented:
You receive a "Page cannot be displayed" error message when you try to access a site by using HTTPS
http://support.microsoft.com/default.aspx?scid=kb;en-us;824035

Internet Explorer 6 Update: Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
This update fixes an issue when Internet Explorer 6 tries to POST data, GET data or set up an HTTPS connection with the connect command, Internet Explorer generates an error message that indicates that the page could not be displayed.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2d7b2f19-0d79-43e1-9b0b-671c7e5e33d8&displaylang=en

0
Asta Cu, Technical consultant & graphic design, commented:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f7244df-3bd7-48b3-a19e-3dcadf913045&displaylang=en
Page Cannot Be Displayed Error During SSL 3.0 Server Session Timeout
http://support.microsoft.com/default.aspx?scid=kb;en-us;305217
and many other possibilities here....
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=windows+2000+https+page+cannot+be+displayed

Will check back in the morning when time permits to see if this has helped you or if more is needed.

Best wishes,
":0) Asta
0

neomage23 (Author) commented:
asta...

Thanks for trying but your links aren't providing help. :(

I've abandoned this question in favor of a question that I think describes the problem better....

http://www.experts-exchange.com/Security/Win_Security/Q_21200206.html

-neomage
0
Asta Cu, Technical consultant & graphic design, commented:
Sorry it didn't help, wish I had more time; swamped and up to my earlobes in issues and just recovering from a 2 month injury so somewhat "diminished".  I sure do hope that the solution is found for you.  I'll check back when things settle down a bit and keep my thinking cap on.  Asta
0
Asta Cu, Technical consultant & graphic design, commented:
Creating new Users doesn't help?
0
neomage23 (Author) commented:
Asta...

The users are actually new, this is a new domain...the trouble is with the profile and SSL certificates. When I manually copied over the old profile, I had no idea what was involved as far as the registry, and as far as certificates.

The answer to your question is "yes": if PersonA @ ComputerA logs on as PersonA @ ComputerB then there isn't an issue with accessing secure sites, BUT they don't have their profile available either.

The trouble happens when I copy the old profile and the old registry settings...suddenly the certificates become invalid AND WHAT'S WORSE is that the user loses all ability to interface with the Certificate Store. They can't create new private keys, etc. I believe that the solution is there with the certificate store. If I could alter access to the store then I could fix the problem.

I ended up contacting Microsoft about the issue.

0
Asta Cu, Technical consultant & graphic design, commented:
Thanks, Neo.  I can't believe the Certificate settings can't be migrated, but then, you'd know best from your awful experiences; and hope that MS gets you what you need quickly.  Shall I request a PAQ Refund for you, or do you want to do this directly here?  

http://www.experts-exchange.com/Community_Support/askQuestion.jsp

If you'd like, I could try a bit more research, though I suspect you've done all that already.

Best wishes on your pursuit, Neo.

":0) Asta
0
Asta Cu, Technical consultant & graphic design, commented:
Before I saw your last response, got excited when I saw this and thought it might shed some light, though O2003 related; but saw it as hopeful.
Outlook 2003 continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure
http://support.microsoft.com/default.aspx?scid=kb;en-us;822504
Deploying Internet Information Services (IIS) 6.0
 Export a Server Certificate
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/iisdg_dep_wlac.asp
0
neomage23 (Author) commented:
Closer...but still not enough...

I tried to export then import the Certificates...but the user still can't access the store.

I'll let you know what MS say, and leave the question open so I can post the answer here. Then, I'll refund.

-neo
0
Asta Cu, Technical consultant & graphic design, commented:
Sounds good, -neo.  
0
Asta Cu, Technical consultant & graphic design, commented:
Although this is not directly related to your situation; may be somewhat a player in all of this due to the problems group policy settings and migrations ....  this was related to another issue, but was a surprise to me and thought "maybe".
In Group Policy Editor, when you modify the Internet Explorer Maintenance policy by selecting Import The Current Connection Settings, Import The Current Security Zones Settings, Import the Current Content Ratings Settings, or Import Current Authenticode Security Information your current settings may seem to have been changed or lost.
http://support.microsoft.com/default.aspx?scid=kb;en-us;277558
The "Security Zones: Use Only Machine" Group Policy Setting Does Not Apply to Privacy (Cookie) Settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;825684
0
neomage23 (Author) commented:
Asta!

I ended up contacting Microsoft support and I stumped even them for three days. It was $99 for the support ticket, but I beat the tech to the solution so I got my money refunded.

Here is the solution for anyone reading this:

IF (if and only if) you try to do a manual domain migration of user profiles and you do not use the tools provided by MS (like Active Directory Migration Tool, or Profiles in System Properties BEFORE the migration) ....

AND afterwards you are having problems with permissions, access, or certificates, then:

1. Reboot the computer
2. Log on as Administrator
3. Load the users' NTUSER.DAT Hive into the registry.
4. Go to the permissions...
5. Make sure the user is in there with full control
6. Click advanced, and select the user
7. Click "Replace Permissions"

Once the permissions are replaced everything works out just fine.


-neo
0
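Steps 3 to 7 of the solution above can also be checked and applied from a script. The following PowerShell script is an added example, not part of the original post: it assumes a Windows version that ships PowerShell, an elevated session, and that the affected user is logged off. `$HivePath`, `$Account` and the mount name `TempProfileHive` are placeholders.

```powershell
# Added example: audit and repair the ACL on a user's NTUSER.DAT hive.
param(
    [Parameter(Mandatory)] [string] $HivePath,  # full path to the user's NTUSER.DAT
    [Parameter(Mandatory)] [string] $Account    # new-domain account, e.g. 'NEWDOMAIN\PersonA' (placeholder)
)

$mount = 'TempProfileHive'   # temporary key name under HKEY_USERS (placeholder)
$full  = [System.Security.AccessControl.RegistryRights]::FullControl

# Step 3: load the hive into the registry
reg.exe load "HKU\$mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $key = "Registry::HKEY_USERS\$mount"
    $acl = Get-Acl -Path $key

    # Steps 4-5: list the current entries. After a manual migration, entries
    # for the old-domain account typically show as raw SIDs (S-1-5-21-...)
    # because they no longer resolve to a name.
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    }

    if (-not $hasFull) {
        # Steps 5-7: grant the account Full Control with an ACE that subkeys inherit.
        # Subkeys whose ACL has inheritance disabled are not changed by this and
        # still need the GUI "replace permissions" step or separate handling.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
        Write-Output "Granted FullControl on the hive root to $Account"
    }
    else {
        Write-Output "$Account already has FullControl on the hive root"
    }
}
finally {
    [gc]::Collect()   # release open key handles so the unload can succeed
    reg.exe unload "HKU\$mount" | Out-Null
}
```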
Asta Cu, Technical consultant & graphic design, commented:
-neo  -->  YAY!  Brilliant, thanks for sharing the detailed solution.  Thrilled you got the $99 back as well.  Just request a Refund/PAQ here....
http://www.experts-exchange.com/Community_Support/askQuestion.jsp

This will likely be invaluable to others as well.

Best wishes to you; sorry I couldn't help you with this directly.
":0) Asta
0
modulo commented:
PAQed with points refunded (500)

modulo
Community Support Moderator
0
