problem: SSL certificate associated with website in IIS changes upon reboot

on 09.03.2006 03:09:59 by sasha

Hi Folks,

We have a Dell Powervault 745N running Windows 2003 standard, SP1. We
have generated and installed an SSL certificate from rapidssl
(geotrust) in IIS and it works ok.

However, upon reboot, when we check the IIS certificate settings in the
virtual directory, we can see that IIS is once again using the old,
machine certificate.

Restarting IIS does not cause the behaviour - only a reboot. I checked
the publicly-signed CA in the machine's certificate manager and it looks
ok. No error messages in the event log either. I can't find any mention
of this specific problem on any newsgroups or related websites.

The IIS metabase is working ok otherwise - does not appear to be
corrupt as other settings I change seem to stay as part of the config.

Weird. Any ideas?

tx, Sasha

Re: problem: SSL certificate associated with website in IIS changes upon reboot

on 10.03.2006 05:04:16 by Ken Schaefer

Can you shutdown IIS, and verify in the metabase.xml file that the correct
certificate is there?

I believe that the SSLCertHash property in the metabase should match the
Thumbprint attribute of the certificate in question. If that's set/saved
correctly into the metabase, then something must be changing it on startup.
You can enable metabase auditing to help you track that down:
http://www.adopenstatic.com/faq/IISMetabaseAuditing.aspx

Alternatively, if the value is not correct, then perhaps the changes in the
IIS Manager are not being persisted to the actual on-disk metabase (only to
the in-memory copy), and that's a different problem we need to tackle :-)

Cheers
Ken


Re: problem: SSL certificate associated with website in IIS changes upon reboot

on 10.03.2006 22:09:33 by sasha

Great tips!

I checked the SSLCertHash in the metabase before rebooting and the
value in the metabase file matched the value in the SSL certificate. I
enabled auditing per your instructions and sure enough, after the
reboot, there is a security event logged noting the value has changed.
Now that we have confirmed the value is being changed on boot, what is
the next step?

Caller PID 2776 does not appear in the process list in task manager
after the server has completed startup. AFAIK taskcord.exe is the server
appliance task coordinator... assuming it handles startup tasks of some
sort.

-------------------------------------------------------------------------------------------
Primary User Name: SYSTEM
Primary User Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value:
84 37 c2 d0 61 24 7f 47 67 f7 24 84 b9 1e fe 13
4b a8 a6 66
New Value:
d7 48 f1 ba 6b af 64 27 fc cd 54 2e 0c 4e 59 b9
4b ff 6b 6f
Caller PID: 2776
Caller Image Path:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\WINDOWS\system32\ServerAppliance\taskcord.exe
Result: 0x0
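Ken's metabase check and the audit event Sasha posted, as an added example that is not part of the thread: a small Python checker that reads the SSLCertHash bound to a site in metabase.xml, folds a metabase audit event body into fields, and flags when the property moved away from the thumbprint of the certificate you installed. The metabase fragment and the event text are constructed to mirror the values above; the metabase.xml attribute layout (binary properties as space-separated hex bytes) is assumed from IIS 6's on-disk format.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: trimmed IIS 6 metabase.xml (binary props as spaced hex bytes).
METABASE_XML = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty><IIsWebServer Location="/LM/W3SVC/6633" SSLStoreName="MY"
  SSLCertHash="84 37 c2 d0 61 24 7f 47 67 f7 24 84 b9 1e fe 13 4b a8 a6 66" />
</MBProperty></configuration>"""

# Constructed sample: a metabase audit event body in the layout quoted above.
AUDIT_EVENT = r"""Path: /LM/W3SVC/6633
Property Name: SSLCertHash
Old Value:
84 37 c2 d0 61 24 7f 47 67 f7 24 84 b9 1e fe 13
4b a8 a6 66
New Value:
d7 48 f1 ba 6b af 64 27 fc cd 54 2e 0c 4e 59 b9 4b ff 6b 6f
Caller Image Path:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\WINDOWS\system32\ServerAppliance\taskcord.exe"""

def normalize_hash(value):
    # Lower-case hex, separators dropped, so metabase and Thumbprint forms match.
    return re.sub(r"[^0-9a-f]", "", value.lower())

def metabase_cert_hash(xml_text, location):
    # Normalized SSLCertHash bound at a metabase path, or None if none is set.
    for elem in ET.fromstring(xml_text).iter():
        if elem.get("Location") == location and elem.get("SSLCertHash"):
            return normalize_hash(elem.get("SSLCertHash"))
    return None

def parse_audit_event(text):
    # Fold "Name: value" lines; a value may continue on the following lines.
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif key:
            fields[key] = (fields[key] + " " + line.strip()).strip()
    return fields

def cert_reverted(event, expected_thumbprint):
    # True when SSLCertHash moved away from our cert; Caller Image Path says who did it.
    if event.get("Property Name") != "SSLCertHash":
        return False
    want = normalize_hash(expected_thumbprint)
    return (normalize_hash(event.get("Old Value", "")) == want
            and normalize_hash(event.get("New Value", "")) != want)
```

Run the same check against the real metabase.xml (with IIS stopped, as Ken suggests) and against each audit event after a reboot; the caller image path in a flagged event is the process to investigate.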

Re: problem: SSL certificate associated with website in IIS changes upon reboot

on 11.03.2006 07:41:26 by Ken Schaefer

Hi,

OK, we seem to be making some progress here. You probably won't see the PID
in the process list, as I suspect that this exe runs at startup, does
various tasks and then quits when done. Also, this .exe doesn't appear in
standard Win2k3 - only it seems in certain Win2k3 builds (such as storage
server I suspect).

I found some info here that might match taskcord.exe:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sakSDK/sak_server_appliance_tasks.asp

If you go to the web interface, do you see any tasks defined that might be
changing the SSL cert?

Otherwise, if you have a look in the registry under:
HKLM\Software\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\
(if that key exists), do you see anything incriminating there?

Cheers
Ken


Re: problem: SSL certificate associated with website in IIS changes upon reboot

on 13.03.2006 20:44:41 by sasha

Thanks for the suggestion.

There are no tasks in the web interface (there used to be one listed,
but it disappeared after I installed the third-party cert a while
back).

I took a look in the regkey you suggested and found an entry called
"SelfSignCert.SelfSignCert.1" under the ApplianceInitializationTask
subkey. I removed it, rebooted, but still have the same issue. Here is
a dump of that Microsoft_SA_Task regkey.

---------------------------------------------------------------------------------------------

Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name:
Type: REG_SZ
Data:


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\ApplianceInitializationTask
Class Name:
Last Write Time: 3/14/2006 - 3:27 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskName
Type: REG_SZ
Data: ApplianceInitializationTask

Value 3
Name: TaskExecutables
Type: REG_SZ
Data: ServerAppliance.SAGenTask.1 SetDateTime.DateTime.1
SetAlertEmail.AlertEmail.1 ServerAppliance.SAAlertBootTask.1


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\ApplianceShutdownTask
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data: ServerAppliance.SAShutdownTask.1

Value 3
Name: TaskName
Type: REG_SZ
Data: ApplianceShutdownTask


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\ChangeLanguage
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data: ServerAppliance.LocalizationManagerTasks.1

Value 3
Name: TaskName
Type: REG_SZ
Data: ChangeLanguage


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\EveryBootTask
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data:

Value 3
Name: TaskName
Type: REG_SZ
Data: EveryBootTask


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\FirstBootTask
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data:

Value 3
Name: TaskName
Type: REG_SZ
Data: FirstBootTask


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\SecondBootTask
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data:

Value 3
Name: TaskName
Type: REG_SZ
Data: SecondBootTask


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\SetAlertEmail
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: CanDisable
Type: REG_DWORD
Data: 0

Value 1
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 2
Name: TaskExecutables
Type: REG_SZ
Data: SetAlertEmail.AlertEmail.1

Value 3
Name: TaskName
Type: REG_SZ
Data: SetAlertEmail


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\SetDateTime
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: TaskName
Type: REG_SZ
Data: SetDateTime

Value 1
Name: TaskExecutables
Type: REG_SZ
Data: SetDateTime.DateTime.1

Value 2
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 3
Name: CanDisable
Type: REG_DWORD
Data: 0


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task\SetTimeZone
Class Name:
Last Write Time: 1/22/2006 - 10:55 AM
Value 0
Name: TaskName
Type: REG_SZ
Data: SetTimeZone

Value 1
Name: TaskExecutables
Type: REG_SZ
Data: SetDateTime.DateTime.1

Value 2
Name: IsEnabled
Type: REG_DWORD
Data: 0x1

Value 3
Name: CanDisable
Type: REG_DWORD
Data: 0

Re: problem: SSL certificate associated with website in IIS changes upon reboot

on 13.03.2006 22:49:44 by sasha

Scratch my last comment - deleting that entry worked! On reboot, the
SSL certificate listed in IIS did not revert. Thanks kindly, Sasha