JoshuaHemphill asked:

Adding a ECDSA521 cert to IIS bindings crashes SChannel (renders events unviewable)

Partially a continuation from https://forums.iis.net/t/1252746.aspx?Getting+hresult+0x8007054F+error+for+any+certificates

Now that the issue has been narrowed down, I thought I'd put it someplace with a better chance of getting an actual bug report filed.

To summarize:

On Windows Server 2019, IIS v10.0, on the Default Web Site, on interface "BINDING : https *:443: "

Using TLS1.2 with an ECDSA521 SHA512 cert

The SSLDiag tool shows everything as valid for a certificate of 1.3.6.1.5.5.7.3.1 Server Authentication

The only error information I can get from SChannel is what's in its error event. Here are the highlights (see more in the linked topic):

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
     <Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
     <Correlation ActivityID="{51aa0bed-36e1-0001-4b0d-aa51e136d701}" />
     <Channel>System</Channel>
     <Computer>myserver</Computer>
     <Security UserID="S-1-5-18" />
   </System>
   <EventData>
     <Data Name="ErrorState">10018</Data>
   </EventData>
 </Event>

When turning on verbose logging in SChannel, trying to view informational messages seems to crash event viewer, with this trace:

    at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
    at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
    at System.Windows.Forms.Control.WndProcException(Exception e)
    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr wndProc, IntPtr hWnd, Int32 msg, IntPtr wParam, IntPtr lParam)
    at System.Windows.Forms.NativeWindow.DefWndProc(Message& m)
    at System.Windows.Forms.Control.WmMouseDown(Message& m, MouseButtons button, Int32 clicks)
    at System.Windows.Forms.Control.WndProc(Message& m)
    at System.Windows.Forms.TabControl.WndProc(Message& m)
    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

When trying to add the cert binding in the IIS bindings interface I get the following UI error prompt: An internal error occurred (Exception from HRESULT: 0x8007054F)
Here are the events that IIS logs:

 IIS-Configuration > Operational:
  Changes have successfully been committed to 'MACHINE/WEBROOT/APPHOST'.
  Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@sslFlags' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
  Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@bindingInformation' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
  Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@protocol' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
  Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
  Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
 IIS-Configuration > Administrative:
  Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
  Unable to find schema for config section 'system.xaml.hosting/httpHandlers'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/serviceHostingEnvironment'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
  Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.

And the SSLDiag tool results:

 Encryption test passed
 Verified Issuance Policies: None
 Verified Application Policies:
     1.3.6.1.5.5.7.3.1 Server Authentication
 Certificate is valid
    
 System Time : Thursday, April 22, 2021 11:19:09 AM Eastern Standard Time
 Processor Architecture : x64
 OS : Microsoft Windows NT 6.2.9200.0
 Microsoft Internet Information Services 10.0
     
 SERVER SSL PROTOCOLS
 PCT 1.0 : Disabled
 SSL 2.0 : Disabled
 SSL 3.0 : Disabled
 TLS 1.0 : Disabled
 SChannel EventLogging : 1 (hex)
 -----
 [W3SVC/1]
 ServerComment   : Default Web Site
 ServerAutoStart   : True
 ServerState           : Started
     
 BINDING : http *:80: 
     
 BINDING : https *:443: 

And as mentioned, all SChannel events become unreadable, so I can't get you any more SChannel events.

UPDATE:
I can now read the Schannel events, and right before the undefined error, SChannel logs something interesting:
The TLS server credential's private key has the following properties:

    CSP name: Microsoft Software Key Storage Provider
    CSP type: 0
    Key name: te-!0021WebServer-b64b9b22-aa1a-4425-9f2e-902ae3c4cada
    Key Type: N/A
    Key Flags: 0x20

Seeing as it says Key Type: N/A, could that be the cause? Does SChannel not actually support ECDSA521?
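A diagnostic added here as an example (it is not from the post or from Microsoft) that enumerates the Server Authentication certificates with private keys in the machine store and reports the CNG key metadata that the SChannel "TLS server credential's private key" event prints (provider, key name, algorithm, key usage), so the two can be compared side by side. The store path, the optional thumbprint filter and the port in the final netsh query are assumptions; it needs an elevated PowerShell session on the IIS host.

```powershell
# Added example, not part of the original post. Lists server-auth certificates that have a
# private key and shows the CNG details of any ECDSA key for comparison with the SChannel event.
param(
    [string] $StorePath  = 'Cert:\LocalMachine\My',   # assumption: IIS certs live in the machine store
    [string] $Thumbprint = ''                         # assumption: empty means "all matching certs"
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as reported by SSLDiag

Get-ChildItem -Path $StorePath | Where-Object {
    ($Thumbprint -eq '' -or $_.Thumbprint -eq $Thumbprint) -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
} | ForEach-Object {
    $cert = $_
    $info = [ordered]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha512ECDSA
        PublicKey    = $cert.PublicKey.Oid.FriendlyName
        KeyAlgorithm = $null
        KeySize      = $null
        Provider     = $null
        KeyName      = $null
        KeyUsages    = $null
    }
    try {
        # GetECDsaPrivateKey returns $null for non-EC certificates; for CNG-stored keys it
        # returns an ECDsaCng whose .Key carries the metadata SChannel logs.
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
            $k = $ecdsa.Key
            $info.KeyAlgorithm = $k.Algorithm.Algorithm   # e.g. ECDSA_P521
            $info.KeySize      = $k.KeySize               # 521 for P-521
            $info.Provider     = $k.Provider.Provider     # e.g. Microsoft Software Key Storage Provider
            $info.KeyName      = $k.KeyName               # compare with "Key name:" in the event
            $info.KeyUsages    = $k.KeyUsages             # a TLS server credential needs Signing
        } elseif ($null -eq $ecdsa) {
            $info.KeyAlgorithm = 'not ECDSA (RSA/DSA key)'
        }
    } catch {
        $info.KeyAlgorithm = "private key not accessible: $($_.Exception.Message)"
    }
    [pscustomobject]$info
} | Format-List

# What HTTP.sys actually has bound on the port (assumption: *:443 as in the IIS binding).
netsh http show sslcert ipport=0.0.0.0:443
```

If the binding never committed, the netsh query returns no entry for the port, which separates an IIS configuration failure from an SChannel credential failure at request time.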


@JoshuaHemphill The problem cannot be confirmed based on these messages; can you provide more information about this issue?


@SamWu-MSFT I've added all available debugging data. If there's some way to retrieve the corrupted SChannel events, let me know.


@JoshuaHemphill The SChannel event becomes unreadable. It may be that schannel is corrupted. You can try the following steps to solve this problem:
1. Run cmd with admin access (type cmd).
2. Type the following commands: regsvr32 schannel.dll /u, regsvr32 schannel.dll.


0 Answers