PRB: Invalid Certificates Cause RDS Problems

ID: Q193096


The information in this article applies to:
  • Remote Data Service for ADO versions 1.5, 2.0, 2.1 SP2
  • Microsoft Visual Basic Professional and Enterprise Editions for Windows, versions 5.0, 6.0


SYMPTOMS

NOTE: This article assumes that you are familiar with Remote Data Services (RDS), Visual Basic, and Secure Sockets Layer (SSL).

When using Visual Basic and RDS to retrieve data from an SSL Web site, the following errors might appear:

Internet Client Error.
-or-
Internet Server Error.
The same code may run on a non-SSL Web site or through an SSL Web site using Internet Explorer.


CAUSE

This problem occurs when the SSL certificate is invalid, or when the certificate authority is unknown or not trusted.

Internet Explorer 4.0/5.0 gets past this problem by displaying the following message to the user:

The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?
If the user selects Yes, RDS functions normally. If the user selects No, the page does not load.

Visual Basic does not expose this user interface. Because of this, RDS assumes the connection is not secure and does not allow information to be exchanged. This behavior can also be seen in other languages and implementations, such as VBScript and JScript through ADO, Access 97, and so on.

This default behavior cannot be changed.


RESOLUTION

Make sure that the server certificate is valid and the certificate authority is on the list of accepted certificate authorities.

You can use the following methods to verify your certificate authorities:

If you are running Internet Explorer 4.0:

To check if the certificate authority is trusted, on the Control Panel, select Internet Options. Click the Content tab, and then select Authorities. If your particular Certificate Authority is not listed, you need to obtain and install a valid Site Certificate. Your Certificate Authority should issue this to you.

If you are running Internet Explorer 5.0:

To check if the certificate authority is trusted, on the Control Panel, select Internet Options. Click the Content tab, and then select Certificates. If your particular Certificate Authority is not listed on any of the tabs, you need to obtain and install a valid Site Certificate. Your Certificate Authority should issue this to you.

If you do not have this, nor have any means of getting this, you cannot use RDS through Visual Basic. You can still use RDS through Internet Explorer; however, every time you visit the SSL Web site, you are prompted that the certificate authority is not valid, but you are not allowed to continue.

Setting your security to Low (in Internet Options) does not prevent the error from occurring.

If you can visit the Web page without being prompted with any dialog boxes, Visual Basic should be able to make a secure RDS connection.
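The trust decision described above can also be checked without any prompt. The following PowerShell is an added example, not part of the original article; the function name Get-ChainTrustProblem, the subject CN=rds-test.example, and the commented .cer path are hypothetical, and the in-memory certificate needs .NET Framework 4.7.2 or later.

```powershell
# Added example: report why Windows does not trust a certificate chain.
# A prompt-less client has no way to override any problem listed here.
function Get-ChainTrustProblem {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation lookups need network access; skip them so only trust is tested.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    try {
        $trusted = $chain.Build($Certificate)
        [pscustomobject]@{
            Subject  = $Certificate.Subject
            Issuer   = $Certificate.Issuer
            Trusted  = $trusted
            Problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
    } finally {
        $chain.Dispose()
    }
}

# Constructed sample input: a throwaway self-signed certificate created in memory.
# It is not added to any certificate store, so it stands in for a server
# certificate whose issuing authority is missing from the trusted list.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=rds-test.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$cert = $request.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))

Get-ChainTrustProblem -Certificate $cert | Format-List

# To test the real server certificate, export it to a .cer file and load that
# instead (hypothetical path):
# $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\server.cer'
# Get-ChainTrustProblem -Certificate $server | Format-List
```

A certificate whose authority is on the trusted list reports Trusted as True with an empty Problems list; any other result is a condition that Internet Explorer would turn into a prompt and that RDS from Visual Basic treats as a failed connection.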


STATUS

This behavior is by design.


MORE INFORMATION

Steps to Reproduce Behavior

  1. Configure your Internet Information Server (IIS) for SSL. For instructions on how to do this, search for "Setting Up SSL on Your Server" in the IIS Help.


  2. Remove the certificate authority that provided you with your valid SSL Certificate from the list of Certificate Authorities. If you are running Internet Explorer 4.0, on the Control Panel, select Internet Options. Click the Content tab, and then select Authorities to find the Authority that issued your Certificate. Clear the Authority check box. Do not delete the authority. If you are using Internet Explorer 5.0, on the Control Panel, select Internet Options. Click the Content tab, and then select Certificates. Look through the tabs for the Authority that issued your certificate. For this test you need to export that Authority and then delete that Authority from the list. You can import the Authority back in once this test is complete. If your authority is not listed, then you must obtain and install the credentials from your authority. Your Certificate Authority can provide you with documentation on how this is done.

    If you want to install Microsoft Certificate Server as your Certificate Authority, please follow the instructions closely because missing one step causes errors. Pay special attention to the "Certificate Authority Certificate List Web Page."


  3. Use your Web browser to view any secured Web page on your Web site. A warning message should appear stating that the Web browser cannot verify this site. You may continue by selecting Yes.


  4. Create a Visual Basic program that creates an RDS connection to your Web server. You may use the following code as a template:

          Option Explicit

          Private Sub Form_Load()

              Dim DataSpace As Object
              Dim DataFactory As Object
              Dim SecuredDataFactory As Object

              Dim rsData As Object

              'Create the client-side object that hands out server proxies.
              Set DataSpace = CreateObject("RDS.DataSpace")

              'Proxy over plain HTTP.
              Set DataFactory = DataSpace.CreateObject _
                  ("RDSServer.DataFactory", "http://localhost")

              'This should work when the client certificate is
              'installed and running.
              Set SecuredDataFactory = DataSpace.CreateObject _
                  ("RDSServer.DataFactory", "https://localhost")

              'The DSN should have been installed by MDAC.
              'It is a DSN pointing to the Northwind database.
              Set rsData = DataFactory.Query _
                  ("DSN=AdvWorks", "SELECT * FROM ORDERS")

              'Same query over SSL; this is the call that fails when the
              'certificate authority is not trusted.
              Set rsData = SecuredDataFactory.Query _
                  ("DSN=AdvWorks", "SELECT * FROM ORDERS")

          End Sub

  5. Run the program. The DataFactory query should work. The SecuredDataFactory query should not work. It should return the following error:

    Internet Client Error.
    -or-
    Internet Server Error.

  6. Now add the Certificate Authority Client Certificate. If you are using Internet Explorer 4.0 and the certificate is already installed, on the Control Panel, select Internet Options. Click the Content tab, and then select Authorities to locate the certificate. Make sure the certificate is selected. If you are using Internet Explorer 5.0, on the Control Panel, select Internet Options. Click the Content tab, and then select Certificates. Choose the Import function and point it to the client certificate that you exported in step 2.

    If the certificate is not installed, run the certificate file given to you by the certificate authority. You can do this by locating the file in Explorer. Select the file to execute it. It should install automatically. If you are using Microsoft Certificate Server as the certificate authority, you may go to the following location to install your certificate:

    http://localhost/CertSrv/CertEnroll/cacerts.htm

  7. Run the program in step 4 again. The program should now execute without the error.



REFERENCES

For additional information about installing certificates, please see the following article in the Microsoft Knowledge Base:

Q171084 How to Install a Certificate


(c) Microsoft Corporation 1999, All Rights Reserved. Contributions by Johnathan Johnson, Microsoft Corporation.

Keywords : kbDatabase kbInternet kbRDS kbRDS150 kbRDS200 kbSecurity kbVBp600 kbGrpVBDB kbGrpMDAC kbDSupport kbRDS210SP2 kbMDAC210SP2
Version : WINDOWS:1.5,2.0,2.1 SP2,5.0,6.0
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: November 11, 1999
© 2000 Microsoft Corporation. All rights reserved.