INFO: Using WinInet APIs in a System Service to access SSL sites

ID: Q190542

The information in this article applies to:

Microsoft Internet Server Application Programming Interface (API)
Internet Client SDK, versions 4.0, 4.01

SUMMARY

On machines with Internet Explorer 3.x installed, it is possible for a System Service (like an ISAPI filter) to access SSL servers using the WinInet APIs, while the same code will break on machines with Internet Explorer 4.x installed.

This is because the certificates for the SSL servers are no longer stored in the same place when Internet Explorer 4.x is installed. Internet Explorer 4.x stores the certificate information under the HKEY_CURRENT_USER hive. A System Service by default has as its HKEY_CURRENT_USER the contents of HKEY_USERS\.DEFAULT. Therefore, a System Service does not have access to the necessary certificate information to establish a secure connection. A typical error is 12045 - ERROR_INTERNET_INVALID_CA (which means the certificate authority is not recognized).

MORE INFORMATION

At this time using WININET APIs within the context of a System Service is not supported. However, an unsupported workaround is available. It should be noted that Microsoft does not support this workaround and the user must be aware that future releases of Windows NT and/or Internet Explorer may break this workaround.

The workaround requires manually copying the content of the certificate information to the System Service's HKEY_CURRENT_USER (or the equivalent thereof).

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

To use WININET for SSL connections under the context of a System Service, you must copy the contents of the following key:


   HKEY_CURRENT_USER\ 
      SOFTWARE\ 
         Microsoft\ 
            SystemCertificates\

To the following key:


   HKEY_USERS\ 
      .DEFAULT\ 
         SOFTWARE\ 
            Microsoft\ 
               SystemCertificates\

NOTE: If the machine on which WININET is being used is sitting behind a firewall or a proxy, the configuration information for these settings are also stored in the HKEY_CURRENT_USER and may need to be copied. The setting information is stored in:


   HKEY_CURRENT_USER\ 
      SOFTWARE\ 
         Microsoft\ 
            Windows\ 
               CurrentVersion\ 
                  InternetSettings\

And needs to be copied over to:


   HKEY_USER\ 
      .DEFAULT\ 
         SOFTWARE\ 
            Microsoft\ 
               Windows\ 
                  CurrentVersion\ 
                     InternetSettings\

Similarly, this workaround is not supported by Microsoft.

It may also be possible to programmatically recover from the 12045 error. For additional information, please see the following article in the Microsoft Knowledge Base:

Q182888 HOWTO: Handle Invalid Certificate Authority Error with WinInet

This article describes how to use InternetSetOption to ignore the 12045 error and resubmit the request. As with the method of copying registry entries, this is unsupported in a service; that is, it may not prevent the 12045 error or may cause a different error to be returned that cannot be recovered from.

REFERENCES

For more information, please see the MSDN Web Workshop:

http://msdn.microsoft.com/workshop/default.asp

For additional information, please see the following article in the Microsoft Knowledge Base:

Q168151 HOWTO: How to Make SSL Requests Using WinInet

Additional query words:

Keywords : kbnokeyword
Version : WINDOWS:4.0,4.01; winnt:
Platform : WINDOWS winnt
Issue type : kbinfo