Unable to Download 128-Bit Encryption Software from Microsoft

ID: Q175565

The information in this article applies to:
  • Microsoft Internet Explorer versions 3.02, 4.0, 4.01, 4.01 Service Pack 1, 5 for Windows 95
  • Microsoft Internet Explorer versions 3.02, 4.0, 4.01, 4.01 Service Pack 1, 5 for Windows NT 4.0
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
  • Microsoft Internet Explorer versions 3.03 Service Pack 1, 4.0, 4.01, 5 for Windows 3.1
  • Microsoft Internet Explorer versions 3.03 Service Pack 1, 4.0, 4.01, 5 for Windows NT 3.51
  • Microsoft Internet Explorer versions 4.01, 5 for UNIX on HPUX
  • Microsoft Internet Explorer versions 4.01, 5 for UNIX on Sun Solaris
  • Microsoft Internet Explorer versions 3.01a, 4.0, 4.01, 4.5 for Macintosh
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 95
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0

SYMPTOMS

When you try to download software from Microsoft that includes 128-bit encryption, you may receive one of the following error messages:

Your computer does not have a Domain Name Service registered for it. We are unable to determine the physical location of your computer. You should contact your system administrator to find out why a DNS entry is not registered for your IP address. A DNS entry is a requirement for downloads at this time.
The verification process has failed for the following reason: (no reason is given).
Command timed out. Please try again later.
Couldn't find a domain name for the specified IP address. Please try again. If the problem persists please contact your service provider.
Couldn't find the product identifier you specified.
Encountered an improperly formatted domain name. Please try again. If the problem persists please contact your service provider.
Encountered an invalid or missing IP address. Please try again. If the problem persists please contact your service provider.
Failed to download specified file.
Failed to find a match for the specified domain. Please try again. If the problem persists please contact your service provider.
Failed to retrieve second level domain. Please try again. If the problem persists please contact your service provider.
Failed to retrieve top level domain. Please try again. If the problem persists please contact your service provider.
Failed to verify IP address for unknown reason. Please try again later.
Failed to verify the physical location of your computer. Due to restrictions prohibiting export of 128 bit enabled software, the physical location of your computer must be verifiable.
No DNS entry for requested IP address. Please try again. If the problem persists please contact your service provider.
The WHOIS query timed out. Please try again later. Please try again. If the problem persists please contact your service provider.
Unknown IP address or domain name. Please try again. If the problem persists please contact your service provider.
WHOIS cannot resolve the specified domain name. Please try again. If the problem persists please contact your service provider.
You are not authorized to download this product. Due to Dept. of Justice requlations, only residents of US and Canada can download 128bit encrypted products.


CAUSE

This behavior occurs because U.S. law prevents Microsoft from exporting 128-bit components to countries outside the U.S. (or its territories, possessions and dependencies) and Canada. If you are using an Internet service provider (ISP) in the U.S. (or its territories, possessions and dependencies) or Canada, The download server may be unable to obtain the information needed to verify the physical location of your computer, thereby producing an error message, for any of the following reasons:

  1. Your Domain Name System (DNS) server that is the "Start of Authority" for your reverse lookup zone does not have a PTR record for your computer. Because 128-bit encryption technology cannot be exported outside the United States or Canada, Microsoft performs an inverse lookup of your Internet Protocol (IP) address. If Microsoft is unable to resolve this address to a domain name within the United States or Canada, an error message is generated.


  2. Your Domain Name System (DNS) server does not support a reverse lookup (NSLookup) table to retrieve the host name associated with your Internet Protocol (IP) address. This behavior can also occur if you are part of a network that uses a proxy server to gain access to the Internet. Your host name may not be available, depending on how the proxy server is configured.


  3. Your domain name is not properly registered to an ISP in the U.S. (or its territories, possessions and dependencies) or Canada, or no DNS record exists for your IP address. This can be determined by querying a WHOIS server.


  4. The download server cannot correctly interpret the information it obtained about the physical location of your computer (using your IP address and domain name) from a WHOIS server. In most cases, the WHOIS record does not conform to standards.


  5. The Schannel.dll file is corrupted or the incorrect version.


  6. WHOIS server times out, or is too busy.


  7. Connection with WHOIS server is refused/denied/fails.



RESOLUTION

To resolve this issue, use the appropriate method:

Issue 1

To resolve this issue, contact your Internet service provider (ISP) to have them create a PTR record for you in the appropriate reverse lookup zone, or have your ISP grant you "Start of Authority" for the IP address range you use so that you can create and maintain a reverse lookup zone.

For information about how to install and configure DNS Server, please click the article number below to view the article in the Microsoft Knowledge Base:
Q172953 How to Install and Configure Microsoft DNS Server

Issue 2

To resolve this issue, contact your Internet service provider (ISP) or network administrator to enable DNS reverse lookup on the public interface of your DNS server, proxy server, or firewall. DNS reverse lookup must be enabled on firewalls even if they are not providing any proxy services.

When you try to download 128-Bit encryption software from Microsoft, the download server issues a reverse DNS query to find the host name associated with the IP address of your computer (assigned to you by your ISP). Your ISP must configure a reverse lookup zone on their DNS server to provide this capability. To configure a reverse lookup zone, your ISP should consult the documentation included with their DNS server. For example, ISPs may refer to the following Microsoft Knowledge Base article for information about configuring a reverse lookup zone for a Microsoft DNS Server. Please click the article number below to view the article in the Microsoft Knowledge Base:
Q172953 How to Install and Configure Microsoft DNS Server
NSLookup can be used to confirm your DNS server supports reverse lookup. For information about using NSLookup with Windows NT Server or Workstation 4.0, please click the article number below to view the article in the Microsoft Knowledge Base:
Q200525 Using NSlookup.exe
NSLOOKUP output should resemble the following if reverse lookup is enabled: 

D:\>NSLOOKUP
Default Server:  xxx.dns.microsoft.com
Address:  100.00.000.000

> microsoft.com
Server:  xxx-dns-xx.dns.microsoft.com
Address:  111.11.111.111

Issue 3

To resolve this issue, check a public WHOIS lookup service to make sure your domain name is properly registered to an ISP (a DNS record exists). You can confirm that NSLookup returns a valid domain name and correctly formatted DNS record for the domain or IP address that is failing using (among other similar sites):

Network General the WHOIS Web Site

http://www.networksolutions.com/cgi-bin/whois/whois/

The American Registry for Internet Numbers (ARIN)

http://www.arin.net/whois/arinwhois.html
Both sites are valuable for gathering information on the InterNIC record for a domain name, if the record exists.

After the download server obtains the host name associated with your IP address, it queries WHOIS to determine whether your host name belongs to a U.S. (or its territories, possessions and dependencies) or Canadian ISP. WHOIS is a service provided by the InterNIC that provides information on second-level domains including contact e-mail addresses, postal addresses and telephone numbers of those who have registered with the InterNIC. For information about using WHOIS to verify Internet domain registration information, please click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q151710 XFOR: Using WHOIS To Research Internet Domains
Q169213 How to Verify Internet Domain Registration Information with InterNIC

Issue 4

To resolve this issue, check Network General The WHOIS Web site to determine the format of your DNS record:
http://www.networksolutions.com/cgi-bin/whois/whois/
Note that the record must follow this format: 

Company name
Address line 1
Address line 2
Address line …
City name, state_code_or_name  ZIP_code
NOTE: The comma separating the city name and the state code/name is required, and if the comma is not present, verification does not work.

Issue 5

To resolve this issue, extract a new copy of the Schannel.dll file from your operating system retail CD-ROM. For additional information about extracting files, please click the article number below to view the article in the Microsoft Knowledge Base:
Q129605 How to Extract Original Compressed Windows Files

Issue 6

To resolve this issue, retry when the WHOIS server is available.

Issue 7

To resolve this issue, contact your ISP or network administrator to determine the reason for the refusal, denial, or failure of the WHOIS lookup.


MORE INFORMATION

If you are outside the U.S. (or its territories, possessions and dependencies) or Canada, the standard 40-bit versions of Internet Explorer include Server Gated Cryptography (SGC) technology, which allows you to conduct 128-bit transactions with banks and financial institutions that support SGC.

If you are connecting to the Internet from within the U.S. (or its territories, possessions and dependencies) or Canada, please try to download the 128-bit version of Internet Explorer again. There can be a delay between the time when information is modified on the Internet root servers and when information is modified on the WHOIS servers. Problems with a DNS or WHOIS server or general internet bandwidth issues may also make the information temporarily inaccessible to the download server.

If the error persists, contact your Internet service provider (ISP) for assistance in resolving the problem. ISPs should refer to Issues and Resolutions sections of this article for troubleshooting information.

NOTE: If you receive an error message not listed in the Symptoms section of this article, then there may be an issue with the particular version of Internet Explorer you are using. Search the Microsoft Knowledge Base for information on the specific error message you received.

Companies located in the U.S. (or its territories, possessions and dependencies) or Canada can distribute Internet Explorer with 128-bit encryption capabilities in the U.S. (or its territories, possessions and dependencies) and Canada provided they sign up to receive the Internet Explorer Administration Kit (IEAK) 128-bit encryption component. Per the guidelines of the 128-bit Addendum, the component allows companies to distribute the 128-bit version of Internet Explorer 5.0 or 4.x, or for either Windows 98, Windows 95/NT 4.0, Windows 3.1/NT 3.51, or the Macintosh.

Additional query words: 4.00 3.00 5.0 5.00 troubleshoot

Keywords : kberrmsg kbtshoot win95 msiew95 msient win98 msiew98
Version : MACINTOSH:3.01a,4.0,4.01,4.5; UNIX:4.01,5; WINDOWS:3.02,3.03 Service Pack 1,4.0,4.01,4.01 Service Pack 1,4.01 Service Pack 2,5,95; winnt:4.0
Platform : MACINTOSH UNIX WINDOWS winnt
Issue type : kbprb


Last Reviewed: November 24, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.