title: ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS
author: rick-anderson
description: The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS. Default Behavior: This is the same prior to the updated where ARR will ignore Comm...
ms.date: 04/13/2012
ms.assetid: 1262324d-f150-4a2f-9b5a-a439de7b718b
msc.legacyurl: /learn/extensions/configuring-application-request-routing-arr/arr-support-added-for-winhttpoptionsecurityflags
msc.type: authoredcontent

ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS

by Harsh Mittal

The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS.

Default Behavior:

The default behavior is the same as before the update: ARR ignores common name mismatches in SSL communication. With this change, ARR implements SECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag.

To change the settings, add the following registry key.

  1. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

  2. Expand the following registry key

    [!code-consoleMain]

  3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.

  4. In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.

  5. Double-click the SecureConnectionIgnoreFlags registry value and enter 0.

  6. Close Registry Editor.

The key can also be added from the command line with the following command:

[!code-consoleMain]

Setting Additional Options

The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag.

To set additional options, combine the settings below by adding their values together.

For example, to set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, set the value to 0x00003000.

| Value | Description |
| --- | --- |
| 0x00001000 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT) |
| 0x00002000 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
| 0x00000100 | SECURITY_FLAG_IGNORE_UNKNOWN_CA |
| 0x00000200 | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |

SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE

Allows the identity of a server to be established with a non-server certificate (for example, a client certificate).

SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE 0x00000200
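
When reviewing an ARR server, it helps to see exactly which certificate checks a given SecureConnectionIgnoreFlags value turns off. The following PowerShell is an added example, not part of the original article: the function names are hypothetical, the flag values are the ones in the table above, and the sample inputs are constructed.

```powershell
# Added example (not from the original article). Flag values are copied from
# the table on this page; the function names are hypothetical.
$ArrIgnoreFlags = [ordered]@{
    SECURITY_FLAG_IGNORE_UNKNOWN_CA        = 0x00000100
    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = 0x00000200
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = 0x00001000
    SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x00002000
}

function ConvertFrom-ArrIgnoreFlags {
    param([Parameter(Mandatory)][uint32]$Value)
    # Per this page, 0 is the same as SECURITY_FLAG_IGNORE_CERT_CN_INVALID.
    $effective = if ($Value -eq 0) { [uint32]0x1000 } else { $Value }
    $known = [uint32]0
    $set = @(foreach ($name in $ArrIgnoreFlags.Keys) {
        $bit = [uint32]$ArrIgnoreFlags[$name]
        $known = $known -bor $bit
        if ($effective -band $bit) { $name }
    })
    # Bits that are set but do not appear in the page's table.
    $unknown = $effective -bxor ($effective -band $known)
    [pscustomobject]@{
        Value         = '0x{0:X8}' -f $Value
        IgnoredChecks = $set
        UnknownBits   = '0x{0:X8}' -f $unknown
    }
}

function ConvertTo-ArrIgnoreFlags {
    param([Parameter(Mandatory)][string[]]$Name)
    $value = [uint32]0
    foreach ($n in $Name) {
        if (-not $ArrIgnoreFlags.Contains($n)) { throw "Unknown flag name: $n" }
        $value = $value -bor [uint32]$ArrIgnoreFlags[$n]
    }
    '0x{0:X8}' -f $value
}

# Constructed sample values: the default, the page's CN + date example, and a
# value that also skips the CA and certificate-usage checks.
0, 0x00003000, 0x00003300 | ForEach-Object { ConvertFrom-ArrIgnoreFlags -Value $_ }
ConvertTo-ArrIgnoreFlags -Name SECURITY_FLAG_IGNORE_CERT_CN_INVALID, SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
```

To audit a live server, pass the DWORD read from the SecureConnectionIgnoreFlags registry value to `ConvertFrom-ArrIgnoreFlags`; every name listed under IgnoredChecks is a validation step ARR skips when connecting to the back end over SSL.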

Reference

WINHTTP_OPTION_SECURITY_FLAGS

https://msdn.microsoft.com/library/windows/desktop/aa384066(v=vs.85).aspx