After deploying .net patches in our Citrix environment, our services failed to respond KB4055271, KB4099635, KB4099639 with error Http/1.1 Internal Server Error 43554

  • Question

  • After deploying .NET patches in our Citrix environment, our services failed to respond with error: Http/1.1 Internal Server Error 43554

    The below .NET patches were deployed on the server: KB4055271, KB4099635, KB4099639

    The issue was resolved after reverting the servers' state to one day back. All are Windows 2012 and 2008 R2 servers hosting Citrix StoreFront; these are VMware servers.

    After searching on the internet for KB4055271, I found the information below. Did this patch impact our server? We need help from experts about the same.

    Enhanced Key Usage (EKU) is described in RFC 5280 in section 4.2.1.12. This extension indicates one or more purposes for which the certified public key may be used, in addition to or instead of the basic purposes that are indicated in the key usage extension. For example, a certificate that is used for the authentication of a client to a server must be configured for Client Authentication. Similarly, a certificate that is used for the authentication of a server must be configured for Server Authentication. With this change, besides requiring the appropriate client/server EKU on certificates, if the root certificate is disabled, the certificate chain validation will fail.

    When certificates are used for authentication, the authenticator examines the certificate that is provided by the remote endpoint and seeks the correct purpose object identifier in Application Policies extensions. When a certificate is used for client authentication, the object identifier for Client Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. Likewise, when a certificate is used for server authentication, the object identifier for Server Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. Certificates that have no EKU extension continue to authenticate correctly.

    First, consider making changes to your component’s certificates to make sure that they are using the correct EKU OID attributes and are secured correctly. If you temporarily cannot access correctly reissued certificates, you can choose to opt in or out of the security change to avoid any connectivity effects. To do this, specify the following appsetting in the configuration file:

    Monday, June 18, 2018 5:05 AM
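
The EKU rule quoted in the question can be checked against a server's own certificates. The following PowerShell is an added example, not part of the original post or of the quoted KB text; the store path `Cert:\LocalMachine\My` and the function name `Test-EkuPurpose` are assumptions, and it inspects only the EKU extension, not the separate Application Policies extension or the root certificate's state.

```powershell
# Added example: classify certificates by the EKU rule quoted above.
# OIDs are taken from the quoted text.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Hypothetical helper name; returns a verdict string for one certificate and purpose.
function Test-EkuPurpose {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$RequiredOid
    )
    $hasEku  = $false
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        # .NET exposes the EKU extension as a typed object with an OID collection.
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $hasEku = $true
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    # Per the quoted text: certificates with no EKU extension still authenticate.
    if (-not $hasEku) { return 'Pass (no EKU extension)' }
    # EKU present: the purpose OID must be listed, or authentication fails.
    if ($ekuOids -contains $RequiredOid) { return 'Pass (OID present)' }
    return 'FAIL (EKU present, OID missing)'
}

# Assumption: service certificates live in the local machine's personal store.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        ServerAuth = Test-EkuPurpose -Certificate $_ -RequiredOid $ServerAuthOid
        ClientAuth = Test-EkuPurpose -Certificate $_ -RequiredOid $ClientAuthOid
    }
} | Format-Table Subject, Thumbprint, NotAfter, ServerAuth, ClientAuth -AutoSize
```

A certificate reported as FAIL for the role it actually plays (server or client) is a candidate for reissue with the matching EKU.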

All replies

  • Hi Ganesh Mergu,

    Thank you for posting here.

    Since your question is more related to Citrix, you could post a new thread in the Citrix forum.

    https://discussions.citrix.com/

    The CLR Forum is for discussing and asking questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. It also covers all the other Microsoft libraries that are built on or extend the .NET Framework, including Managed Extensibility Framework (MEF), Charting Controls, CardSpace, Windows Identity Foundation (WIF), Point of Sale (POS), Transactions.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, June 19, 2018 6:22 AM