After deploying .net patches in our Citirx environment, our services failed to respond KB4055271, KB4099635 ,KB4099639 with error Http/1.1 Internal Server Error 43554

• Question

• 

  

  0

  Sign in to vote

  After deploying .net patches in our <g class="gr_ gr_37 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="37" id="37">Citirx</g> environment, our services failed to respond with <g class="gr_ gr_41 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="41" id="41">error :</g>  Http/1.1 Internal Server Error 43554

  Below .net patches deployed on server- KB4055271, KB4099635 ,KB4099639

  Issue resolved post reverting back the servers state to one day back. All are <g class="gr_ gr_39 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="39" id="39">Windiws</g> 2012 and 2008 r2 servers hosted <g class="gr_ gr_38 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="38" id="38">citrix</g> storefront this <g class="gr_ gr_40 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="40" id="40">are</g> Vmware servers.

  After finding on the internet for KB4055271- Found below information - Was this patch impacted our server. Please need help from experts about the same.

  Enhanced Key Usage (EKU) is described in RFC 5280 in section 4.2.1.12. This extension indicates one or more purposes for which the certified public key may be used, in addition to or instead of the basic purposes that are indicated in the key usage extension. For example, a certificate that is used for the authentication of a client to a server must be configured for Client Authentication. Similarly, a certificate that is used for the authentication of a server must be configured for Server Authentication. With this change, besides requiring the appropriate client/server EKU on certificates, if the root certificate is disabled, the certificate chain validation will fail.
  
  When certificates are used for authentication, the authenticator examines the certificate that is provided by the remote endpoint and seeks the correct purpose object identifier in Application Policies extensions. When a certificate is used for client authentication, the object identifier for Client Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. Likewise, when a certificate is used for server authentication, the object identifier for Server Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. Certificates that have no EKU extension continue to authenticate correctly.
  
  First, consider making changes to your component’s certificates to make sure that they are using the correct EKU OID attributes and are secured correctly. If you temporarily cannot access correctly reissued certificates, you can choose to opt in or out of the security change to avoid any connectivity effects. To do this, specify the following <g class="gr_ gr_27 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="27" id="27">appsetting</g> in the configuration file:

  • Moved by Wendy ZangMicrosoft contingent staff Wednesday, June 27, 2018 1:34 AM

  Monday, June 18, 2018 5:05 AM