After deploying .net patches in our <g class="gr_ gr_37 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="37" id="37">Citirx</g> environment, our services
failed to respond with <g class="gr_ gr_41 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="41" id="41">error :</g> Http/1.1 Internal Server Error 43554
Below .net patches deployed on server- KB4055271, KB4099635 ,KB4099639
Issue resolved post reverting back the servers state to one day back. All are <g class="gr_ gr_39 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="39" id="39">Windiws</g> 2012
and 2008 r2 servers hosted <g class="gr_ gr_38 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="38" id="38">citrix</g> storefront this <g class="gr_ gr_40
gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="40" id="40">are</g> Vmware servers.
After finding on the internet for KB4055271- Found below information - Was this patch impacted our server. Please need help from experts about the same.
Enhanced Key Usage (EKU) is described in RFC 5280 in section 4.2.1.12. This extension indicates
one or more purposes for which the certified public key may be used, in addition to or instead of the basic purposes that are indicated in the key usage extension. For example, a certificate that is used for the authentication of a client to a server must
be configured for Client Authentication. Similarly, a certificate that is used for the authentication of a server must be configured for Server Authentication. With this change, besides requiring the appropriate client/server EKU on certificates, if the root
certificate is disabled, the certificate chain validation will fail.
When certificates are used for authentication, the authenticator examines the certificate that is provided by the remote endpoint and seeks the correct purpose object identifier in Application Policies extensions. When a certificate is used for
client authentication, the object identifier for Client Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. Likewise, when a certificate is
used for server authentication, the object identifier for Server Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. Certificates that have
no EKU extension continue to authenticate correctly.
First, consider making changes to your component’s certificates to make sure that they are using the correct EKU OID attributes and are secured correctly. If you temporarily cannot access correctly reissued certificates, you can choose to opt
in or out of the security change to avoid any connectivity effects. To do this, specify the following <g class="gr_ gr_27 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="27" id="27">appsetting</g>
in the configuration file: