Using WinHTTP Logging to Verify SSL/TLS Negotiation

If a client and a device communicate over a secure channel (HTTPS), the WinHTTP logs can be used to troubleshoot application failures. When the SSL/TLS negotiation between the client and the device fails, the WinHTTP log records an error code that identifies which check failed and usually points to the cause. If the communication does not use a secure channel, this diagnostic procedure does not apply.

To use WinHTTP logging to verify SSL/TLS negotiation

  1. Capture the WinHTTP logs.
  2. Start Notepad or another text editor. The text editor must be run as Administrator.
  3. Open the WinHTTP log file.
  4. Check for SSL/TLS negotiation errors.
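Steps 3 and 4 can be scripted instead of searched by hand. The following PowerShell function is an added example, not code from the MSDN page or from WinHTTP; it matches only the error-code tokens (HRESULTs in hex, WinHTTP codes in decimal or hex) against the codes listed in the table under "Checking for SSL/TLS negotiation errors" below, so the exact trace layout does not matter. The log lines at the bottom are constructed for the example and do not reproduce the real WinHTTP trace format; 12175 (ERROR_WINHTTP_SECURE_FAILURE) is taken from the WinHTTP Error Messages reference, not from the table.

```powershell
# Added example (not from the MSDN page): scan a captured WinHTTP log for the
# SSL/TLS negotiation error codes discussed on this page and report cause and fix.
# Only the error-code token is matched; the sample lines at the bottom are
# CONSTRUCTED for this example and are not real WinHTTP trace output.

$KnownErrors = @{
    '0x800B0109' = @{
        Name  = 'CERT_E_UNTRUSTEDROOT'
        Fatal = $true
        Cause = 'Server certificate chains to a root the local computer does not trust'
        Fix   = 'Add the issuing CA root to the LocalMachine Trusted Root store (not the user store)'
    }
    '0x800B010F' = @{
        Name  = 'CERT_E_CN_NO_MATCH'
        Fatal = $true
        Cause = 'Certificate CN/SAN does not match the host name in the device address'
        Fix   = 'Use the name on the certificate in the URL, or reissue the certificate for that name'
    }
    '0x80092013' = @{
        Name  = 'CRYPT_E_REVOCATION_OFFLINE'
        Fatal = $true
        Cause = 'CRL distribution point or OCSP responder could not be reached'
        Fix   = 'Make the revocation server reachable from this client'
    }
    '12044' = @{
        Name  = 'ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED'
        Fatal = $false
        Cause = 'Device requested a client certificate'
        Fix   = 'Usually self-healing; if the request still fails, check the client certificate and its private-key ACL'
    }
    # Catch-all secure-channel failure (from WinHTTP Error Messages, not the table above);
    # the CryptoAPI code logged alongside it says why.
    '12175' = @{
        Name  = 'ERROR_WINHTTP_SECURE_FAILURE'
        Fatal = $true
        Cause = 'One or more certificate errors on the secure channel'
        Fix   = 'Look for the 0x800B... / 0x8009... code logged next to this error'
    }
}

function Get-WinHttpNegotiationErrors {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Hex tokens (HRESULTs such as 0x800B0109, or WinHTTP codes logged as 0x2F0C)
    # and bare five-digit decimal tokens (WinHTTP codes such as 12044).
    $pattern = '(?i)\b0x([0-9a-f]{1,8})\b|\b(\d{5})\b'
    $lineNo  = 0
    foreach ($line in $LogLines) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, $pattern)) {
            if ($m.Groups[1].Success) { $value = [Convert]::ToUInt32($m.Groups[1].Value, 16) }
            else                      { $value = [uint32]$m.Groups[2].Value }
            # Normalise: values below 0x10000 are Win32/WinHTTP codes (decimal key),
            # anything larger is an HRESULT (8-digit upper-case hex key).
            $key = if ($value -lt 0x10000) { [string]$value } else { '0x{0:X8}' -f $value }
            if ($KnownErrors.ContainsKey($key)) {
                $e = $KnownErrors[$key]
                [pscustomobject]@{
                    LineNo     = $lineNo
                    Code       = $key
                    Name       = $e.Name
                    Fatal      = $e.Fatal
                    Cause      = $e.Cause
                    Resolution = $e.Fix
                }
            }
        }
    }
}

# CONSTRUCTED sample lines standing in for a captured log; the real trace
# layout differs, but the codes are matched the same way.
$SampleLog = @(
    '13:37:26.078 ::WinHttpSendRequest() https://mydevice.contoso.com:5358/',
    '13:37:26.110 ::WinHttpSendRequest() returning FALSE, error 12044',
    '13:37:26.120 ::WinHttpSendRequest() retrying with client certificate',
    '13:37:26.140 ::WinHttpSendRequest() returning FALSE, error 12175, status 0x800b0109'
)

Get-WinHttpNegotiationErrors -LogLines $SampleLog | Format-Table LineNo, Code, Name, Fatal, Cause -AutoSize

# Real use, from an elevated prompt once the log has been captured:
# Get-WinHttpNegotiationErrors -LogLines (Get-Content 'C:\path\to\winhttp.log') | Format-List
```

On the constructed sample the function reports the non-fatal 12044 on line 2, then 12175 and 0x800B0109 on line 4; the last hit is the one that matters, because 12044 alone only means the retry with a client certificate is about to happen. Run the function over the real log with `Get-Content`, reading from the elevated prompt the procedure already requires.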

Checking for SSL/TLS negotiation errors

The following table shows some errors that can occur during SSL/TLS negotiation, their causes, and possible resolutions. The table does not show all possible errors. For a list of other errors, see WinHTTP Error Messages. Note that these checks are the client's only protection against a host impersonating the device: an application can suppress them with SECURITY_FLAG_IGNORE_UNKNOWN_CA, SECURITY_FLAG_IGNORE_CERT_CN_INVALID and the related flags of WINHTTP_OPTION_SECURITY_FLAGS, but that removes the protection instead of fixing the problem. The resolutions below fix the problem.

Error: 0x800b0109 (CERT_E_UNTRUSTEDROOT)
Cause: The operating system does not trust the server certificate presented by the device: no chain can be built from the server certificate to a root in the Trusted Root Certification Authorities store of the local computer.
Resolution: Ensure that a chain of trust can be built from the server certificate, through the issuing certificate authority (CA), to a trusted root. In most cases this means adding the CA's root certificate to the Trusted Root Certification Authorities folder of the local computer certificate store. Add only roots you control or have a reason to trust; every root in that store can issue a certificate for any name this computer will accept.

Note  The CA certificate must be in the local computer store, not the current user store. The processes that perform discovery run under service accounts and do not read the interactive user's store.

Error: 0x800b010f (CERT_E_CN_NO_MATCH)
Cause: The name in the server certificate does not match the host name part of the device address. The host name is compared against the DNS entries of the certificate's Subject Alternative Name extension and, if there are none, against the common name (CN) of the subject.
Resolution: Make the certificate name match the host name used in the device address. For example, if the operating system connects to https://mydevice.contoso.com:5358/, the server certificate must carry mydevice.contoso.com as its CN or as a SAN DNS entry; the port is not part of the comparison. Connecting by IP address or by a short name that is not on the certificate fails this check.

Error: 0x80092013 (CRYPT_E_REVOCATION_OFFLINE)
Cause: The revocation status of a certificate in the chain could not be determined because the revocation server (the CRL distribution point or OCSP responder named in the certificate) was offline or unreachable.
Resolution: Ensure that the revocation server can be reached from the client. Check the URLs in the certificate's CRL Distribution Points and Authority Information Access extensions, and any proxy or firewall on the path to them.

Error: 12044 (ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED)
Cause: The device requires client authentication and requested a client certificate during the handshake.
Resolution: This error is not fatal by itself, and the operating system may recover from it automatically. The operating system chooses a client authentication certificate from the local computer certificate store and retries the HTTP request with this client certificate.

If the SSL/TLS negotiation still fails after that retry, try the following resolutions.

  • Add a valid certificate for client authentication to the local computer certificate store.
  • Ensure that the process trying to issue the GET request has access to the private key of the client certificate. For example, if trying to discover a device using the Network Explorer, the LocalService account must have read access to the private key of the client certificate. This is because FDPHost, a process used by the Network Explorer to discover devices, runs under the LocalService account.

    The ACLs on the private key of the certificate can be managed using the Certificates MMC snap-in. Read access must be given to the account under which the process issuing the GET request runs; Read is sufficient for TLS client authentication, so do not grant Full Control. To do this in the MMC snap-in, right-click the certificate, point to All Tasks, and then click Manage Private Keys. Click the name of the user or group that requires read access, and then select the Allow check box next to the Read label. For more information about this snap-in, see How to: View Certificates with the MMC Snap-in.
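The same change can be scripted, which is useful when several machines need the fix or when you want to verify the resulting ACL. The following function is an added example, not code from the MSDN page or from WSDAPI; it locates the private-key file of a certificate in the local computer store, grants Read to the account the requesting process runs under (LocalService for FDPHost, per the text above), and returns the resulting access entries. It assumes the key was created by one of the Microsoft software key-storage providers (CNG or legacy CSP), so the key file is under %ProgramData%\Microsoft\Crypto; the thumbprint in the usage line is a placeholder to replace with your own.

```powershell
# Added example (not from the MSDN page): scripted equivalent of
# "All Tasks > Manage Private Keys" for a client certificate in the local
# computer store. Grants READ on the private key file to the account that
# runs the process issuing the request (LocalService for FDPHost).
# Run from an elevated PowerShell. The thumbprint passed in is a placeholder;
# the only other assumption is the default key-storage location of the
# Microsoft software providers under %ProgramData%\Microsoft\Crypto.

function Grant-ClientCertPrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\LOCAL SERVICE'   # account FDPHost runs under
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in the local computer store"
    }

    # Find the key file. CNG keys and legacy CAPI (CSP) keys live in different folders.
    $keyName = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    }
    if (-not $keyName) { throw 'Unsupported key type (not an RSA software key)' }
    $keyPath = Join-Path $keyDir $keyName
    if (-not (Test-Path $keyPath)) {
        throw "Key file $keyPath not found; the key may be held by a hardware or TPM provider"
    }

    # Least privilege: Read is enough to use the key for TLS client auth. Do not grant Full Control.
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Return the resulting entries for the account so the change can be verified.
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholder thumbprint; find yours with Get-ChildItem Cert:\LocalMachine\My):
# Grant-ClientCertPrivateKeyRead -Thumbprint 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'
```

After running it, repeat the discovery and re-check the WinHTTP log: a 12044 that is no longer followed by a failure means the retry with the client certificate now succeeds. Pass a different `-Account` when the process issuing the request runs under something other than LocalService.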


For more troubleshooting information, see Troubleshooting HTTPS Secure Channel Communication. For more information about SSL, see SSL in WinHTTP.

See Also

WinHTTP
Capturing WinHTTP Logs
WinHTTP Error Messages
Troubleshooting HTTPS Secure Channel Communication
WSDAPI Diagnostic Procedures
Getting Started with WSDAPI Troubleshooting

Build date: 11/6/2009

© 2009 Microsoft Corporation. All rights reserved.