This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
by Harsh Mittal
The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS.
Default Behavior:
This is the same prior to the updated where ARR will ignore Common name mismatches in the SSL communication. With this change ARR implementsSECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag.
To change the settings add the following registry key.
Click Start, type regedit.exe in the Start Search box, and then press ENTER.
Expand the following registry key
HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters
Right-click Parameters, click New, and then click DWORD (32-bit) Value.
In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.
Double-click the SecureConnectionIgnoreFlags registry value and Enter 0.
Close Registry Editor.
The key can also be added from the command line with the following command:
reg.exe add "HKLM\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters" /v SecureConnectionIgnoreFlags /t REG_DWORD /d 0
Setting Additional Options
The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag.
To set additional options you can combine the following settings by adding the following values together.
For example to Set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID set the value = 0x00003000.
| Value | Description |
|---|---|
| 0x00001000 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT) |
| 0x00002000 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
| 0x00000100 | SECURITY_FLAG_IGNORE_UNKNOWN_CA |
| 0x00000200 | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
· SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE
Allows the identity of a server to be established with a non-server certificate (for example, a client certificate).
SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE 0x00000200
Reference
WINHTTP_OPTION_SECURITY_FLAGS
https://msdn.microsoft.com/library/windows/desktop/aa384066(v=vs.85).aspx
Training
Learning path
Secure Windows Server on-premises and hybrid infrastructures - Training
Secure Windows Server on-premises and hybrid infrastructures
Certification
Microsoft Certified: Information Security Administrator Associate - Certifications
As an Information Security Administrator, you plan and implement information security of sensitive data by using Microsoft Purview and related services.