1,746 questions
Hi.
The server is running Windows 2022 and IIS 10. ARR version is 3.0.
Here's a screenshot of the registry. I restarted IIS after inserting the registry value
Application Request Routing (ARR) - SecureConnectionIgnoreFlags support
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 7.000000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFC%3C/text%3E%3C/svg%3E)
Frank Cheung
0
Reputation points
Hello.
I have ARR 3.0 installed and I want to set the SecureConnectionIgnoreFlags to ignore expired certificates for health checking as described in https://learn.microsoft.com/en-us/iis/extensions/configuring-application-request-routing-arr/arr-support-added-for-winhttpoptionsecurityflags
This article indicated that there's a hotfix for ARR 2.5, https://www.microsoft.com/en-us/download/details.aspx?id=35827 and this hotfix won't install on ARR 3.0
I added the registry setting but it doesn't seem to work.
I also found this KB, https://support.microsoft.com/en-us/topic/june-2016-hotfix-for-microsoft-application-request-routing-3-0-8855fd9c-1d0c-7704-f10b-de18e6efa9b1 but the download link is broken.
Can someone confirm if SecureConnectionIgnoreFlags is supported out of the box w/ ARR 3.0?
Thanks a lot.
Windows development | Internet Information Services
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-02-11T09:59:48.23+00:00 Hi @Frank Cheung,
What version of IIS are you currently using? I see that the documents you provided are all applicable to IIS 8/IIS 8.5.
In addition, how did you configure this registry (what value you configured), you can try something like this and check if this work:
reg.exe add "HKLM\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters" /v SecureConnectionIgnoreFlags /t REG_DWORD /d 0x00003300
Sign in to comment
2 answers
Sort by: Most helpful
-
Frank Cheung 0 Reputation points
2025-02-11T16:21:42.99+00:00 -
Anonymous
2025-02-12T08:29:29.08+00:00 Hi @Frank Cheung,
Does this work for you? If it still doesn't work, could you provide detailed error messages?
-
Frank Cheung 0 Reputation points
2025-02-12T15:58:25.6733333+00:00 No. It doesn't work. I get the 502.3 gateway error.
Once I replace the certificate on the worker / web node with one that is not expired, it started working again.
-
Anonymous
2025-02-13T02:16:47.6633333+00:00 Hi @Frank Cheung,
Try to modify the value to
0x00003300and check if this work. -
Frank Cheung 0 Reputation points
2025-02-14T02:05:01.2+00:00 No. It doesn't work. What's really strange is that it worked for like 4 to 5 hours and then i stop seeing traffic coming to one of the web node that has an expired certificate.
IIS manager still shows the node as health but I get 503.4 error
-
Anonymous
2025-02-14T06:38:41.4733333+00:00 Hi @Frank Cheung,
What's really strange is that it worked for like 4 to 5 hours and then i stop seeing traffic coming to one of the web node that has an expired certificate.
You mean after changing the configuration it worked for a while?
IIS manager still shows the node as health but I get 503.4 error
This error code means: FastCGI queue full. Maybe you can check the relevant log information for more details.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 62%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETT%3C/text%3E%3C/svg%3E)
Tom Tran (WICLOUD CORPORATION) 10 Reputation points Microsoft External Staff2025-07-07T07:11:55.78+00:00 Hi Frank Cheung,
I know this is a really late response.
From what you've provided, the registry key is correctly configured but ARR 3.0 does not reliably honor
SecureConnectionIgnoreFlagsout of the box. This behavior was addressed in a June 2016 hotfix (KB3167810), which specifically adds support for this registry setting in ARR 3.0.This means that unless the hotfix is already installed, ARR will continue to reject expired certificates during health checks even if the registry key is present. That would explain why traffic initially flowed to the node with the expired cert (possibly due to caching) and then stopped after a few hours, resulting in 502.3 and 503.4 errors.
In the meantime, you could try:
- Small fixes like:
- Try a different browser (e.g., Edge, Chrome, Firefox).
- Disable browser extensions like ad blockers or script blockers that might interfere with the download.
- Use a private/incognito window to bypass cached sessions or cookies.
- Check network restrictions — some corporate firewalls or proxies may block Microsoft download domains.
- Run this PowerShell command to check if the hotfix is installed yet:
Get-HotFix -Id KB3167810- If none of that work, you can still directly request the hotfix by contacting Microsoft since the link to the hotfix is broken: (https://support.microsoft.com/en-us/contactus)
- Sign in with you Microsoft's account and select "Windows" as the product.
- In the description, you can state the following for example: “I’m requesting hotfix KB3167810 for Application Request Routing (ARR) 3.0. The public download link is no longer available. This hotfix is needed to enable support for the
SecureConnectionIgnoreFlagsregistry key, which is not being honored in the base version of ARR 3.0.” - Proceed with "Contact Support" request via chat or email if available.
I really hope this solves your issue. Let me know if you require more help!