The server certificate store for holding partner certificates is full

This is related to

http://tst.social.technet.microsoft.com/Forums/en-US/ocsedge/thread/f883f66c-e5ba-4d5c-9af0-569684be8c70

Two questions

1. What is the impact? i.e. when this area becomes full, what happens?

2. In the related article it appears to suggest that a fix is http://support.microsoft.com/kb/933430. This increases the buffer from 12k to 16K (the hotfix increases the Schannel security buffer). So at the moment I am seeing 1000 certificates; it sounds like the fix would raise this limit to 1300 certificates, which doesn't sound like a fix, just putting off the problem.

Any thoughts appreciated on this.

Regards

Full error

Event ID 14374

The server certificate store for holding partner certificates is full.

The number of certificates written to the store (RtcSrv\Accepted Certificates) reached the configured limit. No more certificates will be written to the store until the next restart.

Cause: The server certificate store for holding peer certificates already has the maximum number of certificates permitted by configuration.

Resolution:

Delete the certificates from that store using Certificate Manager or using the LCSCertUtil tool supplied as part of the resource kit.

April 2nd, 2012 10:58am


Hi,

To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server's list. If the certificate is not stored in the server, clients cannot connect to the server. When it happens in IE, you can't connect to the web service on the server.

The fix won't put off the problem if you exceed the limit. You could only try the three workarounds mentioned in the fix article you mentioned.

Hope helps,

Lisa

April 3rd, 2012 7:27am

Thanks for the reply.

The certificate store the error relates to is "RtcSrv\Accepted Certificates", i.e. not the normal Trusted Certificate Authorities store.

So if you could expand on how this is used and the impact of it being full.

Also the fixes mentioned don't appear to be applicable.

So any advice gratefully received.

April 3rd, 2012 9:41am

Hi,

The directory RtcSrv is specified for certificates for the Lync front end service.

If the error occurs, you can't connect to the Lync server.

Regards,

Lisa

April 9th, 2012 8:22am

Hello Alistair, I ran into event 14374 today on OCS 2007 R2 and temporarily resolved it as follows (replace "Office Communications Server Access Edge" with "Lync Server Access Edge" in step 2 if for a Lync Edge):

1. Stop all Edge Services.

2. Start -> Run mmc. File -> Add/Remove Snap-in... -> Add... -> Certificates (Add) -> Service Account (Next, Next) -> Office Communications Server Access Edge (Finish) -> Close -> OK.

3. In the mmc, navigate to RtcSrv\Accepted Certificates -> Certificates. Select all certificates, then select delete and exit the mmc.

4. Reboot the Edge server.

Once the Edge services are running, Federated communications worked as expected from the moment that the access edge service started. However, I just happened to notice that the "RtcSrv\Accepted Certificates" store did not begin to populate the certificates of the federated partners that are actively being used until the access edge service had been running for at least 30 minutes. All Edge services worked fine.

This, of course, is not a permanent fix but it will alleviate the issue for hopefully a long period of time until a better solution is found.

I know that Microsoft is Federated with more than 1000 OCS or Lync domains and I can only guess that they have had this issue in the past and have already found a better solution than mine. If you have Microsoft Technical Account Manager you should ask them to find out how this issue is handled internally within Microsoft.

Henry

June 10th, 2012 8:28am

I am still running Microsoft Lync 2010 and carry out the same procedure as you described to work around the issue. Have you upgraded to Microsoft Lync 2013 yet? If so, do you still experience this issue or has it been resolved?

As we are running into this more frequently I have written the following PowerShell script that could potentially be configured in Task Scheduler to run as often as you need it to.


# Changes into the registry location of the Lync Accepted Certificates store
# (each subkey under ...\Certificates is one accepted partner certificate)
Write-Host "Navigating to the Lync cert store..."
Push-Location 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\RtcSrv\SystemCertificates\Accepted Certificates\Certificates' -ErrorAction Stop

# Removes all of the keys; -Recurse avoids the per-key confirmation prompt for subkeys with children
Write-Host "Removing Lync certs..."
Remove-Item -Path * -Recurse -ErrorAction Stop
Pop-Location

# The *-CsWindowsService cmdlets come from the Lync Server Management Shell module
Import-Module Lync -ErrorAction Stop

# Restarts the Lync services in the correct order
Write-Host "Stopping Lync services..."
Get-CsWindowsService | Stop-CsWindowsService

Write-Host "Starting Lync services..."
Get-CsWindowsService | Start-CsWindowsService
August 29th, 2015 3:32am
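A companion check, added here as an example and not code posted in the thread: it counts the entries in the RtcSrv Accepted Certificates store (the registry path used in the script above) and looks for a logged event 14374, so a scheduled task can warn before the store fills instead of wiping it blindly. The warning threshold ($WarnAt) and the 'Lync Server' event log name are assumptions.

```powershell
# Added example: report how full the RtcSrv Accepted Certificates store is
# and whether event 14374 ("store is full") has already been logged.
# Assumptions: $WarnAt and the 'Lync Server' log name are chosen here, not
# taken from the thread; adjust them for OCS 2007 R2 or a different limit.
param(
    [int]$WarnAt = 900,
    [string]$LogName = 'Lync Server'
)

$StorePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\RtcSrv\SystemCertificates\Accepted Certificates\Certificates'

# Each subkey is one accepted partner certificate, keyed by thumbprint.
$count = 0
if (Test-Path -Path $StorePath) {
    $count = @(Get-ChildItem -Path $StorePath -ErrorAction Stop).Count
}

# Get-WinEvent raises when no matching event exists; treat that as "not full".
$lastFull = $null
try {
    $lastFull = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 14374 } `
        -MaxEvents 1 -ErrorAction Stop
} catch {
    $lastFull = $null
}

if ($lastFull) {
    $status = 'FULL'
} elseif ($count -ge $WarnAt) {
    $status = 'WARN'
} else {
    $status = 'OK'
}

$lastSeen = $null
if ($lastFull) { $lastSeen = $lastFull.TimeCreated }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Certificates   = $count
    WarnAt         = $WarnAt
    LastEvent14374 = $lastSeen
    Status         = $status
}

# Non-zero exit lets Task Scheduler or a monitoring agent flag the host.
if ($status -ne 'OK') { exit 1 }
```

Run it on the Edge server under an account that can read HKLM and the event log; when it reports WARN, schedule the cleanup in a maintenance window rather than waiting for federation to fail.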
