Schannel error 36885
On a Windows 2008 R2 SP1 server with current updates applied I am receiving an error from Schannel, 36885, indicating this server trusts so many certificate authorities that the list has grown too long...
In the Trusted Root Certification Authorities list there are 317 certificates. This warning appears on multiple servers a few times a month.
How can I get rid of this warning?
June 19th, 2012 6:48pm
Hi,
Thanks for posting in Microsoft TechNet forums.
This error can be received when the maximum size of the trusted certificate authorities list that the Schannel security package supports is exceeded.
We can use the "workarounds" of the article below to fix this problem:
Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003
http://support.microsoft.com/kb/933430
(The workarounds described in this article can apply to Windows Server 2008 R2 as well.)
Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
TechNet Community Support
June 19th, 2012 10:08pm
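Before choosing a workaround it helps to know how far over the limit a given server actually is. The PowerShell below is an added example, not code from this thread or from KB 933430: it estimates the size of the trusted-issuer list Schannel would place in a TLS CertificateRequest and compares it with the 16 KB figure discussed in the thread. The sizing method is an assumption on my part: one entry per certificate in LocalMachine\Root, costing the DER-encoded subject DN plus a 2-byte length prefix (the certificate_authorities vector of RFC 5246). Schannel's exact internal accounting is not documented on this page, so read the total as an estimate. It runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example (not from the thread or KB 933430). Estimates the trusted-issuer
# list size Schannel sends in a CertificateRequest and compares it with 16 KB.
# Assumption: one entry per root certificate = DER subject DN + 2-byte length
# prefix, plus a 2-byte length for the whole vector (RFC 5246 layout).
$limitBytes = 16KB

$roots   = @(Get-ChildItem Cert:\LocalMachine\Root)
$entries = foreach ($cert in $roots) {
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DnBytes    = $cert.SubjectName.RawData.Length + 2   # DER DN + 2-byte length
    }
}

# 2 bytes for the vector's own length field, then every DN entry
$total = 2 + ($entries | Measure-Object -Property DnBytes -Sum).Sum

"{0} trusted roots; estimated issuer list {1} bytes (limit {2})" -f $roots.Count, $total, $limitBytes
if ($total -gt $limitBytes) {
    "Over the limit by about {0} bytes: expect Schannel event 36885" -f ($total - $limitBytes)
}

# Where pruning (workaround 1) buys the most: the largest DNs and already-expired roots
"`nLargest subject names:"
$entries | Sort-Object DnBytes -Descending |
    Select-Object -First 10 DnBytes, Thumbprint, Subject | Format-Table -AutoSize

"Expired roots (removal candidates; check them against KB 293781 first):"
$entries | Where-Object { $_.NotAfter -lt (Get-Date) } | Sort-Object NotAfter |
    Select-Object NotAfter, Thumbprint, Subject | Format-Table -AutoSize
```

Because Windows Update refreshes the root store, the number that matters is the trend: run this on one server each month and the headroom (or lack of it) tells you whether pruning will hold or whether the registry workaround is the only durable option.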
Kevin, thank you for your reply. I have seen the article. Workaround 1, to delete the certificates on each server, is not practical as I have many servers and the issue may occur again with the next certificate update.
Workaround 2, to use AD and import trusted certificates, is a very time consuming process to figure out which ones are necessary for the correct functioning of Windows.
Workaround 3, I am not sure of the security implications of Internet Explorer displaying all the client certificates that are installed on the client computer.
Are you aware of a hotfix for Server 2008 R2?
June 20th, 2012 9:30am
Hi,
Thank you for your prompt reply.
Please understand that the hotfix in that article increases the Schannel security buffer of Windows Server 2003 from 12,228 bytes to 16k. However, the Schannel security buffer has already been increased to 16k in Windows Server 2008 and Windows Server 2008 R2. Currently no hotfix is available to increase it further.
In this situation, I suggest we use the third workaround in that article. Please be assured that it won't cause a security problem.
Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Subscriber Support
June 20th, 2012 9:47pm
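For anyone who does go with the third workaround, the following is an added example (not code from this thread or from Microsoft) showing how to check whether it is already in place, how to apply it, and how to confirm afterwards that event 36885 has stopped. One assumption to flag: the registry value name, SendTrustedIssuerList (a DWORD under the SCHANNEL key, 0 = do not send the trusted-issuer list), is quoted from memory of KB 933430 rather than from anything on this page, so verify it against the article before using it in production. The event provider name is the Source shown in Event Viewer for these events.

```powershell
# Added example (not from the thread or KB 933430). Inspects, applies and verifies
# the third workaround. Assumption: the value is SendTrustedIssuerList (DWORD,
# 0 = do not send the issuer list) under the SCHANNEL key below; run elevated.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName   = 'SendTrustedIssuerList'

function Get-SendTrustedIssuerList {
    # Returns $null when the value is absent, i.e. the default (list is sent)
    $item = Get-ItemProperty -Path $schannelKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$valueName
}

function Disable-SendTrustedIssuerList {
    # Workaround 3: stop sending the issuer list so its size no longer matters.
    # The list is only a hint that lets the client pick which certificate to
    # offer; the server still validates whatever client certificate chain it gets.
    if (-not (Test-Path $schannelKey)) { New-Item -Path $schannelKey -Force | Out-Null }
    Set-ItemProperty -Path $schannelKey -Name $valueName -Value 0 -Type DWord
    Write-Warning 'Schannel reads its settings at start-up; reboot before judging the result.'
}

function Get-Schannel36885 {
    param([int]$Max = 20)
    # System log, Source "Schannel", event 36885 (Get-WinEvent exists on 2008 R2 / PS 2.0)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36885 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue
}

# --- report on this server ---
$current = Get-SendTrustedIssuerList
if ($current -eq $null) { "$valueName is not set (default: issuer list is sent)" }
else                    { "$valueName = $current" }

$events = @(Get-Schannel36885)
if ($events.Count -gt 0) {
    "Most recent 36885: {0} ({1} match(es) in the last 20 checked)" -f $events[0].TimeCreated, $events.Count
    $events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} else {
    'No event 36885 found in the System log'
}

# Uncomment to apply workaround 3 on this server:
# Disable-SendTrustedIssuerList
```

On the security question raised earlier in the thread: with the list suppressed, a browser can no longer pre-filter its client certificates by issuer, so the user may be shown every certificate they hold, but the server's own chain validation is unchanged, which is why the workaround removes a usability hint rather than a control. Since the fix is a single registry value, it is also the one of the three that can be rolled out identically to many servers, by Group Policy Preferences or a script, which addresses the "many servers" concern with workaround 1.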
I will try to use method #1 on a single server. I am using the following article as a guide on which certificates to keep:
http://support.microsoft.com/kb/293781
I will know that the problem is resolved in 1 month as the certificate store is updated on a monthly basis and then generates a warning in the log. If the problem re-occurs, I will post to this thread.
Thank you
June 21st, 2012 10:50am
Hi,
Thanks for your feedback.
Please feel free to let us know if you need further help during the troubleshooting.
Regards
Kevin
TechNet Subscriber Support
June 24th, 2012 11:03pm