Schannel error 36885
On a Windows 2008 R2 SP1 server with current updates applied I am receiving an error from Schannel, 36885, indicating this server trusts so many certificate authorities that the list has grown too long... In the Trusted Root Certification Authorities list there are 317 certificates. This warning appears on multiple servers a few times a month. How can I get rid of this warning?
June 19th, 2012 6:48pm

Hi,
Thanks for posting in Microsoft TechNet forums. This error can be received while the maximum size of the trusted certificate authorities list that the Schannel security package supports is exceeded. We can use the "workarounds" of the article below to fix this problem:
Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003
http://support.microsoft.com/kb/933430
(The workarounds described in this article can apply to Windows Server 2008 R2 as well.)
Regards
Kevin
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here. TechNet Community Support
June 19th, 2012 10:08pm

Kevin, thank you for your reply. I have seen the article. Workaround 1, to delete the certificates on each server, is not practical as I have many servers and the issue may occur again with the next certificate update. Workaround 2, to use AD and import trusted certificates, is a very time-consuming process to figure out which ones are necessary for the correct functioning of Windows. Workaround 3, I am not sure of the security implications of Internet Explorer displaying all the client certificates that are installed on the client computer. Are you aware of a hotfix for Server 2008 R2?
June 20th, 2012 9:30am

Hi,
Thank you for your prompt reply. Please understand that the hotfix in that article increases the Schannel security buffer of Windows Server 2003 from 12,228 bytes to 16k. However, the Schannel security buffer has already been increased to 16k in Windows Server 2008 and Windows Server 2008 R2. Currently no hotfix is available to increase it further. In this situation, I suggest we use the third workaround in that article. Please be assured that it won't cause a security problem. Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Subscriber Support
June 20th, 2012 9:47pm
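
A way to measure how close a server is to the 16k buffer discussed above, as an added example that is not part of the original thread and is not Microsoft's own tooling. It assumes the issuer list is built from the distinct subject names in the LocalMachine Root store, each carried with a 2-byte length prefix as in the TLS CertificateRequest message, and that "16k" means 16,384 bytes; the function name is hypothetical, and the `SendTrustedIssuerList` value read at the end is the setting the third workaround in KB 933430 changes.

```powershell
# Added example (read-only): estimates the trusted issuer list size; changes nothing.
# Written to run on PowerShell 2.0, as shipped with Windows Server 2008 R2.
$limitBytes = 16KB   # "16k" buffer quoted in the thread (assumed to be 16,384 bytes)

function Get-IssuerListEstimate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates)
    $seen  = @{}
    $names = @()
    foreach ($cert in $Certificates) {
        $raw = $cert.SubjectName.RawData          # DER-encoded subject name
        $key = [System.BitConverter]::ToString($raw)
        if ($seen.ContainsKey($key)) { continue } # count each distinct name once
        $seen[$key] = $true
        $names += New-Object PSObject -Property @{
            Subject = $cert.Subject
            Bytes   = $raw.Length + 2             # assumption: 2-byte length prefix per name
        }
    }
    $total = ($names | Measure-Object -Property Bytes -Sum).Sum
    New-Object PSObject -Property @{
        DistinctNames = $names.Count
        TotalBytes    = [int]$total
        Names         = $names
    }
}

$roots    = @(Get-ChildItem Cert:\LocalMachine\Root)
$estimate = Get-IssuerListEstimate -Certificates $roots

"Certificates in store : {0}" -f $roots.Count
"Distinct issuer names : {0}" -f $estimate.DistinctNames
"Estimated list size   : {0} of {1} bytes" -f $estimate.TotalBytes, $limitBytes
if ($estimate.TotalBytes -gt $limitBytes) {
    "Estimate exceeds the buffer; event 36885 is expected on this server."
}

# Largest names first: the entries that free the most room if workaround 1 is used.
$estimate.Names | Sort-Object Bytes -Descending | Select-Object -First 10 Bytes, Subject

# Workaround 3 state: 0 means Schannel does not send the issuer list in the handshake.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$val = Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
if ($val) { "SendTrustedIssuerList = {0}" -f $val.SendTrustedIssuerList }
else      { "SendTrustedIssuerList is not set (operating system default applies)." }
```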

I will try to use method # 1 on a single server. I am using the following article as a guide on which certificates to keep: http://support.microsoft.com/kb/293781 I will know that the problem is resolved in 1 month as the certificate store is updated on a monthly basis and then generates a warning in the log. If the problem re-occurs, I will post to this thread. Thank you
June 21st, 2012 10:50am

Hi,
Thanks for your feedback. Please feel free to let us know if you need further help during the troubleshooting.
Regards
Kevin
TechNet Subscriber Support
June 24th, 2012 11:03pm

This topic is archived. No further replies will be accepted.
