Monday, August 23, 2010

Event ID: 36885 and the Trusted Root Certificates (OCS2007/CS2010)

Some of you may have needed (or wanted) to install the latest Root Certificate Update from May 2010 on your OCS Edge server, and noticed afterward that you can't communicate with the outside world, or that connectivity has become intermittent (audio/video, desktop sharing, Live Meeting, etc.).

May 2010 Root Certificate Updates: http://www.microsoft.com/downloads/details.aspx?familyid=E4F9B573-66D7-4DDA-95D5-26C7D0F6C652&displaylang=en

The update adds quite a few new issuers to the machine's Trusted Root Certification Authorities store. That breaks applications like OCS because of how Schannel handles client certificate authentication: when the server asks the peer for a client certificate during the TLS handshake (as the Edge server does for MTLS federation), it sends along the list of issuers it trusts, and that list has a maximum size. Everything beyond the limit is truncated. If the issuer of a partner's certificate falls in the truncated part, the partner cannot pick a certificate the server will accept and the connection fails, which is why you can see connectivity with some partners and none with others.

Am I affected?
Enable logging for Schannel events by setting the following registry value. The value is a bit mask (0x1 = errors, 0x2 = warnings); the default is 1, errors only, and 36885 is logged as a warning, so it will not appear until you set 0x3:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel

Value name: EventLogging
Value type: REG_DWORD
Value data: 0x3

Then look for Event ID 36885 (source: Schannel) in the System log in Event Viewer. It is only written when a TLS handshake that requests a client certificate actually takes place, so give the server some traffic first. The description should read as follows:
"When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted."
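To script the check above, here is an added example (not from the original post) that turns on the logging, looks for event 36885, and estimates how large the issuer list built from the Trusted Root store would be on the wire. It assumes an elevated PowerShell session on Windows Server 2008 or later (Get-WinEvent does not exist on Windows Server 2003); the size estimate is my own approximation of the TLS CertificateRequest encoding, not Schannel's internal calculation.

```powershell
# Added example (not from the original post): turn on Schannel warning logging,
# look for event 36885, and estimate the size of the issuer list the server sends.
# Assumes an elevated PowerShell session on Windows Server 2008 or later.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# EventLogging is a bit mask: 0x1 = errors, 0x2 = warnings, 0x4 = informational.
# The default is 1 (errors only); 36885 is a warning, so 0x3 is needed to see it.
Set-ItemProperty -Path $schannel -Name EventLogging -Value 3 -Type DWord

# The warning is written only when a handshake that asks for a client
# certificate actually happens, so let some federation traffic in before checking.
$filter = @{ LogName = 'System'; Id = 36885 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    Write-Host ("Event 36885 seen (showing up to 5); most recent: {0}" -f $events[0].TimeCreated)
} else {
    Write-Host 'No event 36885 logged (yet).'
}

# Rough estimate of the certificate_authorities field in the TLS CertificateRequest
# (RFC 5246 section 7.4.4): a 2-byte length for the field, then for each issuer a
# 2-byte length plus the DER-encoded subject DN of the root.
# Assumption: Schannel includes every certificate in the Root store.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
$bytes = 2
foreach ($cert in $roots) {
    $bytes += 2 + $cert.SubjectName.RawData.Length
}
Write-Host ("{0} trusted roots; issuer list would be about {1} bytes on the wire" -f $roots.Count, $bytes)
```

Run it once before the root update (or on a server that has not received it) and once after to see how much the update grew the list; the number of roots is a cheap thing to watch after every future root certificate update.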
How do I fix it?
There are two ways to resolve this issue:

Method 1: (recommended)
  • Click Start, click Run, type regedit, and then click OK.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • On the Edit menu, point to New, and then click DWORD Value. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
  • Right-click SendTrustedIssuerList, and then click Modify.
  • In the Value data box, type 0 if that value is not already displayed, and then click OK.
  • Exit Registry Editor
Method 2:
  • Click Start, click Run, type mmc, and then click OK.
  • On the File menu, click Add/Remove Snap-in, and then click Add.
  • In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  • Click Computer account, click Next, and then click Finish.
  • Click Close, and then click OK.
  • Under Console Root in the Microsoft Management Console (MMC) snap-in, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  • Remove trusted root certificates that you do not have to have. To do this, right-click a certificate, click Delete, and then click Yes to confirm the removal of the certificate.
NOTE: Use caution when removing certificates here. Some certificates are required by Windows itself, and deleting the wrong root breaks more than OCS. If you don't know what to remove, use Method 1 instead. Method 1 does not loosen validation: the server still checks the certificate the client presents against its own trust store; it simply stops telling the client which issuers it trusts, so the client offers whatever certificate it is configured with. Be careful!
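Method 1 from PowerShell, as an added example (not from the original post or KB 933430): it records the current value so the change can be undone, writes SendTrustedIssuerList=0, and verifies the write. It assumes an elevated session on Windows Server 2008 or later; the key path and value name are the ones from the KB article.

```powershell
# Added example (not from the original post): apply Method 1 from PowerShell and
# verify it, recording the previous value so the change can be undone.
# Assumes an elevated session on Windows Server 2008 or later.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name     = 'SendTrustedIssuerList'

# Record what is there now (absent = Schannel default, i.e. the list is sent).
$before = (Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue).$name
if ($before -eq $null) {
    Write-Host "$name is not set; Schannel is sending the issuer list (default)."
} else {
    Write-Host "$name is currently $before."
}

# Create the value, or overwrite it if it already exists (-Force).
New-ItemProperty -Path $schannel -Name $name -Value 0 -PropertyType DWord -Force | Out-Null

# Verify the write before moving on.
$after = (Get-ItemProperty -Path $schannel -Name $name).$name
if ($after -ne 0) { throw "Failed to set $name (value is '$after')." }
Write-Host "$name = 0; Schannel will now send an empty issuer list in CertificateRequest."

# To revert later:
#   Remove-ItemProperty -Path $schannel -Name $name    # or set it back to $before
```

To confirm the change from the outside, connect to a listener that requires a client certificate (the federation port, 5061 by default) with `openssl s_client -connect <edge-fqdn>:5061` from another host: before the change it prints the issuers under "Acceptable client certificate CA names", afterward it reports "No client certificate CA names sent". If event 36885 keeps appearing after the change, restart the server so Schannel re-reads the key.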

Microsoft Reference: http://support.microsoft.com/kb/933430
