Microsoft KB Archive/933430

= Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003 =

Article ID: 933430

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
Consider the following scenarios.

Scenario 1

 * You have a Microsoft Internet Information Services (IIS) 6.0 Web site that uses the Secure Sockets Layer (SSL) protocol to encrypt client connections.
 * The Require client certificates option is selected in the Secure Communications dialog box of the Properties dialog box.

In this scenario, you may experience the following symptoms:
 * Clients cannot connect to the Web site successfully.
 * The following Warning event is logged on the Microsoft Windows Server 2003-based computer that hosts the Web site:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date:
Time:
User:
Computer:
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Note By default, Secure Channel (Schannel) Warning events are not logged. For more information about how to configure logging for Schannel events, see the "More Information" section.

Scenario 2
You use a Microsoft Windows Server 2003-based computer that is running Microsoft Internet Authentication Service (IAS) to support authentication for a wireless network. In this scenario, you may experience the following symptoms:
 * The IAS server cannot successfully authenticate the clients. Therefore, wireless client computers cannot connect to the wireless network successfully.
 * A Warning event that resembles the following is logged on the IAS server:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date:
Time:
User:
Computer:
Description: User jsmith@contoso.com was denied access.
Fully-Qualified-User-Name = CONTOSOS\jsmith
NAS-IP-Address = 10.20.30.40
NAS-Identifier = WL1234-1
Called-Station-Identifier = 0016.462c.1650
Calling-Station-Identifier = 0012.f05b.a795
Client-Friendly-Name = WL1234-1
Client-IP-Address = 10.20.30.40
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 10037
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wireless Network Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 266
Reason = The message received was unexpected or badly formatted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data: 0000: 26 03 09 80   &..?

 * An event that resembles the following Warning event may be logged on the IAS server:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date:
Time:
User:
Computer:
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Note By default, Secure Channel (Schannel) Warning events are not logged. For more information about how to configure logging for Schannel events, see the "More Information" section.

CAUSE
This problem may occur if the Web server or the IAS server contains many entries in the trusted root certification list. The server sends a list of trusted certificate authorities to the client if the following conditions are true:
 * The server uses the Transport Layer Security (TLS)/SSL protocol to encrypt network traffic.
 * Client certificates are required for authentication during the authentication handshake process.

This list of trusted certificate authorities represents the authorities from which the server can accept a client certificate. To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server's list.

Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 12,228 (0x3000) bytes.

Schannel creates the list of trusted certificate authorities by searching the Trusted Root Certification Authorities store on the local computer. Every certificate that is trusted for client authentication purposes is added to the list. If the size of this list exceeds 12,228 bytes, Schannel logs Warning event ID 36885. Then, Schannel truncates the list of trusted root certificates and sends this truncated list to the client computer.

When the client computer receives the truncated list of trusted root certificates, the client computer may not have a certificate that exists in the chain of a trusted certificate issuer. For example, the client computer may have a certificate that corresponds to a trusted root certificate that Schannel truncated from the list of trusted certificate authorities. Therefore, the IAS server cannot authenticate the client.
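The list-size limit described above, as an added example that is not from the article: it DER-encodes constructed CA names, packs them in the TLS CertificateRequest certificate_authorities format, cuts the list at 0x3000 bytes the way the article says Schannel does, and then checks which clients would still find an issuer from their chain in what was sent. The CA names, the store order and the cut-when-full behaviour are assumptions made for the example.

```python
import struct

SCHANNEL_LIST_LIMIT = 0x3000               # 0x3000 = 12288 bytes; the article prints it as 12,228
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(body)
    if n >= 0x80:  # long form: 0x8N followed by N length bytes
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(raw)]) + raw + body
    return bytes([tag, n]) + body

def der_name_cn(cn: str) -> bytes:
    """DER X.501 Name with one CN RDN: SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def build_trusted_issuer_list(names, limit=SCHANNEL_LIST_LIMIT):
    """Pack issuer Names as TLS certificate_authorities (RFC 2246 7.4.4): a 2-byte total length,
    then each DER Name behind its own 2-byte length. Encoding stops at the first Name that would
    push the body past `limit`; that models the truncation behind event 36885 (assumption)."""
    body, sent = b"", []
    for name in names:
        item = struct.pack("!H", len(name)) + name
        if len(body) + len(item) > limit:
            break
        body += item
        sent.append(name)
    return struct.pack("!H", len(body)) + body, sent, names[len(sent):]

def parse_trusted_issuer_list(blob: bytes):
    """Decode the wire form back into DER Names: this is the list the client actually sees."""
    (total,) = struct.unpack("!H", blob[:2])
    pos, end, names = 2, 2 + total, []
    while pos < end:
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        names.append(blob[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def client_can_authenticate(sent_list, client_chain_issuers) -> bool:
    """The client offers a certificate only if an issuer in its chain is on the list it received."""
    return any(issuer in sent_list for issuer in client_chain_issuers)

def constructed_root_store(count=150, cn_width=80):
    """Constructed stand-in for a Trusted Root CA store with long CA names (not real CAs)."""
    return [der_name_cn(f"Constructed Root CA {i:03d}".ljust(cn_width, ".")) for i in range(count)]

if __name__ == "__main__":
    blob, sent, dropped = build_trusted_issuer_list(constructed_root_store())
    print(f"{len(sent)} issuers sent in {len(blob)} bytes, {len(dropped)} truncated")
```

With 150 constructed roots of 93 DER bytes each, 129 fit under the limit and the remaining 21 are cut, so a client whose certificate chains to one of those 21 roots never sees its issuer in the request.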

RESOLUTION

Hotfix information
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1) or Windows Server 2003 Service Pack 2 (SP2) installed on the computer. For more information about how to obtain the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement
You have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File Information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003, Itanium-based versions with SP2
WORKAROUND
To work around this problem, use one of the following methods, as appropriate for your situation.

Method 1: Remove some trusted root certificates
If some of the trusted root certificates are not used in your environment, remove them from the Web server or from the IAS server. To do this, follow these steps:
 * 1) Click Start, click Run, type mmc, and then click OK.
 * 2) On the File menu, click Add/Remove Snap-in, and then click Add.
 * 3) In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
 * 4) Click Computer account, click Next, and then click Finish.
 * 5) Click Close, and then click OK.
 * 6) Under Console Root in the Microsoft Management Console (MMC) snap-in, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
 * 7) Remove trusted root certificates that you do not have to have. To do this, right-click a certificate, click Delete, and then click Yes to confirm the removal of the certificate.

Note There are some root certificates that are required by Windows. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

293781 Trusted root certificates that are required by Windows Server 2003, by Windows XP, and by Windows 2000

Method 2: Configure Group Policy to ignore the list of trusted certification authorities on the local computer
If the IAS server or the Web server is a member of a domain, you can create a policy to cause the server to ignore the list of trusted certification authorities on the local computer. When you apply this policy, affected servers and clients only trust certificates that are in the Enterprise Root Certification Authorities store. Therefore, you do not have to modify the individual computers.

Note This method works only if all the client computers are from the same Active Directory directory service domain or Active Directory forest. Group policy is not applied to computers that are not in the same Active Directory forest.

To create this policy, follow these steps.

Step 1: Create a Group Policy object
 * a) Log on to a domain controller, and then start the Active Directory Users and Computers tool. To do this, click Start, click Run, type dsa.msc, and then click OK.
 * b) Right-click the container in which you want to configure the Group Policy object, and then click Properties. For example, right-click the domain container, or right-click an organizational unit container.
 * c) Click the Group Policy tab, and then click New.
 * d) Type a descriptive name for the policy, and then press ENTER.
 * e) Click Edit to start the Group Policy Object Editor.
 * f) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
 * g) Right-click Trusted Root Certification Authorities, and then click Properties.
 * h) Click Enterprise Root Certification Authorities, and then click OK.
 * i) Exit the Group Policy Object Editor.
 * j) Click OK to close the Properties dialog box.

Step 2: Add root certificates to the "Trusted Root Certification Authorities" certificate store
 * a) Export any needed root certificates from the local computer store of the appropriate server. This includes root certificates for internal certification authorities (CAs) and root certificates for public certification authorities that your organization requires.
 * b) Log on to a domain controller, and then start the Active Directory Users and Computers tool.
 * c) Right-click the container that contains the Group Policy object that you created in the "Step 1: Create a Group Policy object" section, and then click Properties.
 * d) Click the Group Policy tab, click the Group Policy object, and then click Edit.
 * e) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
 * f) Right-click Trusted Root Certification Authorities, and then click Import.
 * g) Follow the steps in the Certificate Import Wizard to import the root certificate or the certificates that you exported in step 2a.
 * h) Exit the Group Policy Object Editor.
 * i) Click OK to close the Properties dialog box.

Note There are some root certificates that are required by Windows. You must add these certificates to the policy that you created. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

293781 Trusted root certificates that are required by Windows Server 2003, by Windows XP, and by Windows 2000

Method 3: Configure Schannel to no longer send the list of trusted root certificate authorities during the TLS/SSL handshake process
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

On the server that is running IIS or on the IAS server on which you experience this problem, set the following registry entry to false:

Value name: SendTrustedIssuerList

Value type: REG_DWORD

Value data: 0 (False)

By default, this entry is not listed in the registry, and the setting it controls defaults to 1 (True). This registry entry controls whether the server sends a list of trusted certificate authorities to the client. When you set this registry entry to False, the server does not send a list of trusted certificate authorities to the client. This behavior may affect how the client responds to a request for a certificate. For example, if Internet Explorer receives a request for client authentication, Internet Explorer displays only the client certificates that appear in the chain of one of the certification authorities that are in the list from the server. However, if the server does not send a list of trusted certificate authorities, Internet Explorer displays all the client certificates that are installed on the client computer.

To set this registry entry, follow these steps:
 * 1) Click Start, click Run, type regedit, and then click OK.
 * 2) Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

 * 3) On the Edit menu, point to New, and then click DWORD Value.
 * 4) Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
 * 5) Right-click SendTrustedIssuerList, and then click Modify.
 * 6) In the Value data box, type 0 if that value is not already displayed, and then click OK.
 * 7) Exit Registry Editor.

For more information about the SCHANNEL registry entry, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/3f98fdd9-ed64-49f7-9c20-a2d4581dfbea1033.mspx

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION
Windows Server 2003 is designed to automatically examine the list of trusted certification authorities on the Microsoft Windows Update Web site when you update root certificates. Windows then installs the appropriate root certificate when a user's program validates a certificate that chains to that root.

For more information about how Windows updates root certificates, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/04_s3cer.mspx

Note In Windows Server 2003, the list of certificate authorities cannot exceed 12,228 (0x3000) bytes. When you update root certificates, the list of trusted certificate authorities may increase significantly. Therefore, the list may become too long. In this case, Windows truncates the list. This behavior may cause problems with authorization. In this scenario, you may experience the problem that is described in the "Symptoms" section.

How to configure logging for Schannel events
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To configure Schannel to log Warning events in the System log, set the following registry entry:

Value name: EventLogging

Value type: REG_DWORD

Value data: 0x3

Note A value of 0x3 configures Schannel to log Warning events and Error events.

For more information about how to configure logging for Schannel events, click the following article number to view the article in the Microsoft Knowledge Base:

260729 How to enable Schannel event logging in IIS
