
= Windows Server 2003 Does Not Use the DNS Name as Certificate Subject =

Article ID: 275528

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Advanced Server, Limited Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q275528



SUMMARY
In Windows 2000, the Domain Name System (DNS) name of a computer is embedded as the subject in computer certificates used for computer and domain controller authentication. Windows 2000-based computers with DNS names that are longer than 64 characters are not automatically enrolled for computer certificates in Windows 2000-based and Windows Server 2003-based Enterprise Certificate Authorities.

In Windows Server 2003, the DNS name of the computer is not embedded as the subject. Therefore, Windows Server 2003-based computers do not encounter this problem.



MORE INFORMATION
The DNS name appears in the common name of the subject name in certificates that are issued by Windows 2000-based Certificate Authorities. Placing the DNS name in the common name is an option that many Secure Sockets Layer (SSL) clients support. The common name of the subject name is defined in the X.500 specification to have a maximum length of 64 characters, which conflicts with the DNS name-length limit of 255 characters. By editing the template in Windows Server 2003, it is possible to reinsert the subject field. However, this still does not work with DNS names that are longer than 64 characters.

The following event is generated if the automatic enrollment of a computer does not succeed on a Windows 2000-based computer because of a DNS name that is too long:

Event Type: Warning

Event Source: Winlogon

Event Category: None

Event ID: 1010

Date: 9/27/2000

Time: 2:30:41 PM

User: N/A

Computer:

Description:

Automatic enrollment against the certification authority  for a certificate of type DomainController has failed. (0x80094001) The request subject name is invalid or too long. Another certification authority will be tried.
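
The following Python sketch is an added example, not part of the original article or of any Microsoft tooling. It scans a text export of events in the layout shown above for Event ID 1010 failures that carry 0x80094001, and checks each affected computer's DNS name against the 64-character common-name limit. The sample export, the CA name ExampleCA, the computer names, the second error line, and the DNS-name lookup table are constructed for illustration; the example assumes the Computer field holds a short host name.

```python
import re

CN_MAX = 64                      # common-name limit cited in the article
SUBJECT_TOO_LONG = "0x80094001"  # error code shown in the article's event 1010

# Constructed sample export in the article's field layout. The computer names,
# CA name, second error text and DNS names are made up for illustration.
SAMPLE_EXPORT = """\
Event ID: 1010
Computer: DC01
Description:
Automatic enrollment against the certification authority ExampleCA for a certificate of type DomainController has failed. (0x80094001) The request subject name is invalid or too long. Another certification authority will be tried.

Event ID: 1010
Computer: WEB01
Description:
Automatic enrollment against the certification authority ExampleCA for a certificate of type Machine has failed. (0x80070005) Access is denied.
"""
SAMPLE_DNS = {  # hypothetical inventory: computer name -> DNS name
    "DC01": "dc01.branch-office-northwest.emea.manufacturing.corp.example-holdings.com",
    "WEB01": "web01.example.com",
}

def parse_events(text):
    """Split a text export into one dict of 'Field: value' pairs per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:")
        ev = dict(re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", head, re.M))
        ev["Description"] = " ".join(desc.split())
        events.append(ev)
    return events

def subject_length_failures(text, dns_names):
    """Return event 1010 failures whose error code is SUBJECT_TOO_LONG."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event ID") != "1010" or SUBJECT_TOO_LONG not in ev["Description"]:
            continue
        m = re.search(r"certificate of type (\S+)", ev["Description"])
        fqdn = dns_names.get(ev.get("Computer", ""), "")
        hits.append({
            "computer": ev.get("Computer", ""),
            "template": m.group(1) if m else None,
            "dns_name_length": len(fqdn),
            "exceeds_cn_limit": len(fqdn) > CN_MAX,
        })
    return hits
```

A hit with `exceeds_cn_limit` set to False means the error code matched but the recorded DNS name fits within 64 characters, so the subject name is invalid for some other reason or the inventory entry is missing.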

Keywords: kbcertservices kbinfo KB275528


© Microsoft Corporation. All rights reserved.