• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1962
  • Last Modified:

Crypt32 Error in Event Viewer

Hi

I have this error on several Windows Server 2003 machines. I've updated the certificate list with the certificate cab file shown in the error log and it still occurs. Can anyone say they've seen it before and know what the cause is?

Event Type:                            Error
Event Source:      crypt32
Event Category:      None
Event ID:                           11
Date:            04/01/2010
Time:            09:29:54
User:            N/A
Computer:                            SERVER123
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain could not be built to a trusted root authority.
0
AdoBeebo
Asked:
AdoBeebo
  • 2
1 Solution
 
ParanormasticCryptographic EngineerCommented:
Sounds like it is having problems doing windows update to update the root certificate list accepted by Microsoft.  To download this manually, see this KB article, which updates every few months to reflect the current list:
http://support.microsoft.com/kb/931125

It may be that the server never got updated with the new MS root cert and so is having problems, or there could be a number of other issues.  Either way, this should fix it for now at least and quite possibly permanently, although it would be tough to say until the next update in a few months.

You could try downloading the last root certificate update to be more confident, which would be from May 09:
http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en

The current update is from Sept 09 - if updating the root store to a more current state is the fix, the May version should be good enough to confirm that by updating to the Sept 09 version, which will include the Startcom root (the first free SSL certificate provider).
0
 
AdoBeeboAuthor Commented:
I've tried updating the server with the downloaded package but it hasn't helped this time. The errors remain. This is a scanning server and scans are coming through very slowly (around 2-3 minutes each instead of 10-15 seconds). The scanners themselves look busy during this wait as if there is a delay in communication.
The machine was disjoined from the network last night and rejoined and the errors stopped but began again this morning when scan jobs began to go through. However that is the only correlation as there is not a Crypt32 error for every attempt to scan. Instead it looks like there are several Crypt32 errors per scan attempt starting shortly after an attempt to scan (under a minute) which eventually hits the event threshold and then there are no errors for an hour. So sometimes if the threshold is reached there is no Crypt32 error but the scanning is still just as slow.
0
 
ParanormasticCryptographic EngineerCommented:
Do you normally update via windows update?  if you normally patch manually then turn off windows update.  you can also try changing the windows update from 'recommended' to 'critical/high' for patches to install - root updates are recommended.

There seems to be a few of these coming up lately, the MS root store has gotten too big for 2003.  Removing some of the extraneous roots from the root store may help.  Similar post:
http://beta.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_25018147.html
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now