Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Event ID:  36885 - Schannel

Posted on 2013-12-12
4
Medium Priority
?
2,736 Views
Last Modified: 2013-12-18
My event system log is filling up with the following errors:

Log Name:      System
Source:        Schannel
Date:          12/12/2013 7:40:12 AM
Event ID:      36885
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      SDCHM400.corp.birkeys.com
Description:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


One of the fixes is to go through the Trusted Root Certification Authorities and remove any hosts that are not needed.  How do I determine what hosts can be removed?  

Is there an alternative fix to this?  I have to be careful as the Exchange server certificates are installed on this machine.
0
Comment
Question by:rudnicke
  • 2
4 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39715659
Any chance you're using Iphones and SBS (or a self signed cert?)
0
 

Author Comment

by:rudnicke
ID: 39716645
We are using iPhones but not SBS.  We did have a self signed cert in the beginning, but we now have a cert from Godaddy to handle Exchange access.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39716672
I see this all the time on my customers SBS servers where they are using Self Signed Certs.  Unfortunately the iPhone doesn't' require the phone to use SSL to make the connection to Exchange.  

If you're not getting complaints from users, I'd simply ignore it.
0
 
LVL 16

Accepted Solution

by:
cantoris earned 300 total points
ID: 39716768
This can be caused by installing the Trusted Roots Certificates updates on a server whereas it's only designed for clients.

If you look at the list of trusted roots you'll see all kinds of foreign ones you've never heard of.  If you're not visiting sites that are in those countries then those would seem a good place to start reducing the total number!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Log files are useful in diagnosing and repairing problems.  This is a list of common log files and their standard locations that I've compiled.   While this is not exhaustive, it is a pretty good list that I've found to be useful.  I may update it f…
This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permi…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question