Solved

Event ID:  36885 - Schannel

Posted on 2013-12-12
4
2,372 Views
Last Modified: 2013-12-18
My event system log is filling up with the following errors:

Log Name:      System
Source:        Schannel
Date:          12/12/2013 7:40:12 AM
Event ID:      36885
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      SDCHM400.corp.birkeys.com
Description:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


One of the fixes is to go through the Trusted Root Certification Authorities and remove any hosts that are not needed.  How do I determine what hosts can be removed?  

Is there an alternative fix to this?  I have to be careful as the Exchange server certificates are installed on this machine.
0
Comment
Question by:rudnicke
  • 2
4 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39715659
Any chance you're using Iphones and SBS (or a self signed cert?)
0
 

Author Comment

by:rudnicke
ID: 39716645
We are using iPhones but not SBS.  We did have a self signed cert in the beginning, but we now have a cert from Godaddy to handle Exchange access.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39716672
I see this all the time on my customers SBS servers where they are using Self Signed Certs.  Unfortunately the iPhone doesn't' require the phone to use SSL to make the connection to Exchange.  

If you're not getting complaints from users, I'd simply ignore it.
0
 
LVL 16

Accepted Solution

by:
cantoris earned 100 total points
ID: 39716768
This can be caused by installing the Trusted Roots Certificates updates on a server whereas it's only designed for clients.

If you look at the list of trusted roots you'll see all kinds of foreign ones you've never heard of.  If you're not visiting sites that are in those countries then those would seem a good place to start reducing the total number!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hallo! I guess almost every Windows Administrator must have got stumped with this question "Where does WINDOWS store a users cached credentials? Every user who had once logged onto a Server/Desktop while it was connected to the domain could sti…
In a hurry?.. scroll down to "HERE's HOW TO DO IT" Section. Greetings All, I was going to post this as question/solution, but its seems more appropriate as an article considering its length.  I felt it important to illucidate all the details c…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now