Skip to main content

TLS 1.2 Communication Problems with Excessive Root Certificates

Applies to

SecureAuth IdP 6.0.0 or later running on Windows Server 2003 or greater.

Introduction

This article describes an issue that can prevent web clients from connecting with a SecureAuth IdP Appliance over TLS 1.2, and how to resolve it.

Discussion

Cause

If the Windows Trusted Root Certification Authorities container grows too large, then it can exceed the Schannel security package limit. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certificate Authorities will go over the 16 KB limit, which cause TLS communication issues.

Symptoms

If this condition is present on an appliance, then the following log entry is seen:

Log

System

Source

Schannel

Event ID

36885

Message

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Resolution

To resolve this issue, the Root Certification Authorities container must be pared down to stay within the 16 KB Schannel limit. Make sure to leave the following certificates in place so operation of the SecureAuth IdP Appliance is not impacted:

Warning

Removing a critical root certificate could negatively impact the operation of SecureAuth IdP, Microsoft IIS, or Windows Server

SecureAuth strongly recommends backing up the SecureAuth IdP Appliance before modifying the Trusted Root Certification Authorities container

1. Certificates required by the Windows Server Operating System (OS) to properly operate

2. The SecureAuth Root Certificates

  • SecureAuth Root Certificate Authority

  • SecureAuth G3 Root Certificate Authority

  • MFA Root 3

3. Any root certificates used by the organization

In this section: