——– Original Message ——–
Subject: Warning: Problems With Root Certificates Update, KB931125
Date: Thu, 01 Mar 2007 06:30:23 -0800
From: spm <nospam@coco.dot.co.dot.uk>
Organization: CoCo Systems Ltd.
Newsgroups: microsoft.public.windows.server.sbs

We updated our SBS 2003 yesterday with the KB931125 “Root Certificates
Update” dated 27th Feb. 2007, and now after rebooting we encounter
schannel error 36885 in the event log, which states:

“When asking for client authentication, this server sends a list of
trusted certificate authorities to the client. The client uses this
list to choose a client certificate that is trusted by the server.
Currently, this server trusts so many certificate authorities that the
list has grown too long. This list has thus been truncated. The
administrator of this machine should review the certificate authorities
trusted for client authentication and remove those that do not really
need to be trusted.”

There is little info of help around the ‘net that I can find (and none
from MS at all), except that this issue has caused problems for a
number of W2K3-based servers whereby clients can no longer
authenticate. We don’t seem to be experiencing such errors, but it
appears that some of you may well. This update is not removable, so it
seems the only resolution appears to be to manually delete unwanted CAs
from the server’s Trusted Root CAs list (say, unused ‘foreign’ ones).

Hopefully MS will come up with a fix for this soon.


Both Owen and Dave saw this and Dave reported:

This turned out to be a horked up Domain Controller certificate on the SBS.  I deleted a fair number of certs, and the schannel error seems to have gone away, but wireless still would not work.  I noticed that the certificate properties on some of the client PCs appeared not to match the cert on the server, so I deleted the domain controller cert from a client.  Auto enrollment did not put it back, but it didn’t log any errors either. 


I deleted the cert on the server and recreated it with the same name, at which point everything just started working – the client where I had deleted the original cert auto enrolled the new one, and the rest of the clients just connected.  (When you delete the cert, that changes the IAS policy to point to the next cert on the list, so you do have to go back into the RADIUS policy in IAS and fix that).


Interestingly, after I deleted the expired certificates on the SBS, crypt32 went out and updated the list, including that it put back one of the expired certificates.  (I’m sure I had deleted that one, and crypt32 logged when it added it back in).  Apparently it checks whenever the Certificate Services service starts.  So it appears that you can do whatever you want with those root certs, and if you delete one that’s on the current list, crypt32 will put it back as long as the server is configured for root certificate update.  Not sure how much I’d want to bet on being able to delete those with impunity, but that’s what it looks like.


This would have been a lot easier if the schannel error messages were more descriptive or better documented.


Note In Windows Server 2003, the issuer list cannot be greater than 0x3000. When you update root certificates, the list of trusted CAs increases sigficantly in size and may cause the list to grow too long. The list then gets truncated and may cause problems with authorization. This behavior may also cause schannel event ID 36885.

Source : http://support.microsoft.com/kb/931125


On the Windows 2003 server with IIS, delete some of the trusted root certificates in the trusted root store for the machine that you are not using in your environment.


1. Add the Certificates snap-in to the Microsoft Management Console.


a. Click the Start button, click Run, type mmc, and click OK.

b. Click the File menu, and select Add\Remove Snap-in.

c. Click the Add button, then select the Certificates snap-in and click Add

d. Select Computer Account and click Next

e. Click Finish.

f. Click Close.

g. Click OK.


2. Expand Certificates (Local Computer).

3. Expand Trusted Root Certification Authorities.

4. Click on Certificates.

5. Backup and then delete trusted root certificates that you are not using in your environment.


NOTE: There are some root certificates that are required by Windows. Please review the following article for more information:


293781 Trusted root certificates that are required by Windows Server 2003, by Windows XP, and by Windows 2000



One Response to Warning: Problems With Root Certificates Update, KB931125

  1. Andy says:

    I got the same message about a week ago on my Windows Home Server and logged a bug report in the WHS tracking database as I couldn’t find any details on it. Not had any response back from them though but as a new WHS server I wouldn’t have thought it would need many server certificates anyway (and there are no other dc’s to connect with.