Source

Level

Description

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the  certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Comments

 

See ME933430 for information about this event.

On Windows 2003 server with IIS, delete some of the trusted root certificates in the trusted root store for the machine that you are not using in your environment.

1. Add the Certificates snap-in to the Microsoft Management Console.

a. Click the Start button, click Run, type mmc, and click OK.
b. Click the File menu, and select Add\Remove Snap-in.
c. Click the Add button, then select the Certificates snap-in and click Add
d. Select Computer Account and click Next
e. Click Finish.
f. Click Close.
g. Click OK.

2. Expand Certificates (Local Computer).
3. Expand Trusted Root Certification Authorities.
4. Click on Certificates.
5. Backup and then delete trusted root certificates that you are not using in your environment.

NOTE: There are some root certificates that are required by Windows. See ME293781 to see the trusted root certificates that are required by Windows Server 2003, by Windows XP, and by Windows 2000.

Note In Windows Server 2003, the issuer list cannot be greater than 0x3000. When you update root certificates, the list of trusted CAs increases significantly in size and may cause the list to grow too long. The list then gets truncated and may cause problems with authorization. See ME931125 for details.