TLS 1.2 Communication Problems with Excessive Root Certificates

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affectedAll


    This article describes an issue that can prevent web clients from connecting with a SecureAuth IdP Appliance over TLS 1.2, and how to resolve it.

    If the Windows Trusted Root Certification Authorities container grows too large, then it can exceed the Schannel security package limit. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certificate Authorities will go over the 16 KB limit, which cause TLS communication issues.



    If this condition is present on an appliance, then the following log entry is seen:

    Log System
    Source Schannel
    Event ID 36885



    When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.




    To resolve this issue, the Root Certification Authorities container must be pared down to stay within the 16 KB Schannel limit. Make sure to leave the following certificates in place so operation of the SecureAuth IdP Appliance is not impacted:

    NOTE: Removing a critical root certificate could negatively impact the operation of SecureAuth IdP, Microsoft IIS, or Windows Server

    SecureAuth strongly recommends backing up the SecureAuth IdP Appliance before modifying the Trusted Root Certification Authorities container

    1. Certificates required by the Windows Server Operating System (OS) to properly operate

    2. The SecureAuth Root Certificates

    • SecureAuth Root Certificate Authority
    • SecureAuth G3 Root Certificate Authority
    • MFA Root 3

    3. Any root certificates used by the organization


    Related Content:

    0 out of 0 found this helpful



    Please sign in to leave a comment.