
Tag Archives: ldap


The recent root certificate update from Microsoft (http://support.microsoft.com/kb/931125) can break LDAP over SSL authentication if applied.

The update adds 300+ additional root certificates to the server. If you apply it to a domain controller that is also used as an LDAP over SSL server, it can cause authentication issues for clients.

This issue is explained in http://support.microsoft.com/kb/933430; it is dumb that the original KB does not mention it, since the two belong together.

In short this is the issue:

This list of trusted certificate authorities represents the authorities from which the server can accept a client certificate. To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server’s list.

Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 12,228 (0x3000) bytes.

Schannel creates the list of trusted certificate authorities by searching the Trusted Root Certification Authorities store on the local computer. Every certificate that is trusted for client authentication purposes is added to the list. If the size of this list exceeds 12,228 bytes, Schannel logs Warning event ID 36855. Then, Schannel truncates the list of trusted root certificates and sends this truncated list to the client computer.

So if the CA that issued the client's certificate sits towards the end of the list and falls into the truncated part, the client cannot authenticate. Check KB933430 for the workaround.
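To see whether a DC is likely to hit this limit before clients start failing, the following PowerShell script (an added example, not from the original post or from Microsoft) estimates the size of the trusted-CA list Schannel would send and checks the System log for the warning event 36855 mentioned above. It assumes the list is built from the DER-encoded subject name of every root trusted for client authentication, each prefixed with a 2-byte length as in the TLS CertificateRequest message; the enumeration order of the store is also an assumption, so treat the result as an estimate rather than the exact list Schannel builds.

```powershell
# Added example: estimate the certificate_authorities list size Schannel would send
# (assumed model: 2-byte length + DER subject name per root trusted for client auth)
# and compare it with the 12,228-byte limit described in KB933430.
$Limit = 12228
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A root without an EKU extension is trusted for all purposes, including client auth
    (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

$total = 0
$firstCut = $null
foreach ($cert in $roots) {
    $entry = 2 + $cert.SubjectName.RawData.Length      # length prefix + DER-encoded DN
    if (-not $firstCut -and ($total + $entry) -gt $Limit) { $firstCut = $cert }
    $total += $entry
}

"Roots trusted for client authentication : {0}" -f @($roots).Count
"Estimated trusted-CA list size          : {0} bytes (limit {1})" -f $total, $Limit
if ($firstCut) {
    "WARNING: list exceeds the limit; first CA that would be cut off (store order): {0}" -f $firstCut.Subject
} else {
    "OK: list fits within the Schannel limit"
}

# Authoritative signal: Schannel logs event ID 36855 when it actually truncates the list
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36855 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run it in an elevated PowerShell session on the domain controller that serves LDAP over SSL; an empty event result together with an estimate under the limit means the update has not pushed the server over the threshold yet.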

KB931125: Root certificate update causes issue with LDAP SSL authentication


Posted on October 23, 2012 in Windows
