Jan 06 2013

Powershell: Monitor the trusted root certification authorities store, Event Schannel ID 36885-36887

The root update package KB931125, when applied might break the authentication process on servers using certificate based authentication: This problem was reported for LDAP over SSL authentication on a Domain Controller, IIS authentication on a webserver and IAS authentication on a Radius server (called Network Policy Server under Windows 2008). The symptoms, patch and workarounds of this issue are explained in this KB. The patch is only available under Windows 2003 and the root update package (KB931125) cannot be uninstalled via WSUS once applied.

We had the problem on Network Policy Server, on which the KB931125 added approximately 350 certificates to the computer’s trusted root certification authorities store. This server performs, among other things, WiFi authentication using the MS-ChapV2 protocol. The maximum size of the trusted certificate authorities list that the Schannel security package supports is 12.228 bytes. With 350 certificates we were above the limit: As a result the list of trusted root certificates was truncated and users were unable to authenticate. On the server’s eventlog you could see ID 36885 and 36887 source Schannel reporting the problem:

On this kind of server it could be useful to control what is present on the computer’s trusted root certification authorities store. This PowerShell script compares the content of the trusted root certification authorities store with a reference stored in a CSV file: In order to build the reference CSV file, launch the following commands on a server which will be your reference trusted root certification authorities store:

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
$store.certificates | select thumbprint, Issuer, Subject | export-csv RefCerts.csv

Once the RefCerts.csv is generated, download the following script and set up a scheduled task on the servers you want to monitor. The script removes the certificates which are not present in the RefCerts.csv file, using the compare-object cmdlet and by comparing each certificate’s thumbprint. If a certificate is present in the RefCerts.csv file but not in the trusted root certification authorities store, the information is logged in the log.txt file: You will have to install it manually or use a GPO.

Just download the script by clicking the link below:

Update: A fix was released by MS 12th January 2013 to correct this issue KB2801679.

This post is also available in: French


  • By Robert, April 26, 2013 @ 1:05 pm

    This is a great script – it solved my problem and it works as designed. Thanks.

  • By ldap389, April 26, 2013 @ 1:43 pm

    Hi Robert,

    You are welcome, have a good WE.

Other Links to this Post

RSS feed for comments on this post. TrackBack URI

Leave a comment


WordPress Themes

Blossom Icon Set

Software Top Blogs