What?!? Too many certificates?


Update: There’s a Microsoft KB Article on this subject: TLS client authentication fails between Unified Communications peers with a logged Schannel warning

So when running an SSL WCF (Windows Communication Foundation) web service, you may run into this error when connecting with your client:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

But you’ve checked everything and the certificates are correct; everything looks good, and it even works when you publish the code on other machines. So what’s wrong? Well, have you checked your event log? You might have too many trusted root certificates!

So filter your System logs to only include Schannel entries:

And look for entries that mention this:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Notice this part:

This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

That means you have too many certificates in your “Trusted Root Certification Authorities” store, and the one you are using relies on a root certificate that falls in the truncated portion of the list, so the client cannot find a certificate the server will accept. Delete the root certificates you don’t need and your client should work again!
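As an added example (not from the original post), here is a PowerShell script that runs the checks above on the server: it pulls the Schannel truncation warning from the System log, counts the Trusted Root CA store and lists expired roots as removal candidates, and confirms that the root your client certificate chains to is actually in that store. The thumbprint parameter is a placeholder you supply; the script only reports and never deletes anything.

```powershell
# Added diagnostic, not from the original post. Assumes Windows PowerShell 5.1+,
# run elevated on the server, and the thumbprint of the client certificate in use.
param(
    [string]$ClientCertThumbprint = 'REPLACE_WITH_THUMBPRINT'  # placeholder, not a real value
)

# 1. Pull Schannel entries from the System log and keep only the truncation
#    warning quoted in the post.
$truncWarnings = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'list has thus been truncated' }

if ($truncWarnings) {
    Write-Host ("Schannel truncation warnings found: {0}, latest at {1}" -f $truncWarnings.Count, $truncWarnings[0].TimeCreated)
} else {
    Write-Host 'No Schannel truncation warnings in the System log.'
}

# 2. Inventory the machine's Trusted Root CA store; this is the list Schannel
#    sends to clients as acceptable issuers during client authentication.
$roots = Get-ChildItem Cert:\LocalMachine\Root
Write-Host ("Trusted Root CAs in LocalMachine\Root: {0}" -f $roots.Count)

# Expired roots are the safest cleanup candidates; report them, do not delete.
$now = Get-Date
$roots | Where-Object { $_.NotAfter -lt $now } |
    Select-Object Subject, Thumbprint, NotAfter |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 3. Build the client certificate's chain and check whether its root is in the
#    store at all. If it is, the failure is consistent with that root sitting
#    beyond the truncation point rather than with a missing or wrong root.
$clientCert = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $ClientCertThumbprint } | Select-Object -First 1

if ($clientCert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the issuer path matters here
    [void]$chain.Build($clientCert)
    $rootOfClient = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inStore = $roots.Thumbprint -contains $rootOfClient.Thumbprint
    Write-Host ("Client cert chains to root '{0}'; present in LocalMachine\Root: {1}" -f $rootOfClient.Subject, $inStore)
} else {
    Write-Host 'Client certificate not found in LocalMachine\My or CurrentUser\My; check the thumbprint.'
}
```

Re-run the script after removing unneeded roots: the truncation warning should stop appearing on new connection attempts, and the store count is the number to watch.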
