Event ID 60 — AD CS Access Control

Updated: July 8, 2009

Applies To: Windows Server 2008 R2

red

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

Event Details

Product: Windows Operating System
ID: 60
Source: Microsoft-Windows-CertificationAuthority
Version: 6.1
Symbolic Name: MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK
Message: Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via
certutil -setreg CA\MaxIncomingMessageSize <bytes>.

Unless verbose logging is enabled, this error will not be logged again for 20 minutes.

Resolve

Address an attempt to submit a long certificate request

Extremely long certificate requests can represent an attempt to launch a denial-of-service attack.

The source should be identified in the event log message. You should also review information about all failed certificate requests to detect whether there have been other unusual certificate requests.

To address this potential problem:

  • Review failed certificate requests to determine whether or not the failed request is from a known or trusted source.
  • If the request was rejected in error, modify the MaxIncomingMessageSize setting in the registry to allow larger certificate requests.
  • If the request was not rejected in error, identify the source of the request and prevent requests from being submitted from that source.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Review failed certificate requests

To review failed certificate requests:

  1. COn the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. Examine the failed requests contained in the Failed Requests folder and determine wether it came from a trusted source.
  3. You can also open a command prompt window and run the following command: certutil -view LogFail.
  4. If the request was from a legitimate source but rejected because it was too large, you can increase the maximum message size using the following procedure, or have the certificate requester submit a new certificate request.

Modify maximum message size

The default maximum message size setting is 10,000 bytes. If during your review of failed certificate requests in the previous procedure you detect legitimate certificate requests that were rejected because they exceeded this value, consider increasing this registry setting to a value that will allow similar requests to succeed.

To modify the maximum message size:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. On the computer hosting the CA, click Start, type cmd and press ENTER.
  2. Type certutil -setreg CA\MaxIncomingMessageSize <bytes> and press ENTER.

Verify

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To confirm that the CA logon context is correct:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
  2. Confirm that the word Started  appears in the Status belong for the Active Directory Certificate Services service.

Related Management Information

AD CS Access Control

Active Directory Certificate Services

Community Additions

ADD
Show: