AD LDS and ADAM: Publishing a Certificate Revocation List (CRL) to the Directory Fails
Symptoms
- Publishing a certificate revocation list (CRL) to AD LDS or ADAM fails.
- The failure occurs regardless of the publishing method, for example certutil.exe or a directory synchronization tool.
Event log
You may see events similar to the following:
Event ID 1216
Log Name: ADAM (Instance-Name)
Source: ADAM [Instance-Name] LDAP
Date: 3/23/2011 9:51:09 AM
Event ID: 1216
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: N/A
Computer: DNS-Name
Description:
Internal event: An LDAP client connection was closed because of an error.
Client IP:
192.168.1.5:12345
Additional Data
Error value:
8 Not enough storage is available to process this command.
Internal ID:
c0604cb
Event ID 1535
Log Name: ADAM (Instance-Name)
Source: ADAM [Instance-Name] LDAP
Date: 3/23/2011 9:51:09 AM
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DNS-Name
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
00000008: LdapErr: DSID-0C0604D1, comment: The server did not have enough resources to process the request, data 0, v1db0
Cause
The CRL is larger than the LDAP interface of the instance accepts (the MaxReceiveBuffer LDAP policy), and it also exceeds the maximum size defined for the certificateRevocationList attribute in the schema (its rangeUpper value).
Resolution
You need to make two changes:
- Change the MaxReceiveBuffer size for the AD LDS/ADAM instance so that it accepts a request larger than the largest CRL you expect to publish. The default setting is 10 MB.
- Change the rangeUpper value for the certificateRevocationList attribute in the AD LDS/ADAM schema to a size larger than the largest CRL you expect to publish. The default setting is 10 MB.
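As an added example that is not part of the original article, the following PowerShell script reads both limits from a running instance and compares them with the size of the CRL file before you try to publish it. It assumes the instance listens on localhost:389, that the caller can read the Configuration and Schema partitions, that the instance uses the Default Query Policy (the same container path as in AD DS), and that $CrlPath is adjusted to your CRL file.

```powershell
# Added example (not from the original article): pre-publication check that a CRL
# fits within both AD LDS/ADAM limits named in the Resolution section.
# Assumptions: instance at $Server:$Port, read access to the Configuration and
# Schema partitions, Default Query Policy in use, $CrlPath points at the CRL.
param(
    [string]$Server  = 'localhost',
    [int]   $Port    = 389,
    [string]$CrlPath = 'C:\CRLs\Issuing-CA.crl'   # placeholder path
)

Add-Type -AssemblyName System.DirectoryServices

# Size of the DER/Base64 CRL file as it would be written to the attribute.
$crlBytes = (Get-Item -LiteralPath $CrlPath).Length

# rootDSE tells us where the Configuration and Schema partitions of this instance live.
$rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# Limit 1: rangeUpper on the certificateRevocationList attribute definition.
$schemaSearcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://${Server}:${Port}/$schemaNc",
    '(lDAPDisplayName=certificateRevocationList)',
    [string[]]@('rangeUpper'))
$rangeUpper = [int64]$schemaSearcher.FindOne().Properties['rangeupper'][0]

# Limit 2: MaxReceiveBuffer from the instance's LDAP query policy.
# lDAPAdminLimits is multi-valued, one "Name=Value" string per policy setting.
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNc"
$policy   = [ADSI]"LDAP://${Server}:${Port}/$policyDn"
$maxRecv  = $policy.lDAPAdminLimits |
            Where-Object { $_ -like 'MaxReceiveBuffer=*' } |
            ForEach-Object { [int64]($_ -split '=', 2)[1] }

# Both checks must pass; either one failing reproduces the 1216/1535 events above.
[pscustomobject]@{
    CrlBytes             = $crlBytes
    RangeUpper           = $rangeUpper
    MaxReceiveBuffer     = $maxRecv
    FitsRangeUpper       = $crlBytes -le $rangeUpper
    FitsMaxReceiveBuffer = $crlBytes -le $maxRecv
}
```

If either check reports $false, raise the corresponding limit as described in the Resolution: MaxReceiveBuffer through the dsmgmt.exe "LDAP policies" menu, and rangeUpper on the attributeSchema object for certificateRevocationList, followed by a schemaUpdateNow on rootDSE so the new limit takes effect without a restart.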