Today I hit an issue at a customer where Communicator could not log in with TLS. In the event log and a Communicator trace we would see 0x80090308 errors, which translates to SEC_E_INVALID_TOKEN. Also, communication between the existing OCS R1 and the new R2 server would fail in one direction – R1 users could not reply to R2 IMs. The R1 servers reported the same 0x80090308 error.
Log Name: Application
Date: 5/6/2009 9:32:16 AM
Event ID: 5
Task Category: None
Computer: <Computer Name>
Communicator could not connect securely to server <ocspool> because the certificate presented by the server was not trusted due to validation error 0x80090308. The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
Upon further investigation we discovered the following error in the System event log of the R2 server:
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Time: 8:42:26 AM
Computer: <Server Name>
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
The Trusted Root certificate store had almost 300 certificates listed because this customer had been diligent in applying the root certificate updates that are published periodically. We deleted a large number of certificates that were not needed and ended up with around 120. Once this was done all communication completed successfully.
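The size of that truncated list is something you can estimate before you start deleting roots. The following PowerShell is an added example, not code from the original post: it counts the certificates in the machine's Trusted Root store, estimates how many bytes the TLS CertificateRequest certificate_authorities field built from them would occupy (each entry is a 2-byte length plus the DER-encoded subject name, RFC 5246 section 7.4.4), lists expired roots as safe removal candidates, and shows whether the Schannel SendTrustedIssuerList value is set. The 16 KB threshold is an assumed working figure for illustration; the page does not state the exact limit at which Schannel truncates.

```powershell
# Added example (not from the original post). Run in an elevated Windows
# PowerShell session on the server that logged Schannel event 36885.
# Assumption: the 16 KB threshold is illustrative, not a figure from the page.

$ThresholdBytes = 16KB

$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# Wire size of the certificate_authorities list: a 2-byte list length, then
# for each root a 2-byte length followed by its DER-encoded subject name.
$listBytes = 2
foreach ($c in $roots) {
    $listBytes += 2 + $c.SubjectName.RawData.Length
}

"Trusted Root certificates  : {0}" -f $roots.Count
"Estimated issuer list bytes: {0} (assumed threshold {1})" -f $listBytes, $ThresholdBytes
if ($listBytes -gt $ThresholdBytes) {
    Write-Warning "Issuer list is likely to be truncated (Schannel event 36885)."
}

# Expired roots are the lowest-risk removals; everything else needs a manual
# review against the CAs your clients, peers and servers actually chain to.
$now = Get-Date
$expired = $roots | Where-Object { $_.NotAfter -lt $now } | Sort-Object NotAfter

"Expired roots ({0}):" -f @($expired).Count
$expired | Select-Object Thumbprint, NotAfter, Subject | Format-Table -AutoSize

# Largest contributors to the list, so you can see which removals buy the most.
"Largest subject names:"
$roots | Sort-Object { $_.SubjectName.RawData.Length } -Descending |
    Select-Object -First 10 `
        @{n='Bytes';e={ $_.SubjectName.RawData.Length }}, Thumbprint, Subject |
    Format-Table -AutoSize

# Schannel can be told not to send the issuer list at all. A value of 0 here
# disables it; absent or 1 means the list is sent (and may be truncated).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$sendList = (Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($null -eq $sendList) {
    "SendTrustedIssuerList: not set (issuer list is sent)"
} else {
    "SendTrustedIssuerList: {0}" -f $sendList
}

# Back up each root before removing it, e.g. for one thumbprint of your choosing:
#   Export-Certificate -Cert Cert:\LocalMachine\Root\<thumbprint> -FilePath C:\rootbackup\<thumbprint>.cer
#   Remove-Item -Path Cert:\LocalMachine\Root\<thumbprint>
```

Run the script once before and once after pruning to confirm the estimated list size has dropped, and keep the exported .cer files so any root you removed by mistake can be re-imported with Import-Certificate. Do not remove a root just because no local certificate chains to it: a client-side Trusted Root store also has to trust the CAs of the servers it connects to.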
Subsequently we discovered a KB article related to IAS that also addresses this issue:
We did not contact PSS to acquire the hotfix so I can’t speak to whether or not it would have corrected the issue.