Certificate Services Client: Credential Roaming has failed. Error code 1381

  • Question

  • I'm getting this error when user certificates try to roam, but only for our IT administrator accounts.  Not domain admins, but delegated rights as needed.  And our actual domain admin accounts (very few) roam certificates properly.

    The certificates don't roam at all from AD to the local computer, and this error is generated.  Schema is 2008 R2, single domain, single forest.  Clients tested with multiple accounts are Windows 7, 8.1, 10, Server 2008 R2, Server 2012 R2.

    If I remove all published certificates from the AD account, the next logon will generate a new autoenroll certificate, and that will get published to the AD account.  But it won't roam to any clients after that.

    Also, we recently replaced our PKI and all new certificates are sha256 2048 bit.  But I do not know if this problem was occurring before the new PKI.

    Regular users are roaming certificates with no problem, so this doesn't actually affect anything important yet.  But we are rolling out 802.1x authentication on many of our wired networks this year, and this could potentially become an issue.

    I can't find information on this error so far.  Does anyone know what this means, so I can know where to start troubleshooting?

    Log Name:      Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
    Source:        Microsoft-Windows-CertificateServicesClient-CredentialRoaming
    Date:          6/16/2016 8:29:23 AM
    Event ID:      1001
    Task Category: None
    Level:         Error
    Keywords:     
    User:          xxxx
    Computer:      xxxx
    Description:
    Certificate Services Client: Credential Roaming has failed. Error code 1381
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CredentialRoaming" Guid="{89A2278B-C662-4AFF-A06C-46AD3F220BCA}" />
        <EventID>1001</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2016-06-16T13:29:23.186544800Z" />
        <EventRecordID>16</EventRecordID>
        <Correlation />
        <Execution ProcessID="3408" ThreadID="2808" />
        <Channel>Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational</Channel>
        <Computer>xxxx</Computer>
        <Security UserID="xxxx" />
      </System>
      <UserData>
        <Err xmlns="http://www.microsoft.com/Windows/CertificateServicesClient/CredentialRoaming/Event">
          <ErrorCode>1381</ErrorCode>
        </Err>
      </UserData>
    </Event>

    Thursday, June 16, 2016 1:59 PM

Answers

  • C:\Users\Mark>certutil -error 1381
    0x565 (WIN32: 1381 ERROR_TOO_MANY_SECRETS) -- 1381 (1381)
    Error message text: The maximum number of secrets that may be stored in a single system has been exceeded.
    CertUtil: -error command completed successfully.

    What is the GPO for Credential Roaming set to? How many credentials are allowed to be roamed? 


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    • Marked as answer by Jason224 Thursday, June 16, 2016 5:45 PM
    Thursday, June 16, 2016 3:19 PM

All replies

  • Thanks, that gives me some clues on where to look.

    Maximum tombstone credentials lifetime in days: 60

    Maximum number of roaming credentials per user: 2000

    Maximum size (in bytes) of a roaming credential: 65535

    Roam stored user names and passwords: disabled

    All options on the Filters tab are disabled.

    The user account I'm testing with only has one certificate in the AD account.  Although it used to have several, which were deleted from the AD account, because they were only used for some testing and no longer needed.

    Maybe I'll try increasing one or more of these parameters and see what happens.

    Thursday, June 16, 2016 3:32 PM
  • Thanks Mark, your response gave me the bit of info I needed to figure this out.

    Using this command I was able to determine that the account I'm testing with contains 2070 credentials.

    ldifde.exe -s %LOGONSERVER% -f cscverify.ldf -r "(cn=USERNAME)" -l msPKIAccountCredentials,msPKIRoamingTimeStamp,msPKIDPAPIMasterKeys

    Other problem accounts (IT admin accounts) are similar, many of them close to 3000.  Regular users are MUCH lower.  Older IT non-admin user accounts are up to 1300 or so, but nobody outside of IT seems to be over a few hundred.

    Now I need to decide if I want to purge those credentials or increase the value of "Maximum number of roaming credentials per user".  I'll probably just increase the value in a GPO specific to this set of user accounts.

    Thursday, June 16, 2016 5:03 PM
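The ldifde export from the command above writes one msPKIAccountCredentials line per roamed credential, so counting those lines per user is how the 2070 figure is obtained. The following is an added example, not Jason's code: it unfolds the LDIF continuation lines, counts the attribute per entry and flags users above the GPO limit. The sample export, its DNs and its credential values are constructed, and the "B:<len>:<hex>:<DN>" value layout is assumed; the count only depends on the attribute name.

```python
"""Count roamed credentials per user in an ldifde export (added example, not the
poster's code; DNs and credential values in SAMPLE_LDF are constructed)."""
import base64

ROAMING_LIMIT = 2000  # GPO "Maximum number of roaming credentials per user"

# Constructed sample: jdoe has two credentials, the second folded over two lines.
SAMPLE_LDF = """\
dn: CN=jdoe,OU=IT,DC=example,DC=com
changetype: add
msPKIAccountCredentials: B:16:0102030405060708:CN=jdoe,OU=IT,DC=example,DC=com
msPKIAccountCredentials: B:16:1112131415161718:CN=jdoe,OU=IT,DC=exampl
 e,DC=com
msPKIDPAPIMasterKeys: B:8:AABBCCDD:CN=jdoe,OU=IT,DC=example,DC=com

dn: CN=asmith,OU=Staff,DC=example,DC=com
changetype: add
msPKIAccountCredentials: B:16:2122232425262728:CN=asmith,OU=Staff,DC=example,DC=com
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def count_attribute(text, attr="msPKIAccountCredentials"):
    """Map each entry DN to its number of attr values; ldifde writes one
    'attr: value' line per value of a multi-valued attribute."""
    counts, dn = {}, None
    for line in unfold(text):
        if not line.strip():
            dn = None  # blank line ends the entry
        elif line.lower().startswith("dn:"):
            val = line.split(":", 1)[1]  # 'dn:: <base64>' for non-ASCII DNs
            dn = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
            counts.setdefault(dn, 0)
        elif dn is not None and line.split(":", 1)[0].strip().lower() == attr.lower():
            counts[dn] += 1  # matches 'attr:' and base64 'attr::' alike
    return counts

def over_limit(counts, limit=ROAMING_LIMIT):
    """Users above the GPO limit; these are the accounts that log error 1381."""
    return {dn: n for dn, n in counts.items() if n > limit}
```

ldifde writes the file as ANSI by default and as UTF-16 when run with -u, so decode cscverify.ldf accordingly before passing its text to count_attribute.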
  • Jason - how did you find the number of shared credentials from the LDF file?  When I open it up in notepad, it just shows a bunch of "data" but I did not see anywhere that suggests a "count" of the credentials.  Unless I missed something.

    I am an IT admin and my roaming credentials no longer work.  I am getting the error code 1381 as well, but I would like to know how far beyond the 2000 max credentials I have gone.

    Thanks

    NK


    • Edited by NJK-Work Tuesday, June 25, 2019 9:55 PM
    Tuesday, June 25, 2019 9:47 PM