Windows Server 2003 Does Not Use the DNS Name as Certificate Subject (275528)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Advanced Server, Limited Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q275528

SUMMARY

In Windows 2000, the Domain Name System (DNS) name of a computer is embedded as the subject in computer certificates used for computer and domain controller authentication. Windows 2000-based computers with DNS names that are longer than 64 characters are not automatically enrolled for computer certificates in Windows 2000-based and Windows Server 2003-based Enterprise Certificate Authorities.

In Windows Server 2003, the DNS name of the computer is not embedded as the subject. Therefore, Windows Server 2003-based computers do not encounter this problem.

MORE INFORMATION

The DNS name appears in the common name of the subject name in certificates that are issued by Windows 2000-based Certificate Authorities. This is an option that is supported by many Secure Sockets Layer (SSL) clients. The common name of the subject name is defined in the X.500 specification to have a maximum length of 64 characters, which conflicts with the DNS name-length limit of 255 characters. By editing the template in Windows Server 2003, it is possible to reinsert the subject field. However, this still does not function with DNS names that are longer than 64 characters.

The following event is generated if the automatic enrollment of a computer does not succeed on a Windows 2000-based computer because of a DNS name that is too long:
Event Type: Warning
Event Source: Winlogon
Event Category: None
Event ID: 1010
Date: 9/27/2000
Time: 2:30:41 PM
User: N/A
Computer: Computername
Description:
Automatic enrollment against the certification authority CertificateAuthorityName for a certificate of type DomainController has failed. (0x80094001) The request subject name is invalid or too long. Another certification authority will be tried.
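
The following Python example is added here and is not part of the original article or any Microsoft code. It parses an event exported in the text layout shown above, flags Winlogon 1010 entries that carry 0x80094001, and checks whether a computer's DNS name exceeds the 64-character common-name limit. The computer name DC01, the CA name ExampleCA, and all function names are constructed for illustration.

```python
import re

CN_MAX = 64          # common-name limit cited in the article
DNS_MAX = 255        # DNS name-length limit cited in the article
SUBJECT_INVALID = "0x80094001"  # error code shown in the event above

# Constructed sample, laid out like the event text in the article.
SAMPLE_EVENT = """\
Event Type: Warning
Event Source: Winlogon
Event Category: None
Event ID: 1010
Date: 9/27/2000
Time: 2:30:41 PM
User: N/A
Computer: DC01
Description:
Automatic enrollment against the certification authority ExampleCA for a certificate of type DomainController has failed. (0x80094001) The request subject name is invalid or too long. Another certification authority will be tried.
"""

DESC_RE = re.compile(
    r"certification authority (?P<ca>.+?) for a certificate of type "
    r"(?P<template>\S+) has failed\. \((?P<code>0x[0-9A-Fa-f]{8})\)")

def parse_event(text):
    """Split 'Key: value' header lines from the free-text description."""
    head, _, desc = text.partition("Description:")
    fields = {}
    for line in head.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if sep:
            fields[key.strip()] = value.strip()
    fields["Description"] = " ".join(desc.split())
    return fields

def subject_length_failure(fields):
    """Return (ca, template) for Winlogon 1010 events with 0x80094001, else None."""
    if fields.get("Event Source") != "Winlogon" or fields.get("Event ID") != "1010":
        return None
    m = DESC_RE.search(fields["Description"])
    if not m or m.group("code").lower() != SUBJECT_INVALID:
        return None
    return m.group("ca"), m.group("template")

def cn_too_long(fqdn):
    """True when a DNS name within the 255 limit cannot fit a 64-character CN."""
    name = fqdn.rstrip(".")
    return CN_MAX < len(name) <= DNS_MAX
```

Running `cn_too_long` over an inventory of computer DNS names identifies the Windows 2000-based machines that will log this event before automatic enrollment is attempted.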

Modification Type: Major
Last Reviewed: 12/3/2003
Keywords: kbCertServices kbinfo w2000certsrv KB275528