Assume the following scenario:
- The Certification Authority cannot issue certificates and/or
- The Certification Authority cannot issue revocation lists.
- At least one of the following error messages is logged:
Event ID: 53 (Microsoft-Windows-CertificationAuthority)
Active Directory Certificate Services denied request 12345 because An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions. 0x8009400f (-2146877425 CERTSRV_E_NO_DB_SESSIONS). The request was for CN=Rudi Ratlos. Additional information: Denied by Policy Module
Event ID: 130 (Microsoft-Windows-CertificationAuthority)
Active Directory Certificate Services could not create a certificate revocation list. An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions 0x8009400f (-2146877425). This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
Both errors can occur if too many concurrent sessions are active on the certification authority database. Each transaction performed by the certification authority itself corresponds to a database session, as do calls with certutil.exe and other applications against the certification authority database.
The maximum number of concurrent accesses to the certification authority database can be configured via two registry values below the following key:
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
| Value | Default value | Description |
|---|---|---|
| DBSessionCount | 0x64 (100) since Windows Server 2008 | Concept of the underlying JET database. Determines the JET_paramMaxSessions parameter which the CA service sets on the database. If no more sessions are available JetBeginSession fail with the error JET_errOutOfSessions. |
| DBMaxReadSessionCount | Not set. Determined from DBSessionCount divided by 10. | Certification authority concept. Determines the maximum number of simultaneous reading (ICertView interface) Database Sessions. |
Both values should only be changed if there is a specific need. It makes more sense to determine and eliminate the cause of the many open database sessions.
Preferably, the DBSessionCount value should be adjusted. An increase to approx. 250 to 500 should enable the simultaneous processing of approx. 1,000 certificate requests per second.
Setting/changing DBMaxReadSessionCount is usually not useful, since it is automatically determined based on the value of DBSessionCount.
Changing the values becomes effective only after restarting the certification authority service.
Also, opening (or leaving open in an inactive session) the Certificate Authority Management Console increases the number of active (read) database sessions.
The number of active database sessions can also be determined by Disabling the "Windows Default" Exit Module (if it is not used) can be reduced.
Both values generate the same error code when exceeded, regardless of which one was actually exceeded.
Related links:
External sources
- JetBeginSession Function (Microsoft)
- ADCS sessions (Microsoft Technet Forums)
- Tweaking ADCS performance (Microsoft)
- Tuning CA Database Performance (Microsoft)
- ICertView interface (certview.h) (Microsoft)
English 
Deutsch
3 thoughts on “Die Ausstellung von Zertifikaten oder Sperrlisten schlägt fehl mit Fehlercode CERTSRV_E_NO_DB_SESSIONS”
Comments are closed.