Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS

Assume the following scenario:

  • The Certification Authority cannot issue certificates and/or
  • The Certification Authority cannot issue revocation lists.
  • At least one of the following error messages is logged:

Event ID: 53 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services denied request 12345 because An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions. 0x8009400f (-2146877425 CERTSRV_E_NO_DB_SESSIONS). The request was for CN=Rudi Ratlos. Additional information: Denied by Policy Module

Event ID: 130 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services could not create a certificate revocation list. An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions 0x8009400f (-2146877425). This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

Requesting clients may receive the following error message:

CCertRequest::Submit: Version store out of memory (cleanup already attempted) 0xc800042d (ESE:-1069 JET_errVersionStoreOutOfMemory)

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Both errors can occur if too many concurrent sessions are active on the certification authority database. Each transaction performed by the certification authority itself corresponds to a database session, as do calls with certutil.exe and other applications against the certification authority database.

The maximum number of concurrent accesses to the certification authority database can be configured via two registry values below the following key:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
ValueDefault valueDescription
DBSessionCount0x64 (100) since Windows Server 2008Concept of the underlying JET database. Determines the JET_paramMaxSessions parameter which the CA service sets on the database. If no more sessions are available JetBeginSession fail with the error JET_errOutOfSessions.
DBMaxReadSessionCountNot set. Determined from DBSessionCount divided by 10.Certification authority concept. Determines the maximum number of simultaneous reading (ICertView interface) Database Sessions.

Both values should only be changed if there is a specific need. It makes more sense to determine and eliminate the cause of the many open database sessions.

Preferably, the DBSessionCount value should be adjusted. An increase to approx. 250 to 500 should enable the simultaneous processing of approx. 1,000 certificate requests per second.

Setting/changing DBMaxReadSessionCount is usually not useful, since it is automatically determined based on the value of DBSessionCount.

Changing the values becomes effective only after restarting the certification authority service.

Also, opening (or leaving open in an inactive session) the Certificate Authority Management Console increases the number of active (read) database sessions.

The number of active database sessions can also be determined by Disabling the "Windows Default" Exit Module (if it is not used) can be reduced.

Both values generate the same error code when exceeded, regardless of which one was actually exceeded.

Related links:

External sources

en_USEnglish