[8.0] Self-signed certificates flood Windows Security event log

[ds185287]

I would like to re-open discussion about backporting the fix for #100774 into .NET 8, as we have been getting more reports about impact of the audit logs to site oprations.

@ds185287 for a 8.0 backport, we would need more details about impact on the production - ideally directly from the customer.

What about workarounds: Is it possible to filter out these (useless) events and ignore them? If not, why?

What does it mean that CIEM solution cannot cope? Is it running out of memory, CPU, or something like that? ... More details here would help us to make the call.

Originally posted by @karelz in #100774

@jp185163 should provide additional details about impact directly to the customer

Tagging @rzikm @karelz for attention.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[jp185163]

The impact on our customers is significant - PCI SSF certification requires them to monitor failed authentication attempts in the logs. Due to this issue the Windows Event logs are flooded with such events - millions of occurences from each of the several nodes on the retail site network. Such huge amount floods any processing tools and prevents any meaningful filtering - it fills up the disk space and slows down the production system.

[jp185163]

Customer will not write to this public forum. What I can share is that they do actively filter/ignore the events. There are 12.1 millions of these events filtered in the 24 hours period. While the events can be filtered out from alerting mechanism, there is still a regulatory requirement to store them for a year. It is a matter of unneccessary storage and budget required to store these incorrect events.
Solving the real cause in an LTSC version is the only viable way forward.

[karelz]

That sounds like pretty bad impact. I would have expected customers to upgrade to .NET 9 in such case (the cost/discomfort of staying on .NET 8 being too high for them).
How many customers are hurt this badly?

[jp185163]

The problem with .NET 9 is that it is not an LTSC release. On retail sites we use only the LTSC releases to minimize number (and size) of upgrades. Any upgrade has an impact on operation and is costly.
This affects all customers using the latest software versions (application and OS).

[karelz]

@jp185163 @ds185287 were you able to validate the fix on .NET 9 build in production to verify it really addresses the problem? (It will help us make the case for servicing)

[ds185287]

I compiled the affected application on .NET 9 and ran it in a lab environment where I was able to reproduce the issue previously and can confirm that it is indeed fixed.