cwc70

asked on

Active Directory Certificate Service: Schannel Errors: Event ID-36888

We just installed Active Directory Certificate Services on one of our Domain Controllers (Win 2008 R2).  We also run Network Policy Server (NPS) on both of our DCs.  We use NPS for RADIUS authentication for our wireless clients.  Our Aruba controllers hit up against the NPS servers for wireless client authentication.

On our Cert Authority DC there are (2) certs: the main CA (domain-servername1.org) and a second (servername1.org).  We attached the servername1.org cert to our NPS wireless policy.  Our second DC was issued a cert by domain-servername1.org; it is named servername2.org.  This is attached to the NPS policy on server2.

There does not seem to be any wireless client authentication issues.  We can see clients in NPS logs on each server.

The Problem:
•  We are getting hundreds of errors in the System log on servername1.  Event ID = 36888, Source = Schannel; it says “The following fatal alert was generated: 20.  The internal error state is 960”.
•  This is only happening on the CA, servername1.  The logs on servername2 have no Schannel errors.

I saw some articles referencing IIS issues, but they didn’t really seem relevant.  Any help would be appreciated.  I attached dcdiag and a copy of the error.
Print-Screen-of-event-error.docx
dcdiag.txt
ASKER CERTIFIED SOLUTION
Member_2_6492660_1
cwc70

ASKER

I did check IIS and I can see the (2) server certs.  I tried to create an IIS self-signed cert and bounced IIS; no change.
I had the exact same error on my 2008 server a few weeks ago.

My notes are at home.

I had to make a registry change to stop the message from appearing.

I contacted Microsoft; see this:

http://support.microsoft.com/kb/260729

It shows how to disable the logging.
cwc70

ASKER

I had to do an additional step.  I had to add a cert to the SSL (HTTPS) binding in IIS.  First I added the top-level cert to the SSL binding in IIS (...that was wrong).  I had to remove the top-level cert and add the secondary cert.  Once I did that in IIS, all the errors stopped.
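The two fixes discussed in this thread, the KB 260729 registry switch and putting the right certificate on the IIS HTTPS binding, as an added PowerShell example that is not from the thread, from Microsoft, or from any of the posters. It tells the CA certificate apart from the server-authentication certificate the way the last post found by trial and error (the CA cert has Basic Constraints CA=TRUE and no Server Authentication EKU; only the issued server cert with a private key belongs on the binding), and it shows the registry value last, as the option that silences the event rather than fixing it. For reference, alert 20 in the event text is the TLS bad_record_mac alert number from RFC 5246. Assumptions: Windows Server 2008 R2 with IIS 7.5 and the WebAdministration module, an elevated session on the CA server (servername1 in the question), the site name 'Default Web Site' and an all-addresses binding on port 443; adjust these to your environment.

```powershell
# Added example, not from the thread. Assumed environment: Windows Server 2008 R2
# with IIS 7.5 and the WebAdministration module, run from an elevated PowerShell
# session on the CA/NPS server (servername1 in the question). The site name and
# the binding address below are assumptions for this illustration.
Import-Module WebAdministration

# 1. Confirm the symptom: recent Schannel 36888 events, grouped by message text.
$schannelErrors = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
$schannelErrors | Group-Object Message | Select-Object Count, Name | Format-Table -AutoSize

# 2. Tell the CA certificate apart from the server-authentication certificate.
#    A CA cert carries Basic Constraints CA=TRUE (OID 2.5.29.19) and normally no
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1); only a cert with that EKU and
#    a private key belongs on the HTTPS binding.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$inventory = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert   = $_
    $bcExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        IsCA       = [bool]($bcExt -and $bcExt.CertificateAuthority)
        ServerAuth = [bool]($ekus -contains $serverAuthOid)
        HasKey     = $cert.HasPrivateKey
        NotAfter   = $cert.NotAfter
    }
}
$inventory | Format-Table Subject, IsCA, ServerAuth, HasKey, NotAfter, Thumbprint -AutoSize

# 3. Pick the issued server-auth cert (never the CA cert) and put it on the binding.
$candidates = @($inventory | Where-Object { $_.ServerAuth -and -not $_.IsCA -and $_.HasKey })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one server-auth certificate with a private key, found $($candidates.Count); choose the thumbprint by hand."
}
$serverCert = Get-Item "Cert:\LocalMachine\My\$($candidates[0].Thumbprint)"

$siteName = 'Default Web Site'   # assumption: the site that hosts CA web enrollment
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
# IIS:\SslBindings maps IP!port to a certificate; replace whatever is there now
# (in the thread, the CA cert had been placed here by mistake).
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $serverCert | Out-Null
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize

# 4. Only if you want to silence the event rather than fix the cause: the switch
#    from KB 260729. EventLogging under the SCHANNEL key controls what Schannel
#    writes to the System log (0 = nothing, 1 = errors, which is the default);
#    the KB notes the change takes effect after a restart.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Get-ItemProperty -Path $schannelKey -Name EventLogging -ErrorAction SilentlyContinue
# Set-ItemProperty -Path $schannelKey -Name EventLogging -Value 0 -Type DWord   # disables Schannel error events
```

Step 3 refuses to guess when more than one usable server certificate is present, since binding the wrong one is exactly the mistake the thread describes; in that case read the inventory table and pass the thumbprint explicitly. Step 4 is left commented out on purpose: turning EventLogging to 0 also hides future Schannel problems on the NPS/RADIUS side, so prefer the binding fix and keep the default logging level.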