Member_2_6492660_1

Windows 2012 Event 36887

Windows 2012 R2 Standard

Today started getting Event ID 36887: A fatal alert, the TLS protocol defined fatal alert code is 20.

Cannot find anything in my searches to resolve this.

Any ideas?
Leon Kammer

The server received a record with an incorrect MAC.

It's possible that the client does not support the TLS version of the Server.
When the client attempts to negotiate a TLS 1.2 connection but the server supports only TLS 1.0 or 1.1, it will not send client certificates to the server.
The only solution I can suggest if this is the case is to reduce the client TLS version to match the server capabilities.

http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx
ASKER

Leon


"The only solution I can suggest if this is the case is to reduce the client TLS version to match the server capabilities."


How do I do that? This is new to me.

Or should I turn this off?
https://support.microsoft.com/en-us/kb/260729

Depends what you are running on the server.
If it's IIS (you should be on 8.5), TLS 1.0-1.2 support is enabled out of the box.
If it's RDP, you need to update the client RDP client.
If it's something else, like SMTP calls, FTP, SQL Server et cetera, you'll need to have a look at the TLS configurations available within the application.

Cheers

Leon

Leon

Yes, IIS 8.5 will be web server.

No SQL, that runs on my Windows 200& server.

No RDP used, I use VNC to control remotely.

Maybe RDP is installed, will check.

On the road now

Cheers

Tom

Ok

No RDP installed.

Now getting same error with a 47, that's the second type.

I turned off logging, see if that stops the message.

Thoughts?
ASKER CERTIFIED SOLUTION
Leon Kammer
This solution is only available to members.

Leon

Only IE installed, I limit the third party programs on my servers to a minimum.

Will look at the trusted certs. What do you mean by can be too many entries?

What are the limits?

Hi Tom,

I am not 100% certain what the maximum is.
Due to changes in Server 2012, you will find a mixture of CAs in the trusted certificate store.

The Windows error log will contain this:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client.
The client uses this list to choose a client certificate that is trusted by the server.
Occasionally, the server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated.
The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

hth

Leon

Leon

Will check this out over the weekend when on site again.


Thanks

Will post results

Leon

After turning off the logging, have not seen this error.

Thanks
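
Added example, not part of any post in this thread: PowerShell that counts event 36887 entries by TLS alert code and names the codes per RFC 5246 (20 is bad_record_mac, 47 is illegal_parameter). The function name `Get-TlsAlertSummary` and the sample events are constructed for illustration; the sample message wording is modelled on the text quoted in the question.

```powershell
# TLS alert descriptions from RFC 5246, section 7.2 (subset).
$TlsAlerts = @{
    10 = 'unexpected_message'; 20 = 'bad_record_mac';      40 = 'handshake_failure'
    42 = 'bad_certificate';    46 = 'certificate_unknown'; 47 = 'illegal_parameter'
    48 = 'unknown_ca';         70 = 'protocol_version';    80 = 'internal_error'
}

function Get-TlsAlertSummary {
    # $Events: objects exposing TimeCreated and Message, as Get-WinEvent returns.
    param([Parameter(Mandatory)] [object[]] $Events)
    $parsed = foreach ($e in $Events) {
        # Skip anything whose text does not carry an alert code.
        if ($e.Message -match 'alert code is (\d+)') {
            $code = [int]$Matches[1]
            $name = if ($TlsAlerts.ContainsKey($code)) { $TlsAlerts[$code] } else { 'not in table' }
            [pscustomobject]@{ Time = $e.TimeCreated; Code = $code; Name = $name }
        }
    }
    # One row per alert code: how often it occurred and over what period.
    $parsed | Group-Object Code | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Code  = [int]$_.Name; Alert = $_.Group[0].Name; Count = $_.Count
            First = $times[0];    Last  = $times[-1]
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (hypothetical timestamps and wording).
# On the server itself, pass the real events instead:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887 }
$text = 'A fatal alert was received. The TLS protocol defined fatal alert code is {0}.'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2015-06-01T09:00:00'; Message = $text -f 20 }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-06-01T09:05:00'; Message = $text -f 20 }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-06-02T14:30:00'; Message = $text -f 47 }
)
Get-TlsAlertSummary -Events $sample | Format-Table -AutoSize
```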