Solved

SChannel errors on the two DCs in the domain

Posted on 2016-09-03
7
89 Views
Last Modified: 2016-09-10
There are continual event id 36888 in each DC's log as follows:  ""A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

In addition, dcdiag displays (In part)

     Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         ......................... WWE-DC failed test SystemLog


Both DCs get them, but one side gets way more.  Each is 2012 R2 and has Essentials role installed.  VPN is full time between two sites at close to 100MBS.

My questions are a) what is the cause of this,  i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue>
0
Comment
Question by:lmheimendinger
  • 3
  • 3
7 Comments
 
LVL 16

Expert Comment

by:Learnctx
Comment Utility
The cause is most likely an encrypted connection attempt when the DC's are not configured to accept LDAPS (LDAP over SSL) connections or the client is trying to use a cipher the DC does not accept. Do you offer LDAPS? If you do your DC's will be listening on the following ports for LDAP.

389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)

There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
0
 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
DCdiag will show error logs during systemlog test

by default domain controllers do listen on TCP 636 as well in addition to 389

I believe you are not using any secure LDAP bind or connection, for that you do need SSL cert on DC and also AD service need to be configured for that

If you are running any browser based application from DC, untick all TLS options from IE options\advanced page

If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
 Value Name: EventLogging
  change this value from 1 to 0 - this value causes most of the errors are generating
0
 

Author Comment

by:lmheimendinger
Comment Utility
Learnctx WIndows Firewall has all of those ports open...

Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one?  Is EventLogging binary or a double word 32-bit?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 35

Expert Comment

by:Mahesh
Comment Utility
You can create key as per screenshot attachedSChannel - reg dword-32

But this will just suppress errors, if you are not running any certificate based operation on DC, you can ignore it.

To find out root cause you need to capture inbound traffic to DC to identify source of encrypted traffic
0
 

Author Comment

by:lmheimendinger
Comment Utility
I am not seeing any apps that do this, assumed it was DC->DC error....
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Comment Utility
DC to DC communication will not happen over 636 (LDAPS) unless you configured explicitly
0
 

Author Closing Comment

by:lmheimendinger
Comment Utility
ended up ignoring
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now