Solved

SChannel errors on the two DCs in the domain

Posted on 2016-09-03
7
389 Views
Last Modified: 2016-09-10
There are continual event id 36888 in each DC's log as follows:  ""A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

In addition, dcdiag displays (In part)

     Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         ......................... WWE-DC failed test SystemLog


Both DCs get them, but one side gets way more.  Each is 2012 R2 and has Essentials role installed.  VPN is full time between two sites at close to 100MBS.

My questions are a) what is the cause of this,  i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue>
0
Comment
Question by:lmheimendinger
  • 3
  • 3
7 Comments
 
LVL 17

Expert Comment

by:Learnctx
ID: 41783311
The cause is most likely an encrypted connection attempt when the DC's are not configured to accept LDAPS (LDAP over SSL) connections or the client is trying to use a cipher the DC does not accept. Do you offer LDAPS? If you do your DC's will be listening on the following ports for LDAP.

389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)

There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 41783376
DCdiag will show error logs during systemlog test

by default domain controllers do listen on TCP 636 as well in addition to 389

I believe you are not using any secure LDAP bind or connection, for that you do need SSL cert on DC and also AD service need to be configured for that

If you are running any browser based application from DC, untick all TLS options from IE options\advanced page

If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
 Value Name: EventLogging
  change this value from 1 to 0 - this value causes most of the errors are generating
0
 

Author Comment

by:lmheimendinger
ID: 41783820
Learnctx WIndows Firewall has all of those ports open...

Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one?  Is EventLogging binary or a double word 32-bit?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 36

Expert Comment

by:Mahesh
ID: 41783886
You can create key as per screenshot attachedSChannel - reg dword-32

But this will just suppress errors, if you are not running any certificate based operation on DC, you can ignore it.

To find out root cause you need to capture inbound traffic to DC to identify source of encrypted traffic
0
 

Author Comment

by:lmheimendinger
ID: 41783944
I am not seeing any apps that do this, assumed it was DC->DC error....
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 41783972
DC to DC communication will not happen over 636 (LDAPS) unless you configured explicitly
0
 

Author Closing Comment

by:lmheimendinger
ID: 41793109
ended up ignoring
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Synchronize a new Active Directory domain with an existing Office 365 tenant
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question