Solved

SChannel errors on the two DCs in the domain

Posted on 2016-09-03
7
904 Views
Last Modified: 2016-09-10
There are continual event id 36888 in each DC's log as follows:  ""A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

In addition, dcdiag displays (In part)

     Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         ......................... WWE-DC failed test SystemLog


Both DCs get them, but one side gets way more.  Each is 2012 R2 and has Essentials role installed.  VPN is full time between two sites at close to 100MBS.

My questions are a) what is the cause of this,  i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue>
0
Comment
Question by:lmheimendinger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 17

Expert Comment

by:Learnctx
ID: 41783311
The cause is most likely an encrypted connection attempt when the DC's are not configured to accept LDAPS (LDAP over SSL) connections or the client is trying to use a cipher the DC does not accept. Do you offer LDAPS? If you do your DC's will be listening on the following ports for LDAP.

389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)

There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41783376
DCdiag will show error logs during systemlog test

by default domain controllers do listen on TCP 636 as well in addition to 389

I believe you are not using any secure LDAP bind or connection, for that you do need SSL cert on DC and also AD service need to be configured for that

If you are running any browser based application from DC, untick all TLS options from IE options\advanced page

If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
 Value Name: EventLogging
  change this value from 1 to 0 - this value causes most of the errors are generating
0
 

Author Comment

by:lmheimendinger
ID: 41783820
Learnctx WIndows Firewall has all of those ports open...

Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one?  Is EventLogging binary or a double word 32-bit?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 37

Expert Comment

by:Mahesh
ID: 41783886
You can create key as per screenshot attachedSChannel - reg dword-32

But this will just suppress errors, if you are not running any certificate based operation on DC, you can ignore it.

To find out root cause you need to capture inbound traffic to DC to identify source of encrypted traffic
0
 

Author Comment

by:lmheimendinger
ID: 41783944
I am not seeing any apps that do this, assumed it was DC->DC error....
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 41783972
DC to DC communication will not happen over 636 (LDAPS) unless you configured explicitly
0
 

Author Closing Comment

by:lmheimendinger
ID: 41793109
ended up ignoring
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question