Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

SChannel errors on the two DCs in the domain

Posted on 2016-09-03
7
Medium Priority
?
2,590 Views
Last Modified: 2016-09-10
There are continual event id 36888 in each DC's log as follows:  ""A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

In addition, dcdiag displays (In part)

     Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         ......................... WWE-DC failed test SystemLog


Both DCs get them, but one side gets way more.  Each is 2012 R2 and has Essentials role installed.  VPN is full time between two sites at close to 100MBS.

My questions are a) what is the cause of this,  i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue>
0
Comment
Question by:lmheimendinger
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:Learnctx
ID: 41783311
The cause is most likely an encrypted connection attempt when the DC's are not configured to accept LDAPS (LDAP over SSL) connections or the client is trying to use a cipher the DC does not accept. Do you offer LDAPS? If you do your DC's will be listening on the following ports for LDAP.

389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)

There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 41783376
DCdiag will show error logs during systemlog test

by default domain controllers do listen on TCP 636 as well in addition to 389

I believe you are not using any secure LDAP bind or connection, for that you do need SSL cert on DC and also AD service need to be configured for that

If you are running any browser based application from DC, untick all TLS options from IE options\advanced page

If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
 Value Name: EventLogging
  change this value from 1 to 0 - this value causes most of the errors are generating
0
 

Author Comment

by:lmheimendinger
ID: 41783820
Learnctx WIndows Firewall has all of those ports open...

Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one?  Is EventLogging binary or a double word 32-bit?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 38

Expert Comment

by:Mahesh
ID: 41783886
You can create key as per screenshot attachedSChannel - reg dword-32

But this will just suppress errors, if you are not running any certificate based operation on DC, you can ignore it.

To find out root cause you need to capture inbound traffic to DC to identify source of encrypted traffic
0
 

Author Comment

by:lmheimendinger
ID: 41783944
I am not seeing any apps that do this, assumed it was DC->DC error....
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 41783972
DC to DC communication will not happen over 636 (LDAPS) unless you configured explicitly
0
 

Author Closing Comment

by:lmheimendinger
ID: 41793109
ended up ignoring
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question