?
Solved

SChannel errors on the two DCs in the domain

Posted on 2016-09-03
7
Medium Priority
?
1,887 Views
Last Modified: 2016-09-10
There are continual event id 36888 in each DC's log as follows:  ""A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."

In addition, dcdiag displays (In part)

     Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 09/03/2016   09:01:15
            Event String:
            A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
         ......................... WWE-DC failed test SystemLog


Both DCs get them, but one side gets way more.  Each is 2012 R2 and has Essentials role installed.  VPN is full time between two sites at close to 100MBS.

My questions are a) what is the cause of this,  i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue>
0
Comment
Question by:lmheimendinger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 17

Expert Comment

by:Learnctx
ID: 41783311
The cause is most likely an encrypted connection attempt when the DC's are not configured to accept LDAPS (LDAP over SSL) connections or the client is trying to use a cipher the DC does not accept. Do you offer LDAPS? If you do your DC's will be listening on the following ports for LDAP.

389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)

There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41783376
DCdiag will show error logs during systemlog test

by default domain controllers do listen on TCP 636 as well in addition to 389

I believe you are not using any secure LDAP bind or connection, for that you do need SSL cert on DC and also AD service need to be configured for that

If you are running any browser based application from DC, untick all TLS options from IE options\advanced page

If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
 Value Name: EventLogging
  change this value from 1 to 0 - this value causes most of the errors are generating
0
 

Author Comment

by:lmheimendinger
ID: 41783820
Learnctx WIndows Firewall has all of those ports open...

Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one?  Is EventLogging binary or a double word 32-bit?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 37

Expert Comment

by:Mahesh
ID: 41783886
You can create key as per screenshot attachedSChannel - reg dword-32

But this will just suppress errors, if you are not running any certificate based operation on DC, you can ignore it.

To find out root cause you need to capture inbound traffic to DC to identify source of encrypted traffic
0
 

Author Comment

by:lmheimendinger
ID: 41783944
I am not seeing any apps that do this, assumed it was DC->DC error....
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 41783972
DC to DC communication will not happen over 636 (LDAPS) unless you configured explicitly
0
 

Author Closing Comment

by:lmheimendinger
ID: 41793109
ended up ignoring
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question