Larry Heimendinger
asked on
SChannel errors on the two DCs in the domain
There are continual event id 36888 in each DC's log as follows: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203."
In addition, dcdiag displays (In part)
Starting test: SystemLog
An error event occurred. EventID: 0x00009018
Time Generated: 09/03/2016 09:01:15
Event String:
A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
An error event occurred. EventID: 0x00009018
Time Generated: 09/03/2016 09:01:15
Event String:
A fatal alert was generated and sent to the remote endpoint. This ma
y result in termination of the connection. The TLS protocol defined fatal error
code is 10. The Windows SChannel error state is 1203.
......................... WWE-DC failed test SystemLog
Both DCs get them, but one side gets way more. Each is 2012 R2 and has Essentials role installed. VPN is full time between two sites at close to 100MBS.
My questions are a) what is the cause of this, i.e., where can I find additional information to pinpoint the cause, and b) what do I do with it to fix the issue?
DCdiag will show error logs during systemlog test
By default, domain controllers listen on TCP 636 as well as 389.
I believe you are not using any secure LDAP bind or connection; for that you need an SSL cert on the DC, and the AD service also needs to be configured for it.
If you are running any browser-based application from the DC, untick all TLS options on the IE options\advanced page.
If that's not the case, navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
Value Name: EventLogging
Change this value from 1 to 0 - this value is what causes most of the errors that are being generated.
ASKER
Learnctx - Windows Firewall has all of those ports open...
Mahesh - There was no key on either server for SChannel under SecurityProviders.. should I create one? Is EventLogging binary or a double word 32-bit?
ASKER
I am not seeing any apps that do this; I assumed it was a DC->DC error....
ASKER
ended up ignoring
389 (LDAP)
636 (LDAPS)
3268 (LDAP GC)
3269 (LDAPS GC)
There is a list of Schannel error codes here. In your case you're receiving error 10, which would be SSLv3. Some applications will try an LDAPS bind first and then fall back to LDAP which can generate these errors if you're not offering up LDAPS. If you do not offer LDAPS you can ignore these errors.
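A way to check the three things raised in this thread from the DC itself, added here as an example and not code from any of the posters: it tallies the 36888 alerts by alert code and error state, reads the Schannel EventLogging value Mahesh refers to, and checks whether LDAPS is actually being offered, which is what the fall-back explanation above turns on. It assumes an elevated PowerShell session on a 2012 R2 or later DC (for Test-NetConnection) and the default System log and Schannel provider names.

```powershell
# Added diagnostic example, not from any post in the thread. Assumes an elevated
# PowerShell session on the DC itself (Server 2012 R2 or later, NetTCPIP module).
$since = (Get-Date).AddHours(-24)

# 1. Tally Schannel 36888 fatal alerts by (alert code, error state) pair, so the
#    code 10 / state 1203 pattern from the question can be compared with any others.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36888
    StartTime    = $since
} -ErrorAction SilentlyContinue

$pattern = 'fatal error code is (\d+)\. The Windows SChannel error state is (\d+)'
$events |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{ AlertCode = [int]$Matches[1]; ErrorState = [int]$Matches[2] }
        }
    } |
    Group-Object AlertCode, ErrorState |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Read the Schannel EventLogging value discussed above; the key may not exist,
#    as the asker found. 1 (the default) logs errors, 0 silences them.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$logging = (Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
"Schannel EventLogging: $(if ($null -eq $logging) { '<not set, default 1>' } else { $logging })"

# 3. Is LDAPS actually offered? A listener on TCP 636 plus a valid server-auth
#    certificate for this host's FQDN in the machine store is the minimum.
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$tcp636 = Test-NetConnection -ComputerName $fqdn -Port 636 -WarningAction SilentlyContinue
"TCP 636 on ${fqdn}: $(if ($tcp636.TcpTestSucceeded) { 'open' } else { 'closed' })"

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

If the tally is dominated by one code/state pair and 636 is closed or no matching certificate is listed, the events match the LDAPS-then-LDAP fall-back described above; if LDAPS is offered, look at the client side of the handshake before silencing EventLogging, since that value hides every Schannel error, not just this one.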