Solved

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.  How do I begin troubleshooting this?

Posted on 2016-11-10
9
410 Views
Last Modified: 2016-11-15
I have little to no experience dealing with certificates.  The most I've done with them is "ordered" a few from the vendor.  Didn't actually do any of the install.  I get these SChannel 36887 errors 2-3 times per minute on an exchange 2013 server running server 2012.  Where do I begin?  There is a certificate utility i've opened and it shows our certificate for the server expiring in 2020.  What else can I do with this?
0
Comment
Question by:Daniel Checksum
9 Comments
 
LVL 9

Assisted Solution

by:Marshal Hubs
Marshal Hubs earned 125 total points
ID: 41883276
Please refer this discussion to fix the issue!!
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41883971
The link you provided recommends a security update, but does not have a patch for Server 2012.  Furthermore, it would be near impossible to touch each non-windows device that utilizes email.  Is there any way to narrow this down better?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
ID: 41887077
I think the alert should point to which certificate it is having a problem with.    Does it match the cert you think you should be using?

Does the host name on the cert match the host name that should be used when connecting to  this server?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 41887095
Do you have the error code for the error. E.g.  following is a list of SSL/TSL error messages and their code (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, Error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887890
To the 1st question:  The alert says "unknown certificate" so no, it doesn't know what it needs to point to.  When opening the certificate utility Exchange2013 has the proper hostname and expiration date.  I have a cert listed for:  WMSVC, Microsoft Exchange, Microsoft Exchange Server Auth Certificate, and WebMail.  


Error info:  (46)
- System
  - Provider
   [ Name]  Schannel
   [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
   EventID 36887
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2016-11-15T14:00:10.979330100Z
   EventRecordID 282082
   Correlation
  - Execution
   [ ProcessID]  540
   [ ThreadID]  15816
   Channel System
   Computer Exchange2013.domain.com
  - Security
   [ UserID]  S-1-5-18
- EventData
  AlertDesc 46
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887895
OK, i've narrowed it down to the Microsoft Exchange Server Auth Certificate.  When "testing" I get "The private key was successfully tested.  Revocation check for certificate chain failed."
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 41888018
if the certificate have intermediate CA bundle which is common for cert procured from 3rd party CA like GoDaddy, GeoTrust, Verisign etc, then it need to be install also in the exchange server besides the Root trust CA.

Besides, the above, when the server can't make a connection with a CA to check a certificate's revocation status, an error message is displayed: "The certificate status could not be determined because the revocation check failed". This error is misleading because it makes the problem sound as if the certificate has been revoked. In most cases, it is a connection problem not a certificate revocation issue.
The connection issue can be caused by the WinHTTP proxy settings or by the firewall settings preventing the Exchange server from connecting to the CRL or OCSP URLs to perform the revocation checks. To troubleshoot this error, you can use the DigiCert® Certificate Utility for Windows to verify whether your server can reach the CRL or OCSP URLs.
https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
1
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41888025
Thanks everyone, I now have a direction to move towards and most likely a solid resolution.  I simply needed to know which direction to go, thank you all.
0

Featured Post

Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now