Solved

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.  How do I begin troubleshooting this?

Posted on 2016-11-10
9
126 Views
Last Modified: 2016-11-15
I have little to no experience dealing with certificates.  The most I've done with them is "ordered" a few from the vendor.  Didn't actually do any of the install.  I get these SChannel 36887 errors 2-3 times per minute on an exchange 2013 server running server 2012.  Where do I begin?  There is a certificate utility i've opened and it shows our certificate for the server expiring in 2020.  What else can I do with this?
0
Comment
Question by:Daniel Checksum
9 Comments
 
LVL 9

Assisted Solution

by:Marshal Hubs
Marshal Hubs earned 125 total points
ID: 41883276
Please refer this discussion to fix the issue!!
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41883971
The link you provided recommends a security update, but does not have a patch for Server 2012.  Furthermore, it would be near impossible to touch each non-windows device that utilizes email.  Is there any way to narrow this down better?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
ID: 41887077
I think the alert should point to which certificate it is having a problem with.    Does it match the cert you think you should be using?

Does the host name on the cert match the host name that should be used when connecting to  this server?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41887095
Do you have the error code for the error. E.g.  following is a list of SSL/TSL error messages and their code (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, Error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887890
To the 1st question:  The alert says "unknown certificate" so no, it doesn't know what it needs to point to.  When opening the certificate utility Exchange2013 has the proper hostname and expiration date.  I have a cert listed for:  WMSVC, Microsoft Exchange, Microsoft Exchange Server Auth Certificate, and WebMail.  


Error info:  (46)
- System
  - Provider
   [ Name]  Schannel
   [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
   EventID 36887
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2016-11-15T14:00:10.979330100Z
   EventRecordID 282082
   Correlation
  - Execution
   [ ProcessID]  540
   [ ThreadID]  15816
   Channel System
   Computer Exchange2013.domain.com
  - Security
   [ UserID]  S-1-5-18
- EventData
  AlertDesc 46
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887895
OK, i've narrowed it down to the Microsoft Exchange Server Auth Certificate.  When "testing" I get "The private key was successfully tested.  Revocation check for certificate chain failed."
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 41888018
if the certificate have intermediate CA bundle which is common for cert procured from 3rd party CA like GoDaddy, GeoTrust, Verisign etc, then it need to be install also in the exchange server besides the Root trust CA.

Besides, the above, when the server can't make a connection with a CA to check a certificate's revocation status, an error message is displayed: "The certificate status could not be determined because the revocation check failed". This error is misleading because it makes the problem sound as if the certificate has been revoked. In most cases, it is a connection problem not a certificate revocation issue.
The connection issue can be caused by the WinHTTP proxy settings or by the firewall settings preventing the Exchange server from connecting to the CRL or OCSP URLs to perform the revocation checks. To troubleshoot this error, you can use the DigiCert® Certificate Utility for Windows to verify whether your server can reach the CRL or OCSP URLs.
https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
1
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41888025
Thanks everyone, I now have a direction to move towards and most likely a solid resolution.  I simply needed to know which direction to go, thank you all.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
how to add IIS SMTP to handle application/Scanner relays into office 365.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now