A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46. How do I begin troubleshooting this?

I have little to no experience dealing with certificates.  The most I've done with them is "ordered" a few from the vendor.  Didn't actually do any of the install.  I get these SChannel 36887 errors 2-3 times per minute on an exchange 2013 server running server 2012.  Where do I begin?  There is a certificate utility i've opened and it shows our certificate for the server expiring in 2020.  What else can I do with this?
LVL 1
Daniel ChecksumAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
btanConnect With a Mentor Exec ConsultantCommented:
if the certificate have intermediate CA bundle which is common for cert procured from 3rd party CA like GoDaddy, GeoTrust, Verisign etc, then it need to be install also in the exchange server besides the Root trust CA.

Besides, the above, when the server can't make a connection with a CA to check a certificate's revocation status, an error message is displayed: "The certificate status could not be determined because the revocation check failed". This error is misleading because it makes the problem sound as if the certificate has been revoked. In most cases, it is a connection problem not a certificate revocation issue.
The connection issue can be caused by the WinHTTP proxy settings or by the firewall settings preventing the Exchange server from connecting to the CRL or OCSP URLs to perform the revocation checks. To troubleshoot this error, you can use the DigiCert® Certificate Utility for Windows to verify whether your server can reach the CRL or OCSP URLs.
https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
1
 
Marshal HubsConnect With a Mentor Email ConsultantCommented:
Please refer this discussion to fix the issue!!
0
 
Daniel ChecksumAuthor Commented:
The link you provided recommends a security update, but does not have a patch for Server 2012.  Furthermore, it would be near impossible to touch each non-windows device that utilizes email.  Is there any way to narrow this down better?
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
giltjrConnect With a Mentor Commented:
I think the alert should point to which certificate it is having a problem with.    Does it match the cert you think you should be using?

Does the host name on the cert match the host name that should be used when connecting to  this server?
0
 
btanConnect With a Mentor Exec ConsultantCommented:
Do you have the error code for the error. E.g.  following is a list of SSL/TSL error messages and their code (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, Error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
0
 
Daniel ChecksumAuthor Commented:
To the 1st question:  The alert says "unknown certificate" so no, it doesn't know what it needs to point to.  When opening the certificate utility Exchange2013 has the proper hostname and expiration date.  I have a cert listed for:  WMSVC, Microsoft Exchange, Microsoft Exchange Server Auth Certificate, and WebMail.  


Error info:  (46)
- System
  - Provider
   [ Name]  Schannel
   [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
   EventID 36887
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2016-11-15T14:00:10.979330100Z
   EventRecordID 282082
   Correlation
  - Execution
   [ ProcessID]  540
   [ ThreadID]  15816
   Channel System
   Computer Exchange2013.domain.com
  - Security
   [ UserID]  S-1-5-18
- EventData
  AlertDesc 46
0
 
Daniel ChecksumAuthor Commented:
OK, i've narrowed it down to the Microsoft Exchange Server Auth Certificate.  When "testing" I get "The private key was successfully tested.  Revocation check for certificate chain failed."
0
 
Daniel ChecksumAuthor Commented:
Thanks everyone, I now have a direction to move towards and most likely a solid resolution.  I simply needed to know which direction to go, thank you all.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.