Solved

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.  How do I begin troubleshooting this?

Posted on 2016-11-10
9
2,454 Views
Last Modified: 2016-11-15
I have little to no experience dealing with certificates.  The most I've done with them is "ordered" a few from the vendor.  Didn't actually do any of the install.  I get these SChannel 36887 errors 2-3 times per minute on an exchange 2013 server running server 2012.  Where do I begin?  There is a certificate utility i've opened and it shows our certificate for the server expiring in 2020.  What else can I do with this?
0
Comment
Question by:Daniel Checksum
9 Comments
 
LVL 9

Assisted Solution

by:Marshal Hubs
Marshal Hubs earned 125 total points
ID: 41883276
Please refer this discussion to fix the issue!!
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41883971
The link you provided recommends a security update, but does not have a patch for Server 2012.  Furthermore, it would be near impossible to touch each non-windows device that utilizes email.  Is there any way to narrow this down better?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
ID: 41887077
I think the alert should point to which certificate it is having a problem with.    Does it match the cert you think you should be using?

Does the host name on the cert match the host name that should be used when connecting to  this server?
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 41887095
Do you have the error code for the error. E.g.  following is a list of SSL/TSL error messages and their code (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, Error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887890
To the 1st question:  The alert says "unknown certificate" so no, it doesn't know what it needs to point to.  When opening the certificate utility Exchange2013 has the proper hostname and expiration date.  I have a cert listed for:  WMSVC, Microsoft Exchange, Microsoft Exchange Server Auth Certificate, and WebMail.  


Error info:  (46)
- System
  - Provider
   [ Name]  Schannel
   [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
   EventID 36887
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2016-11-15T14:00:10.979330100Z
   EventRecordID 282082
   Correlation
  - Execution
   [ ProcessID]  540
   [ ThreadID]  15816
   Channel System
   Computer Exchange2013.domain.com
  - Security
   [ UserID]  S-1-5-18
- EventData
  AlertDesc 46
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41887895
OK, i've narrowed it down to the Microsoft Exchange Server Auth Certificate.  When "testing" I get "The private key was successfully tested.  Revocation check for certificate chain failed."
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41888018
if the certificate have intermediate CA bundle which is common for cert procured from 3rd party CA like GoDaddy, GeoTrust, Verisign etc, then it need to be install also in the exchange server besides the Root trust CA.

Besides, the above, when the server can't make a connection with a CA to check a certificate's revocation status, an error message is displayed: "The certificate status could not be determined because the revocation check failed". This error is misleading because it makes the problem sound as if the certificate has been revoked. In most cases, it is a connection problem not a certificate revocation issue.
The connection issue can be caused by the WinHTTP proxy settings or by the firewall settings preventing the Exchange server from connecting to the CRL or OCSP URLs to perform the revocation checks. To troubleshoot this error, you can use the DigiCert® Certificate Utility for Windows to verify whether your server can reach the CRL or OCSP URLs.
https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
1
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41888025
Thanks everyone, I now have a direction to move towards and most likely a solid resolution.  I simply needed to know which direction to go, thank you all.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question