akyuen
asked on
Schannel error 70 on Exchange CAS and Mailbox servers
I noticed that my Exchange CAS and mailbox servers (running Exchange 2010 on Windows server 2008 R2) are filled with Schannel Event ID: 36887 errors (The following fatal alert was received: 70). I've read that these might be the cause of SSL errors; however, I've installed and run WireShark but don't see any SSL related errors. In the event log, the errors occur consistently at equal intervals every minute. Any ideas on what could be the cause of these errors? Here's a sample of one of the errors:
- System
- Provider
[ Name] Schannel
[ Guid] {xxxxxxx-xxxx-xxxx-xxxx-xx xxxxxxxxxx x}
EventID 36887
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2017-03-15T04:08:34.094792 700Z
EventRecordID 307600
Correlation
- Execution
[ ProcessID] 736
[ ThreadID] 788
Channel System
Computer EX2010-Mbox.domain.com
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 70
- System
- Provider
[ Name] Schannel
[ Guid] {xxxxxxx-xxxx-xxxx-xxxx-xx
EventID 36887
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2017-03-15T04:08:34.094792
EventRecordID 307600
Correlation
- Execution
[ ProcessID] 736
[ ThreadID] 788
Channel System
Computer EX2010-Mbox.domain.com
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 70
it seem the issue with Client Device and Server communcation. you need to further check events on the server for any Device connection issues.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The user ID of S-1-5-18 corresponds to a local system account, and the process ID of 736 points to SamSs (security Accounts Manager).
ASKER
The user ID listed is a local system account, which narrows down the devices. Using wireshark, I was able to find the culprit searching for all traffic instead of just SSL.