akyuen
 asked on

Schannel error 70 on Exchange CAS and Mailbox servers

I noticed that my Exchange CAS and mailbox servers (running Exchange 2010 on Windows Server 2008 R2) are filled with Schannel Event ID: 36887 errors (The following fatal alert was received: 70). I've read that these might be the cause of SSL errors; however, I've installed and run Wireshark but don't see any SSL-related errors. In the event log, the errors occur consistently at equal intervals every minute. Any ideas on what could be the cause of these errors? Here's a sample of one of the errors:

- System

  - Provider

   [ Name]  Schannel
   [ Guid]  {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}
 
   EventID 36887
 
   Version 0
 
   Level 2
 
   Task 0
 
   Opcode 0
 
   Keywords 0x8000000000000000
 
  - TimeCreated

   [ SystemTime]  2017-03-15T04:08:34.094792700Z
 
   EventRecordID 307600
 
   Correlation
 
  - Execution

   [ ProcessID]  736
   [ ThreadID]  788
 
   Channel System
 
   Computer EX2010-Mbox.domain.com
 
  - Security

   [ UserID]  S-1-5-18
 

- EventData

  AlertDesc 70
* Wireshark, Security, Windows Server 2008

Last Comment
akyuen

8/22/2022 - Mon
Gaurav Singh

It seems the issue is with client device and server communication. You need to further check events on the server for any device connection issues.
ASKER CERTIFIED SOLUTION
Tom Cieslik

akyuen

ASKER
The user ID of S-1-5-18 corresponds to a local system account, and the process ID of 736 points to SamSs (Security Accounts Manager).
akyuen

ASKER
The user ID listed is a local system account, which narrows down the devices. Using Wireshark, I was able to find the culprit searching for all traffic instead of just SSL.
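
As an added example (not part of the original thread): a Python sketch that reads Schannel 36887 events exported as XML, names the TLS alert code per RFC 5246 (70 is protocol_version), and checks whether the events recur at a fixed interval, as the asker describes. The sample events are constructed, and the input is assumed to be wrapped in a single root element.

```python
import statistics
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# TLS alert descriptions (RFC 5246, section 7.2); subset seen on failed handshakes.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}

def parse_time(system_time):
    """Parse a SystemTime such as 2017-03-15T04:08:34.094792700Z (9 fractional digits)."""
    whole, _, frac = system_time.rstrip("Z").partition(".")
    base = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((frac or "0")[:6].ljust(6, "0")))

def summarize(xml_text):
    """Return {alert_code: {name, count, median_gap_s, periodic}} for 36887 events."""
    times = {}
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "36887":
            continue
        code = int(ev.findtext("e:EventData/e:Data[@Name='AlertDesc']", namespaces=NS))
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        times.setdefault(code, []).append(parse_time(stamp))
    report = {}
    for code, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps) if gaps else None
        # Periodic: at least 3 gaps, all within 10% of the median (a scheduled client).
        periodic = len(gaps) >= 3 and all(abs(g - median) <= 0.1 * median for g in gaps)
        report[code] = {"name": TLS_ALERTS.get(code, "unknown"), "count": len(stamps),
                        "median_gap_s": median, "periodic": periodic}
    return report

def _sample(minute, frac):  # one constructed event, modelled on the one in the question
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<Provider Name="Schannel"/><EventID>36887</EventID>'
            f'<TimeCreated SystemTime="2017-03-15T04:{minute:02d}:34.{frac}Z"/></System>'
            '<EventData><Data Name="AlertDesc">70</Data></EventData></Event>')

# Constructed sample: five events roughly one minute apart.
SAMPLE = "<Events>" + "".join(_sample(8 + i, f) for i, f in enumerate(
    ["094792700", "101200300", "088450100", "097113900", "092004500"])) + "</Events>"

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A periodic result with a median gap near 60 seconds points to a scheduled client, which can then be matched against connections arriving at the same timestamps in a packet capture.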