Schannel error 70 on Exchange CAS and Mailbox servers

I noticed that my Exchange CAS and mailbox servers (running Exchange 2010 on Windows server 2008 R2) are filled with Schannel Event ID: 36887 errors (The following fatal alert was received: 70).  I've read that these might be the cause of SSL errors; however, I've installed and run WireShark but don't see any SSL related errors.  In the event log, the errors occur consistently at equal intervals every minute.  Any ideas on what could be the cause of these errors? Here's a sample of one of the errors:

- System

  - Provider

   [ Name]  Schannel
   [ Guid]  {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}
 
   EventID 36887
 
   Version 0
 
   Level 2
 
   Task 0
 
   Opcode 0
 
   Keywords 0x8000000000000000
 
  - TimeCreated

   [ SystemTime]  2017-03-15T04:08:34.094792700Z
 
   EventRecordID 307600
 
   Correlation
 
  - Execution

   [ ProcessID]  736
   [ ThreadID]  788
 
   Channel System
 
   Computer EX2010-Mbox.domain.com
 
  - Security

   [ UserID]  S-1-5-18
 

- EventData

  AlertDesc 70
akyuenAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

systechadminConsultantCommented:
it seem the issue with Client Device and Server communcation. you need to further check events on the server for any Device connection issues.
0
Tom CieslikIT EngineerCommented:
It looks like profile or configuration error for user ID [ UserID]  S-1-5-18
Check who from your users has this ID and try create mail profile from scratch.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
akyuenAuthor Commented:
The user ID of S-1-5-18 corresponds to a local system account, and the process ID of 736 points to SamSs (security Accounts Manager).
0
akyuenAuthor Commented:
The user ID listed is a local system account, which narrows down the devices.  Using wireshark, I was able to find the culprit searching for all traffic instead of just SSL.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireshark

From novice to tech pro — start learning today.