Avatar of akyuen
 asked on

Schannel error 70 on Exchange CAS and Mailbox servers

I noticed that my Exchange CAS and mailbox servers (running Exchange 2010 on Windows server 2008 R2) are filled with Schannel Event ID: 36887 errors (The following fatal alert was received: 70).  I've read that these might be the cause of SSL errors; however, I've installed and run WireShark but don't see any SSL related errors.  In the event log, the errors occur consistently at equal intervals every minute.  Any ideas on what could be the cause of these errors? Here's a sample of one of the errors:

- System

  - Provider

   [ Name]  Schannel
   [ Guid]  {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}
   EventID 36887
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated

   [ SystemTime]  2017-03-15T04:08:34.094792700Z
   EventRecordID 307600
  - Execution

   [ ProcessID]  736
   [ ThreadID]  788
   Channel System
   Computer EX2010-Mbox.domain.com
  - Security

   [ UserID]  S-1-5-18

- EventData

  AlertDesc 70
* WiresharkSecurityWindows Server 2008

Avatar of undefined
Last Comment

8/22/2022 - Mon
Gaurav Singh

it seem the issue with Client Device and Server communcation. you need to further check events on the server for any Device connection issues.
Tom Cieslik

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

The user ID of S-1-5-18 corresponds to a local system account, and the process ID of 736 points to SamSs (security Accounts Manager).

The user ID listed is a local system account, which narrows down the devices.  Using wireshark, I was able to find the culprit searching for all traffic instead of just SSL.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.