We help IT Professionals succeed at work.

Schannel error 70 on Exchange CAS and Mailbox servers

7,242 Views
Last Modified: 2018-02-02
I noticed that my Exchange CAS and mailbox servers (running Exchange 2010 on Windows server 2008 R2) are filled with Schannel Event ID: 36887 errors (The following fatal alert was received: 70).  I've read that these might be the cause of SSL errors; however, I've installed and run WireShark but don't see any SSL related errors.  In the event log, the errors occur consistently at equal intervals every minute.  Any ideas on what could be the cause of these errors? Here's a sample of one of the errors:

- System

  - Provider

   [ Name]  Schannel
   [ Guid]  {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}
 
   EventID 36887
 
   Version 0
 
   Level 2
 
   Task 0
 
   Opcode 0
 
   Keywords 0x8000000000000000
 
  - TimeCreated

   [ SystemTime]  2017-03-15T04:08:34.094792700Z
 
   EventRecordID 307600
 
   Correlation
 
  - Execution

   [ ProcessID]  736
   [ ThreadID]  788
 
   Channel System
 
   Computer EX2010-Mbox.domain.com
 
  - Security

   [ UserID]  S-1-5-18
 

- EventData

  AlertDesc 70
Comment
Watch Question

Systech AdminChief Technology Officer
CERTIFIED EXPERT

Commented:
it seem the issue with Client Device and Server communcation. you need to further check events on the server for any Device connection issues.
IT Superintendent
CERTIFIED EXPERT
Distinguished Expert 2017
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
The user ID of S-1-5-18 corresponds to a local system account, and the process ID of 736 points to SamSs (security Accounts Manager).

Author

Commented:
The user ID listed is a local system account, which narrows down the devices.  Using wireshark, I was able to find the culprit searching for all traffic instead of just SSL.