Windows 2016 Event 36874

Windows 2016 Data Center
Exchange 2016 CU9 DAG 2 Node

On Node 1 I am getting this event daily

Log Name:      System
Source:        Schannel
Date:          9/1/2018 11:13:28 AM
Event ID:      36874
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      TGCS021-N1.our.network.tgcsnet.com
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36874</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-01T15:13:28.251545400Z" />
    <EventRecordID>67625</EventRecordID>
    <Correlation ActivityID="{5363E8EE-35C9-0003-56F1-6353C935D401}" />
    <Execution ProcessID="716" ThreadID="22912" />
    <Channel>System</Channel>
    <Computer>TGCS021-N1.our.network.tgcsnet.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Protocol">TLS 1.2</Data>
  </EventData>
</Event>


Node 2 has no problem.

I checked my registry; see attached.

Thanks in advance
event36874.PNG
Thomas GrassiSystems AdministratorAsked:
timgreen7077Exchange EngineerCommented:
It looks like a remote client attempted a TLS connection to your Exchange server and it failed. TLS 1.2 is the default on Windows 2016 and Exchange, provided all parameters are met. See below.

Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

Windows Server 2016
TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

See below link for more info on Exchange 2016 and TLS 1.2
https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

1. I am running CU9

2.  .NET 4.7.1 already installed.

3. Windows updates are done from my WSUS server and they are all current.

Are there any special updates I should look for?

Is there a setting missing?

Both nodes have the same updates. NODE 1 has the issue and NODE 2 does not.

Thoughts?
0
timgreen7077Exchange EngineerCommented:
Test that TLS 1.2 is being used. Send a test email to an external domain and look at the headers to verify that TLS 1.2 was used. Then do the same thing by sending an email from an external domain into your org and review the headers.

Also, the article is a 2-part article, so review it to be sure your reg keys are correct and so forth.
0
timgreen7077Exchange EngineerCommented:
Also, the error didn't tell you what client app, so your Exchange may be fine but the client is requesting ciphers that aren't on your Exchange server. Don't always try to fix Exchange because of client apps. Not everything is resolvable, or should be. If there are no issues or complaints, sometimes you have to let it go or you will be chasing errors or false positives forever.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Received: from CO2PR07MB2584.namprd07.prod.outlook.com (2603:10b6:405:3b::44)
 by BN3PR07MB2577.namprd07.prod.outlook.com with HTTPS via
 BN6PR04CA0055.NAMPRD04.PROD.OUTLOOK.COM; Sat, 1 Sep 2018 18:26:45 +0000
Received: from CO2PR07CA0074.namprd07.prod.outlook.com (2603:10b6:100::42) by
 CO2PR07MB2584.namprd07.prod.outlook.com (2603:10b6:102:13::23) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1080.17; Sat, 1 Sep 2018 18:26:41 +0000
Received: from BL2NAM02FT028.eop-nam02.prod.protection.outlook.com
 (2a01:111:f400:7e46::209) by CO2PR07CA0074.outlook.office365.com
 (2603:10b6:100::42) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1101.16 via Frontend
 Transport; Sat, 1 Sep 2018 18:26:41 +0000
Authentication-Results: spf=none (sender IP is 209.85.216.197)
 smtp.mailfrom=tgcsnet.com; fdu.edu; dkim=none (message not signed)
 header.d=none;fdu.edu; dmarc=none action=none header.from=tgcsnet.com;
Received-SPF: None (protection.outlook.com: tgcsnet.com does not designate
 permitted sender hosts)
Received: from mail-qt0-f197.google.com (209.85.216.197) by
 BL2NAM02FT028.mail.protection.outlook.com (10.152.77.165) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256) id
 15.20.1101.10 via Frontend Transport; Sat, 1 Sep 2018 18:26:39 +0000
Received: by mail-qt0-f197.google.com with SMTP id u13-v6so19565913qtb.18
        for <grassi@fdu.edu>; Sat, 01 Sep 2018 11:26:39 -0700 (PDT)
X-Original-Authentication-Results: mx.google.com;       spf=neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
X-Received: by 2002:a0c:c503:: with SMTP id x3-v6mr19755413qvi.82.1535826399396;
        Sat, 01 Sep 2018 11:26:39 -0700 (PDT)
X-Received: by 2002:a0c:c503:: with SMTP id x3-v6mr19755395qvi.82.1535826398664;
        Sat, 01 Sep 2018 11:26:38 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
Return-Path: ThomasRGrassiJr@tgcsnet.com
Received: from TGCS021-N1.our.network.tgcsnet.com (static-96-234-33-200.nwrknj.fios.verizon.net. [96.234.33.200])
        by mx.google.com with ESMTPS id z2-v6si595107qvi.288.2018.09.01.11.26.38
        for <grassi@fdu.edu>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Sep 2018 11:26:38 -0700 (PDT)
Received-SPF: neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) client-ip=96.234.33.200;
Authentication-Results-Original: mx.google.com;       spf=neutral (google.com:
 96.234.33.200 is neither permitted nor denied by best guess record for domain
 of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
Received: from TGCS021-N1.our.network.tgcsnet.com (10.2.8.17) by
 TGCS021-N1.our.network.tgcsnet.com (10.2.8.17) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1466.3; Sat, 1 Sep 2018 14:26:17 -0400
Received: from TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3]) by TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3%4]) with mapi id 15.01.1466.009; Sat, 1 Sep 2018
 14:26:16 -0400
From: "Thomas R. Grassi Jr" <ThomasRGrassiJr@tgcsnet.com>
To: "grassi@fdu.edu" <grassi@fdu.edu>
Subject: testing TLS 1.2
Thread-Topic: testing TLS 1.2
Thread-Index: AdRCIUB8HXOj/GQVQX6mnrhFZfN2uA==
Date: Sat, 1 Sep 2018 18:26:16 +0000
Message-ID: <5b0bbbaa2ac54e8fb715329609256d54@tgcsnet.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.2.8.69]
Content-Type: multipart/alternative;
	boundary="_000_5b0bbbaa2ac54e8fb715329609256d54tgcsnetcom_"
MIME-Version: 1.0
X-MS-Exchange-Organization-ExpirationStartTime: 01 Sep 2018 18:26:40.3175
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-MS-Exchange-Organization-Network-Message-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 3224fad9-4bcc-4d47-ae98-86ea3c6b3b13:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-AuthSource:
 BL2NAM02FT028.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-MS-TrafficTypeDiagnostic: CO2PR07MB2584:
X-MS-Exchange-Organization-SCL: 1
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2018 18:26:39.9581
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-MS-Exchange-CrossTenant-Id: 3224fad9-4bcc-4d47-ae98-86ea3c6b3b13
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR07MB2584
X-MS-Exchange-Transport-EndToEndLatency: 00:00:05.8439329
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1080.019

I sent an email from my Outlook 2013 client internally to my work email address, where we are on Office 365 cloud (no on-premises Exchange there), and I use Outlook 2016 there.
0
timgreen7077Exchange EngineerCommented:
According to those headers, TLS 1.2 was used, so your Exchange is set up to use TLS 1.2 as it should be. Review part 2 of that article in regard to Schannel and see if that helps.

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
0
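The header check discussed above can be scripted. The following is an added example, not part of the original thread: it reads the `version=`/`cipher=` stamp from each Received hop and flags hops below TLS 1.2 or with no stamp. The three sample hops are trimmed from the headers posted earlier; the weak hop, its host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Three Received headers trimmed from the message posted in this thread.
SAMPLE_HEADERS = """\
Received: from CO2PR07CA0074.namprd07.prod.outlook.com (2603:10b6:100::42) by
 CO2PR07MB2584.namprd07.prod.outlook.com (2603:10b6:102:13::23) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1080.17; Sat, 1 Sep 2018 18:26:41 +0000
Received: from TGCS021-N1.our.network.tgcsnet.com (static-96-234-33-200.nwrknj.fios.verizon.net. [96.234.33.200])
        by mx.google.com with ESMTPS id z2-v6si595107qvi.288.2018.09.01.11.26.38
        for <grassi@fdu.edu>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Sep 2018 11:26:38 -0700 (PDT)
Received: from TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3]) by TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3%4]) with mapi id 15.01.1466.009; Sat, 1 Sep 2018
 14:26:16 -0400
Subject: testing TLS 1.2

"""

# Constructed hop (not from the thread) showing a handshake below TLS 1.2.
CONSTRUCTED_WEAK_HOP = """\
Received: from legacy-app.example.test (192.0.2.10) by mail.example.test
 (192.0.2.25) with Microsoft SMTP Server (version=TLS1_0,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256) id 15.1.0.0; Sat, 1 Sep 2018
 12:00:00 +0000
"""

# Matches "(version=TLS1_2, cipher=...)" as stamped by Exchange and
# "(version=TLS1_2 cipher=... bits=128/128)" as stamped by Google.
# Other MTAs use other layouts and will show up as "no-tls-info".
TLS_RE = re.compile(r"version=([A-Za-z0-9_.]+),?\s+cipher=([A-Za-z0-9_-]+)")
VER_RE = re.compile(r"TLSv?(\d+)(?:[._](\d+))?", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(.+?)(?=\s+(?:id|via|for)\b|\s*\(|;)")


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def tls_by_hop(raw_headers, minimum=(1, 2)):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        hop = {"from": _first(FROM_RE, text), "by": _first(BY_RE, text),
               "with": _first(WITH_RE, text), "version": None, "cipher": None}
        tls = TLS_RE.search(text)
        ver = VER_RE.fullmatch(tls.group(1)) if tls else None
        if ver:
            hop["version"] = (int(ver.group(1)), int(ver.group(2) or 0))
            hop["cipher"] = tls.group(2)
            hop["status"] = "ok" if hop["version"] >= minimum else "weak"
        elif tls:
            hop["cipher"] = tls.group(2)
            hop["status"] = "unparsed-version"
        else:
            # A missing stamp is not proof of cleartext: local MAPI
            # submission and some MTAs simply do not record TLS details.
            hop["status"] = "no-tls-info"
        hops.append(hop)
    return hops


def hops_needing_review(raw_headers, minimum=(1, 2)):
    """Hops that did not show at least the minimum TLS version."""
    return [h for h in tls_by_hop(raw_headers, minimum) if h["status"] != "ok"]


if __name__ == "__main__":
    for h in tls_by_hop(SAMPLE_HEADERS) + tls_by_hop(CONSTRUCTED_WEAK_HOP):
        print(h["status"], h["by"], h["with"], h["version"], h["cipher"])
```

Received headers only describe connections that succeeded and delivered mail, so a handshake that failed with event 36874 never appears in them.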
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

My registry entries look ok to me

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
Server
default
DisabledbyDefault  0
Enabled 1

The .NET part is confusing; all listed just have default with no value set.

see my attachment

Thoughts



Also, I checked the headers on some incoming emails and they are all using TLS 1.2.
event36874reg.PNG
0
timgreen7077Exchange EngineerCommented:
If there are no set values it will take the value from Schannel, and according to yours Schannel is set to enabled. So TLS is active on that server. You should see if you can find out what client app requested that connection, if possible, or at least what cipher it was attempting to use. Disregard if there are no issues in your environment as a result, or try to figure out what applications attempt to access your Exchange server.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

How am I supposed to find out which client is doing this?
0
timgreen7077Exchange EngineerCommented:
If it's not in the event logs then I don't know. You will just need to know what applications are attempting to connect to your Exchange server.
0
Thomas GrassiSystems AdministratorAuthor Commented:
All users are using Outlook 2013/2016 on Windows 10.
No older machines.

All use iPhones, Androids, iPads, tablets.

That's all I know.
0
timgreen7077Exchange EngineerCommented:
That error isn't from outlook, that looks to be maybe from a 3rd party app.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

I am running ORF Fusion on both Exchange servers

Spam filtering program

Thoughts
0
timgreen7077Exchange EngineerCommented:
Just suspend that app and see if the errors go away, but also how often do you get that error? If it's not often then it's unlikely to be ORF Fusion, since you would get the error more frequently. But also, I wouldn't run that app on Exchange anyway. If that could be run on a separate server, that would be recommended. If it can't be, then understandable, but I would avoid running any 3rd party apps on Exchange.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim,

I am still getting the 36874, and only on NODE 1. It happens just once a day now.

It happened with ORF disabled, so it is not the culprit.

ORF is running now.

Something is not set up right or this event is not being triggered properly.

Any ideas
0
timgreen7077Exchange EngineerCommented:
Could be a false positive, and since you don't know which client is attempting to connect, it's difficult to pin down. If it happens at the same time once a day then research inside your org to see if any admins have a process running that hits your Exchange server. They may have updated an app that is now causing this or something. You just have to talk to app owners.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

It happens at random times of the day, never the same time.
0
timgreen7077Exchange EngineerCommented:
Gotcha. Unfortunately, if you feel you need to find this issue, you may need to do some footwork and find out what all the apps attempting to connect to your Exchange servers are, since the alert doesn't give any IP addresses or server names.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim
I found it

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Set Value to 0 stops the logging of this event.

Thanks for all your help
0
Thomas GrassiSystems AdministratorAuthor Commented:
See last posting
0
