Windows 2016 Event 36874

Looks to be a remote client attempted a TLS connection to your exchange server and it failed. TLS 1.2 is default on Windows 2016 and Exchange provided all parameters are met. See below.

Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

Windows Server 2016
TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

See below link for more info on Exchange 2016 and TLS 1.2
https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

Tim

1. I am running CU9

2.  .NET 4.7.1 already installed.

3. Windows updates are done from my WSUS server and they are all current.

If there a special updates I should look for?

Is there a setting missing?

Both nodes have the same updates NODE 1 has issue and NODE 2 does not

Thoughts?

test that TLS 1.2 is being used. send a test email to an external domain and look at the headers to verify that TLS 1.2 was used. then do the same thing by send an email from an external domain into your org and review the headers.

also the article is a 2 part article so review to be sure your reg keys are correct and so forth.

also the error didn't tell you what client app, so your exchange may be fine but the client is requesting ciphers that isnt in your exchange server. don't always try to fix exchange because of client apps. everything isn't resolvable or should be. if there are no one issues or complaints something you have to let go or you will be chasing error or false/positives forever.

Tim

Received: from CO2PR07MB2584.namprd07.prod.outlook.com (2603:10b6:405:3b::44)
 by BN3PR07MB2577.namprd07.prod.outlook.com with HTTPS via
 BN6PR04CA0055.NAMPRD04.PROD.OUTLOOK.COM; Sat, 1 Sep 2018 18:26:45 +0000
Received: from CO2PR07CA0074.namprd07.prod.outlook.com (2603:10b6:100::42) by
 CO2PR07MB2584.namprd07.prod.outlook.com (2603:10b6:102:13::23) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1080.17; Sat, 1 Sep 2018 18:26:41 +0000
Received: from BL2NAM02FT028.eop-nam02.prod.protection.outlook.com
 (2a01:111:f400:7e46::209) by CO2PR07CA0074.outlook.office365.com
 (2603:10b6:100::42) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1101.16 via Frontend
 Transport; Sat, 1 Sep 2018 18:26:41 +0000
Authentication-Results: spf=none (sender IP is 209.85.216.197)
 smtp.mailfrom=tgcsnet.com; fdu.edu; dkim=none (message not signed)
 header.d=none;fdu.edu; dmarc=none action=none header.from=tgcsnet.com;
Received-SPF: None (protection.outlook.com: tgcsnet.com does not designate
 permitted sender hosts)
Received: from mail-qt0-f197.google.com (209.85.216.197) by
 BL2NAM02FT028.mail.protection.outlook.com (10.152.77.165) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256) id
 15.20.1101.10 via Frontend Transport; Sat, 1 Sep 2018 18:26:39 +0000
Received: by mail-qt0-f197.google.com with SMTP id u13-v6so19565913qtb.18
        for <grassi@fdu.edu>; Sat, 01 Sep 2018 11:26:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-original-authentication-results:x-gm-message-state:from:to
         :subject:thread-topic:thread-index:date:message-id:accept-language
         :content-language:mime-version;
        bh=3UVnlc5SV4pK/BzO1iYyqXgUycdxL1Q1HHSZAHsDLB8=;
        b=bJXhLVPT14rY4hEFH7teGEfYvvkoqhGC43nGjmJtF77GwEki/edAqau+PVYwTWrFat
         WumC5csShlPGaixrjIj25PlwZ7w1tOOmyyY1usMbdxgojL1pRaTm5tkivcvFjCNL+TGw
         MH84V1Xumx6meynaTKShfi22HUu6vVswZ6TnninaQjkIaiWOUsu6sgWMxW2YY9D+l1/f
         2KU1DSDb0TE4yV4jv6PDQma/l8DAOs39GygG5LP63WGb3nqQBha16imrUcPAsnVzAjQ2
         EtyLKybOMXSWanNc7klF48aZs9fmpd5UePDu7pOrzOPE7tvkMOwPGp0bawCOCO9X/LpJ
         wGaw==
X-Original-Authentication-Results: mx.google.com;       spf=neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
X-Gm-Message-State: APzg51AGCxMcukjiUzWwXCv6Q0h/4Gm+2C/c8BDJzWDnrDBN2wRyWX6T
	/F0hypikjxZyD92IRb3Jn5LSM0ULjlXbVZHRCDtUex82/9WxwyyakHhpn/Mftzu0KcCVAAhMnzD
	SQr4baKl6O2WOaisSlWdCpNPjH93sgpVMAknzIHumvppVo1sFq8i/hdwJx1WOcQ==
X-Received: by 2002:a0c:c503:: with SMTP id x3-v6mr19755413qvi.82.1535826399396;
        Sat, 01 Sep 2018 11:26:39 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdbBpZ/h9gQM7rhe4r72CwnRb8SRl/S+Zust9Kz0A3uvxgLaVkkhsmnopRyiJwdLvGJUoYqh
X-Received: by 2002:a0c:c503:: with SMTP id x3-v6mr19755395qvi.82.1535826398664;
        Sat, 01 Sep 2018 11:26:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535826398; cv=none;
        d=google.com; s=arc-20160816;
        b=DbtMjrHPLj+mGBXg5a3T5wxWVmI3UTj7qxCphJRrHvP5ssIgVwKEaaWF056KX+pR/x
         lmK1R5bAtF17FoQcjdEPzybX6R1ODB42Qj3Ppzqfm3y/LxnMr3lMiNyNfcufDyXpToog
         n5luPINWwGfRoR89LjcprUSlc0COSa5Mi7+5l+OtOLilisTiqoAQUR2kqD2kNYwEjjjX
         2pZm+1VhAp0VERc2phmemjT1mhmtoi5cIL5tldKFfgaCHL2B0By3pBepQoJkAMm6nfSe
         OJ3NAetzMxJiQiajlEZvoAR/PktVuCFHKvPcG9/oj8PDzvwxngGPrrbAfVuTU000xvEl
         ppnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:content-language:accept-language:message-id:date
         :thread-index:thread-topic:subject:to:from
         :arc-authentication-results;
        bh=3UVnlc5SV4pK/BzO1iYyqXgUycdxL1Q1HHSZAHsDLB8=;
        b=OuEQwrnFqRxDnc7mk8K7fzCYlxkq/zHe6M+BM50u0uFndImVxapTzeZUyVR/eZVGwX
         1tP6bgJZFFVVKQIGUYa7ERKZ7QUNmv34e3Ldf23MfYwN3A29w5uo5/xx0dTFaOsZfK9h
         ijsMna5Rqfc3tZd0bg1SUQ0qdcgOxhvQus2Spta1vSQhteSpYCrMZJ0A7XezfuxU9xyL
         TPeJekaA+QibiSg8yRxlaDbGPdLm3Nx9cTmQ6UwqPzB43hpOSJtyFK/OBiuVghty3BqH
         JkPokFNRF+Wroojrg0E4XizOiOykVmCljrpSPg3fyN7bpN+z8kl/9B1YMttTxtXJ0dZO
         OXqg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
Return-Path: ThomasRGrassiJr@tgcsnet.com
Received: from TGCS021-N1.our.network.tgcsnet.com (static-96-234-33-200.nwrknj.fios.verizon.net. [96.234.33.200])
        by mx.google.com with ESMTPS id z2-v6si595107qvi.288.2018.09.01.11.26.38
        for <grassi@fdu.edu>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Sep 2018 11:26:38 -0700 (PDT)
Received-SPF: neutral (google.com: 96.234.33.200 is neither permitted nor denied by best guess record for domain of thomasrgrassijr@tgcsnet.com) client-ip=96.234.33.200;
Authentication-Results-Original: mx.google.com;       spf=neutral (google.com:
 96.234.33.200 is neither permitted nor denied by best guess record for domain
 of thomasrgrassijr@tgcsnet.com) smtp.mailfrom=ThomasRGrassiJr@tgcsnet.com
Received: from TGCS021-N1.our.network.tgcsnet.com (10.2.8.17) by
 TGCS021-N1.our.network.tgcsnet.com (10.2.8.17) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1466.3; Sat, 1 Sep 2018 14:26:17 -0400
Received: from TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3]) by TGCS021-N1.our.network.tgcsnet.com
 ([fe80::15aa:fcea:e256:46d3%4]) with mapi id 15.01.1466.009; Sat, 1 Sep 2018
 14:26:16 -0400
From: "Thomas R. Grassi Jr" <ThomasRGrassiJr@tgcsnet.com>
To: "grassi@fdu.edu" <grassi@fdu.edu>
Subject: testing TLS 1.2
Thread-Topic: testing TLS 1.2
Thread-Index: AdRCIUB8HXOj/GQVQX6mnrhFZfN2uA==
Date: Sat, 1 Sep 2018 18:26:16 +0000
Message-ID: <5b0bbbaa2ac54e8fb715329609256d54@tgcsnet.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.2.8.69]
Content-Type: multipart/alternative;
	boundary="_000_5b0bbbaa2ac54e8fb715329609256d54tgcsnetcom_"
MIME-Version: 1.0
X-MS-Exchange-Organization-ExpirationStartTime: 01 Sep 2018 18:26:40.3175
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-MS-Exchange-Organization-Network-Message-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 3224fad9-4bcc-4d47-ae98-86ea3c6b3b13:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
 CIP:209.85.216.197;IPV:NLI;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(8156002)(2980300002)(428003)(189003)(199004)(336012)(54896002)(1730700003)(7736002)(6306002)(7636002)(356003)(72206003)(3846002)(790700001)(6116002)(5250100002)(80792005)(6916009)(246002)(7116003)(5660300001)(2171002)(8676002)(34756004)(16003)(30436002)(7596002)(1096003)(59646003)(59536001)(59286002)(2160300002)(93516011)(108616005)(24736004)(2900100001)(95326003)(7696005)(84326002)(86362001)(2616005)(476003)(126002)(426003)(5640700003)(36756003)(1240700005)(26005)(102836004)(59656003)(106466001)(564344004)(260700001)(5000100001)(486006)(14454004)(2501003)(16586007)(2351001)(4546004)(105586002);DIR:INB;SFP:;SCL:1;SRVR:CO2PR07MB2584;H:mail-qt0-f197.google.com;FPR:;SPF:None;LANG:en;PTR:mail-qt0-f197.google.com;MX:1;A:1;
X-Microsoft-Exchange-Diagnostics: 1;BL2NAM02FT028;1:pjMXTT23xqPgAGCMtTl5SDLJfPieaDvgaivOlF9o9CLTz4IRfPB+NSbESVaKtf8uPwVYuNYfl5GjsDBlBpOIn6HjVZ+mcweaSuM2iRr5UmgFMQfZbpHhEXOtzN6/blrA
X-MS-Exchange-Organization-AuthSource:
 BL2NAM02FT028.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-Microsoft-Antispam:
 BCL:0;PCL:0;RULEID:(7020095)(4652040)(5600074)(711020)(4605076)(1401180)(71702078)(7193020);SRVR:CO2PR07MB2584;
X-Microsoft-Exchange-Diagnostics:
 1;CO2PR07MB2584;3:j1GlYG7k1nBb7P3isMMOG2nr+6sKVpZafwzKTGaKEsgPTRYuJNkOilzHHrXTcF9kyeVhl+HdVPkPESIqyPTRWJ5AiBA8+Aa2F2NEV8n4I/ARUSUgM/ttE1RJOMbTDESsux+iiW0V9ayH7QI8dZpyHQJxb+PBcb8pBO5xkKPkF8Dlyo+H3a3uswYwIiuXvAXH95ZZcsVr4bypInfeu8duDNDY93YkihiNGev2W9plrOnJWCPHjeFRQzbSi3mgUJ1xeF2X4rbVERy9qsvgaeLHoQ/G3424hwrQA2wWwqBnFhFN4u6zoe7bobGmgI8DzlxdIGg6E99+UpJr5/XcT7Mn6QxBANxyEjaRZB0cG9N9fAk=;25:DXTfl3wYYpJFVUTc2/11JlnIwQzHa87kTr67Vt+9M9MJnFwzGD2SL3Fs8afkQXUFvQ9q0tWBvBxsDnN/JxMWd5tlP3iOrz18XyRSbKSQejqSrpNTNnnw5MjphNcCq2FMZuy/8Y2awGPlUZAPu1XGgg52CcJdV0Of7qB1YaDjSpys7RUhCRmZGRfOunBmtDeDXUAW4+F5HMA/roXCKyUnJ80igo+tX7gMJOir2M+xxcEANiBzYN+tuJ6aRHRjQ5NLCLxvjZ4crlnUO5D0NwLO/9aV3J5rWxnNkdf38Tv6atddJ7LYBcqUJtueh29FRTZegFd+uosm3vddQEh7WNoaaw==
X-MS-TrafficTypeDiagnostic: CO2PR07MB2584:
X-Microsoft-Exchange-Diagnostics:
 1;CO2PR07MB2584;31:NxrF9JOy8aEPbnOmA3CH1rVvCa5BwR3AkrXq1hcvKSgtpWjsGmTFAEFVZroZXvTVBP9EqOmW+dyBJkKolliMCLIiE1M7EQ2zn8+RQDyDdoJCTS69VAN+wC3H7lROutj9UzZhtKhZG5yQIbYQZp9YQSDIBsPvOoW8roI97a34lB4RvvmOsPVcYCDVAtG7TNhVaRySJgkdyTI5fl1Pa3rTUsrzT9thUJaFyB+ypG2CCjM=;20:j/3+0WyDAztnnqQ0EPIQWZtBLT/97EVE0Xohfnw1BLuT4fNE5EycrvLB0JDWojFHkRpm4ceBiMoYjVqV8oeOjD2zFgJbvjIP3awqGzRMtQYV3zItIYkz4vd7WZXH3q0LfIew3FXS87IgO9u1DzPMDyuCAa0rCIQ9EAlxeU9ePHEHbZRpXNp0ixqvCJVjMO/B93HwYbaTa+a6AIDsyBHAsDpr0sMYk6ub8cqEVjngBXFoeolH2gPhzE1cvS00534BGcoySUu/q24VHy/ylX1U5gJdQW0JYZMsEii5Zui2AO+GCxlMNxyWkyAPve+JSpDfN8eKTl9viEhEz/2d62YSwLeM0h2gByh3nb8byMzt3eUd8esSwQOcrHfTidMdflMxZsaSIg9q8LwpX28lM17xHJ+ShQg5318AP4+IvbYn5NNAbE2CXVCit4SxPVl9H+gdsZ0f399Gc/3SsXES6rAi+PQ68K+EEWFBZjxPdLlAJWN+jtxgNRCT6jiMe4HBlF9O
X-Exchange-Antispam-Report-Test: UriScan:(28532068793085)(21748063052155);
X-Exchange-Antispam-Report-CFA-Test:
 =?us-ascii?Q?BCL:0;PCL:0;RULEID:(8021118)(8001254)(8003045)(8040027)(8004?=
 =?us-ascii?Q?108)(8007045)(2018062399030)(2018011200283)(2401047)(8121501?=
 =?us-ascii?Q?046)(52410047)(2018011210174)(2018011211064)(2018011212028)(?=
 =?us-ascii?Q?2018011213028)(2018011214028)(2018011215028)(2018011216028)(?=
 =?us-ascii?Q?2018011217028)(2018011218028)(2018011219092)(2018011220252)(?=
 =?us-ascii?Q?2018011221063)(2018011222027)(2018011223027)(2018011224027)(?=
 =?us-ascii?Q?2018011225035)(2018011229035)(2018011230256)(2018011231158)(?=
 =?us-ascii?Q?2018011232269)(2018011233052)(2018021202149)(98810176)(20180?=
 =?us-ascii?Q?21203149)(98815176)(1430482)(1431068)(1500222)(8020062)(8030?=
 =?us-ascii?Q?027)(8008073)(8028028)(8029027)(8041027)(8042027)(1437138)(1?=
 =?us-ascii?Q?551054)(823300264)(823350442)(823411253)(9101536074)(1020150?=
 =?us-ascii?Q?1046)(3002001)(3231311)(901025)(902075)(913088)(7045084)(944?=
 =?us-ascii?Q?500087)(944510158)(944921075)(946801078)(946901078)(93000001?=
 =?us-ascii?Q?66)(9301004277)(52103095)(52105095)(52106170)(52408095)(9882?=
 =?us-ascii?Q?1027)(98822027)(52401380)(52601095)(52505095)(52406095)(5230?=
 =?us-ascii?Q?5095)(52206095)(88860193)(1102011)(93006095)(93003095)(16100?=
 =?us-ascii?Q?01)(8301001075)(8301003183)(201708071742011)(7699016);SRVR:C?=
 =?us-ascii?Q?O2PR07MB2584;BCL:0;PCL:0;RULEID:;SRVR:CO2PR07MB2584;?=
X-Microsoft-Exchange-Diagnostics:
 1;CO2PR07MB2584;4:SCwevgCX1d6QFJwEVAkR2mmKezexbxpQGam/WpEAKOR//36pPspTmO0ctB9NhPBq030WQHt1ITBvJtF6lJ5hNIFJooOW4gyaRc0fMnQfQio9NBpjTliOO/5nbXfQRYibDXjLJmqoDQ66ixkouLy+TTJVQWAsyn/RLGdFee54zRn6hundcJcjAuUuly9VNdtKwZqc5Cv3t5CAiOMfrsYuLRzRbhPlOERtifOUqQA0VEOwKaQDrPfev0sHUDch1p+ix1EwJvqmMkLHcPV4MkS5qTmWu3j/I/s5F50DRlc6Tx7Uj3WfXVA88UUg+dDxjguEaF2i7ko+ujTsYI1/ec5YHx25FyXXvE0SbENpC1LQ2zw=
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Exchange-Diagnostics:
 =?us-ascii?Q?1;CO2PR07MB2584;23:dB05+FhjbkOr174yxbJXiNyWSRve8bl6/5kW66MKk?=
 =?us-ascii?Q?KeMN55mYkb7hgmSW7XyfCjvhZ2YcQUBSq2/3O1K2I9TGkVtHDVEmAigaB9pt?=
 =?us-ascii?Q?8sOkwFVy1s2609BTFcydMhdNRjsC0FojRh1P3AvqOdvZZLb/Xy1CW/bodMnb?=
 =?us-ascii?Q?pt5GxEuqIb0RHnHzQv0FTxf+HX3+tq+rU5H6wBIz3PmfXA9hyz5a7NwP81e+?=
 =?us-ascii?Q?8fB1K3Y0qGjdhtKeHWp6+LUtiwSoOUqOps/O3N2GoIU4+OoIHp+plTVwL2sg?=
 =?us-ascii?Q?xucKgoqEOiFXeFO5UsEhZ2z3m4THNNhnRCr18jfHwbNHthZ9A9SB78WLvzY0?=
 =?us-ascii?Q?aSNq9PUF0WJCTEbUak1UInLX4g40lGT8xFa9qyeVBTG+OO4mbpUnHeYq3kmD?=
 =?us-ascii?Q?MWPz5cnVwggnd40mL8YxMDzyqvFMbTvL1K0+E0TmvKN1cJwPjEsBdVM0XgEP?=
 =?us-ascii?Q?otzSHFkB3nnNrlHM+JyMRDa1PX2VkyZGev5Aai2Z+gyLu2N/1gvfsENnuL5g?=
 =?us-ascii?Q?rziYVco5sTBY3RJhO786wC/tY7C4Q8KQ/nsqs5/G4Vg6jtpPHUg0UdXJT+ze?=
 =?us-ascii?Q?X9RsQv/7Sb/d1RCEP9ceBOPm5GgFsmue362Wb/rqD25CFI9YnKNn2wGjEzOz?=
 =?us-ascii?Q?QSLtN3hRW6+ODmyO6g5qVkxINwN1P1I5VmiaZHrSFS7NZnWg0dg3ZvKt6SEk?=
 =?us-ascii?Q?elwoqeRL/Is+Tcj8kYk2Q1pUILz8D1Iqm6TqUTxUviIxAFJIi1OCjOSUz5DW?=
 =?us-ascii?Q?jUmZ3Woeq0pg4/ef1/j4iKsmoFpvSkKlW0/8mHu7HQzpH5hrK/h3YezY4Rdu?=
 =?us-ascii?Q?8MAdJmNF3sfrjvxJG2iTTcygLELJf+3MQ8+qUldbeRRW3tJuNq7YM48k0a4g?=
 =?us-ascii?Q?zfLuavrniQIY8c03qAVJ+I72mklxbB0oW2y5XHrRA1y4efNAi4xKQNYSb/PO?=
 =?us-ascii?Q?oHIgm2XjNdblEeQ3wOnqp+rKonnyoPaUK5yfMqkKxBH33iFmjsRX+nKy5MtX?=
 =?us-ascii?Q?F/VhCsfNLwTUFflGsGElyvIDfxczu5ZBbKfzI7I9I7dVxdd9eR2opIx7q6KO?=
 =?us-ascii?Q?gs1rwwvt8pfsaSkmhu6+Onm0I97JYsj3vlCMOjad4FfAnJhVXuZOP6WuoVU6?=
 =?us-ascii?Q?UyXkbk6iXrNzCsG5c5Y2TgotBMVeBfLqnJwENO+89hvCKpLaU0oYWLokKc11?=
 =?us-ascii?Q?mtwY+tcXoH0TrXArC3aNr6omMs7w227ZK2LjsJoaciZEziuB+lASkyKcCKuf?=
 =?us-ascii?Q?JiW7axzw4ibebYEo6rNangCg1EE6NfSEyExmQK4nhU7COZLaLTOmnu4o2f08?=
 =?us-ascii?Q?w8a24LDo4gri+ZgMJdY+cGfG1EXZQHRTdg5zDrX6ztkukP2MHsp0K9jru06I?=
 =?us-ascii?Q?xMD9AYybhh4jCkvCnPASskKAUW/XtNERGXeofK6Lfrh2anI?=
X-Microsoft-Exchange-Diagnostics:
 1;CO2PR07MB2584;6:MU76bu3MllmktgZeHVg/LOPnVEcc34hnPuF1wDcGQ62YS9NTuTFA5e5l2+wcWaFQb/qrTUggsm114Hf/sKeNHlfqoai8KCF/UUo6WCFrfCUxkh8LgcUqJh+hWVOX9X3xc/fYlfSNHCttVDUrUXoYulh4ZQURgzHwvS+56Bjj5gzaDcWZxCfo0uIrI4VYX9tqLxcqf5vsyVxkqKgZQFDWIt0bB9BKbNJzZVq/fVUipaK2tEDxoB+KWzPeL0+azYRskWaeyCXON9f1umaa3gXyyvkn54hTLuJlNYv+dG4qvI+u5z87y5WegXIwxc3NnFD9a81ZsNiPHpRCrn3uyYOqSLycg3Y3lctWjbeerg3UPuK/WXqUXIeuZSpDDfWx5NfOXF5Gxg+2jN3jw8oQqAZoQxYXMRNH54hlUMPqrRJhtOsYwBUd2OW/QrQ/ICtIXz9ckyYtVU/Ipr5eUw274yYJpA==;5:dX4lyFH3eUKyIlSQjOEZojJmNRejQt8a+RuoxCxhCTaoPBlQYNc1FK4WfzooudkqQeeYXl8XDDSopwEuS765CilxbHUTcbCmey/sWnnlqauxDeT8LWySlpmoDmpAcDwwxsIst8o8iyTdQ9JfuVPWyI99kBUbaoTMQefkgBriJ4w=;7:A/3QFqgqpURg7c1AQSHuV8c88N+SHeqsDPG6ggozk9/ZGVpXX+z+OlX4gxu6BlK5YJLokwxknp3gPNNHSXmeC1zIBm1qThBrDn9UO/4pbuvncTh0hNDLFFdJXK9/t8J895VVv2gnFtKw94UO31O9xXjarDP9WoQ4IlNA0B6L41LLbyGEyizdCoQTItMJgf77uXI0y4S4L1zTgeRzFtOh0Vbut3Ylj9B1CGpT+vOxzDS0KDT9m4KFq02PzrgVDvEU
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2018 18:26:39.9581
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c3ad8ee-d096-46ac-24d8-08d6103875fc
X-MS-Exchange-CrossTenant-Id: 3224fad9-4bcc-4d47-ae98-86ea3c6b3b13
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR07MB2584
X-MS-Exchange-Transport-EndToEndLatency: 00:00:05.8439329
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1080.019
X-Microsoft-Exchange-Diagnostics:
	1;BN3PR07MB2577;9:6Y8/EO/+JzneX/2+idg3pIATkiDz763c/ogngQ2XAfOriz70UZbmRrBlpmedMFlHhiTfqlyUYhgC1/JxFZuu4lKis28j/gaCqSfv9MF7SSek82YUx9JzMP0YaPAR8ksQ
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750119)(520011016)(944506301)(944626516);
X-Microsoft-Antispam-Message-Info:
	JeHfpSsh24j4VsQTC+irEX5Z5rnHHITWMU3LtuuMYlpRmyBD6M2cyrWSKG1zDuNWce744EIslAbRxr7odOuQAwOufCnde54Sbbe+pzo9ROspiluHZ5Oz/dSsvF6NHoMmSHsb4WmgrApBLjY2jmTS7igU2dy5QaM6eT7X9Uay8h7QXI6bo9Lp1dCv3eG5vPRDmJi7k1KrLy5V8EQimvQv2vkCQajniCJzieyYVuWhktg9xN/B3fuscxH1RsBP8aRfmP0URs+JqK9o8o9QBikXee4rmE0ekYr/YM+JO4EARcy8f6g2m/kWRKFA1X/tJYj4dibTYh08N/bXab36y4zxiQ6z5ohQZpvf+U/f1T6v1Q5my5Z81A29jmNUjaRkFCvd1Cmh/xxmanNEUuVOPLQMgiG3h4xk7wcGovL2cdC18pyYVYuOKDtwrnHdgmjOsKbzUS0rzlYS40CQrC2YfXfeu5ZOHWL8ZJ1V6DCzx8wd9TgMdXs4zauq+7YBJersB4IbZmdX0zr2ZejBLGWxTcw8gdg72dNFRHNmf2zW5TQgbUJYnrqakR0fZITLQobe2DeUQOEPkVWV1dR+IN15Aaq3eBrfMd6dUbuAZDGhMfnuV145vPazJwR4h5zy3SAnX9hnX1LvRT26SOtkq6Mn5v2vkNx/I60l3Sl9VVZlxst3g1M0/ykuB4RZmp/YbK8w8QVZhFAPfmz2XF4YsvzywK33gVw6beFwGjeYbsrjAs45w6oLrLs01jdS/P5r2PH4DLRpTnqzNxdW70f86aD914gpVGX3YWb3U+fQLnc7HUbEze08+p9KBThtIMkXebNLJoSM58SqXOyfQMvvCXRMyLGlsg==
X-Microsoft-Exchange-Diagnostics:
	1;BN3PR07MB2577;27:bXjHGgYeSrCH6j06853NrAeHjM/Zv8+zoUfCmjSyUQf24avjwnXSgHZwBOjpmYnoOi3M71VQILDUpPeWVBOKtH3qKn2eEsoEeHscsKYGFe/527YQDqZgQ8Ke2hG10xFMDzJ0iUZ4yLLDH/pClfAYi47OwCaSAUnPDNzwLiNdItJGA+We8OakV81G7yfF/3EOrWW0m8FYLeC4GRdiIq7PeayZXn2u5Y5KGL5t3p8qsYxPWqRQaHwxexNZk3AaQRoBhbTZ46foOeR6mW4pDZpbfo2ReiQpMSSEqFFA156TOgGMwcThenEB9Jt9Zx5wP3SGlIkJMIe9FayazdEhPdGtlcUXP1qWQ2ophVdL2hvW+kH5RAWUwQrY/1OhbqBNuSFz2LMl7RnnI51C/hw5MTjr8A==

Select allOpen in new window

I sent email from my outlook 2013 client  internally to my work email address which we are on Office 365 cloud no on premise exchange there  and I use Outlook 2016 there

According to those headers, TLS 1.2 was used, so your exchange is setup to use TLS 1.2 as it should be. Review part 2 of that article in regards to schannel and see if that helps.

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

Tim

My registry entries look ok to me

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
Server
default
DisabledbyDefault  0
Enabled 1

The .net part is confusing      all listed just have default  with no value set.

see my attachment

Thoughts



Also i checked the headers on some incoming emails and they all are using TLS 1.2
event36874reg.PNG

If there are no set values it will get take the value from schannel and according to yours the SChannel is set to enable. So TLS is active on that server. You should see if you can find out what client app requested that connection if possible in or at least what cipher it was attempting to use. Disregard is there are no issues in your environment as a result or try to figure out what applications attempt to access your exchange server.

Tim

How am I suppose to find out which client is doing this?

if it's not in the event logs then I dont know. you will just need to know what applications are attempting to connect to your exchange server.

All users are using outlook 2013/2016 on windows 10
No older machines

All use IPhones androids iPads tablets

That's all my know

That error isn't from outlook, that looks to be maybe from a 3rd party app.

Tim

I am running ORF Fusion in both exchange servers

Spam filtering program

Thoughts

Just suspend that app and see if the errors go away, but also how often do you get that error? If its not often then its unlikely to be ORF Fusion since you would get the error more frequently, but also, I wouldn't run that app on exchange anyway. If that could be run on a separate server, that is would be recommended. If it can't be then understandable, but I would avoid running any 3rd party apps on Exchange.

Tim,

I am still getting the 36874 and only on NODE 1  it happens just once a day now.

Happened with ORF disabled not the culprit

ORF running now

Something is not setup right or this event is not being trigger properly

Any ideas

could be a false/positive and since you dont know which client is attempting to connect , then it's difficult to pin down. if it happens at the same time once a day then research inside your org to see if any admins have a process running that hits your exchange server. they may have updated and app that is now causing this or something. just have to talk to app owners.

Tim

It happens a random times of the day never the same time

gotcha. unfortunately if you feel you need to find this issue, you may need to do some footwork and find out what are all the apps attempting to connect to your exchange servers since the alert doesnt give any IP addresses or server names.

Tim
I found it

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Set Value to 0 stops the logging of this event.

Thanks for all your help