Help Tracking Down The Culprit Causing Schannel Errors in Windows Event Viewer Schannel Error 36874
I am setting up a new Windows Server 2019 machine with IIS & .NET applications. The Event Viewer is getting hammered with Schannel Errors (36874):
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
I am accessing this via RDP, if that's helpful.
Here is my question:
How can I tell what Remote Client Application or Program (in the form of the Connection) is attempting to connect via TLS 1.0?
Is there a tool in SysInternals that might be helpful?
Thanks!
....
Requires some registry changes.. also some changes in group policy
ASKER
The RDP comment might be misleading - I can log in fine and the Event Viewer errors are generated due to websites. Sometimes it's difficult to determine what to include and what not to include when writing these up.
To Andrew's point, I did determine via the Event Viewer that the User is S-1-5-18 (or NT Authority/System).
I've made several Registry Changes already, enabling and disabling TLS at various combinations based off the Server that I'm migrating from.
I'm accessing sites that are "hard-coded" to the HOSTS file, so I don't think it's an external application. Would that make a difference in tracking down why this is showing up in the Event Viewer?
Thanks for your guidance.
I would say your best bet here (if you can't identify the offending TLS 1.0 from the event logs) is to do a sniff port and use Wireshark to identify the TLS 1.0 source application/device.
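Added example, not part of the thread: once a capture has the failing handshake, the fields that matter sit in the client's first record, the ClientHello. This Python sketch decodes the offered version and cipher suite list from one record's raw bytes; the sample record is constructed for illustration, and the function and table names are hypothetical.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few IANA cipher suite IDs for readable output; unknown IDs are shown as hex.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def parse_client_hello(data: bytes) -> dict:
    """Return the versions and cipher suites offered in one ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_version, record_len = struct.unpack_from("!HH", data, 1)
    handshake = data[5:5 + record_len]
    hello_len = int.from_bytes(handshake[1:4], "big")
    hello = handshake[4:4 + hello_len]
    if hello_len < 35 or len(hello) < hello_len:
        raise ValueError("truncated ClientHello (fragmented or cut-off capture)")
    # client_version is the highest version offered (TLS 1.2 and earlier); the
    # record-layer version can be lower than it, so both are reported.
    client_version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                      # client_version + 32-byte random
    pos += 1 + hello[pos]             # session_id length byte + session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello before cipher suite list")
    suites_len = struct.unpack_from("!H", hello, pos)[0]
    raw = hello[pos + 2:pos + 2 + suites_len]
    if suites_len % 2 or len(raw) != suites_len:
        raise ValueError("malformed cipher suite list")
    ids = [v for (v,) in struct.iter_unpack("!H", raw)]
    return {
        "record_version": VERSIONS.get(record_version, f"0x{record_version:04X}"),
        "client_version": VERSIONS.get(client_version, f"0x{client_version:04X}"),
        "cipher_suites": [SUITES.get(i, f"0x{i:04X}") for i in ids],
    }

# Constructed sample: a TLS 1.0 ClientHello offering only RC4 and 3DES suites.
_body = bytes.fromhex("0301") + bytes(32) + bytes.fromhex("00" "0004" "0005000a" "0100")
SAMPLE = (b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4)
          + b"\x01" + len(_body).to_bytes(3, "big") + _body)

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

Comparing the decoded suite list against what the server has enabled shows whether there is any overlap, and the source address and port of the packet carrying the record identify the connecting host.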