getting Schannel 36874 errors on my CAS/HT servers

    Question

  • See below... everything seems to be working fine, but we get these a couple of times a day at random times.

     

    Schannel 36888 - "The following fatal alert was generated: 40. The internal error state is 107."

     

    Schannel 36874 - "An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

    Tuesday, March 29, 2011 6:45 PM
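The two event IDs above can be pulled out of the System log and bucketed by hour, which turns "a couple of times a day at random times" into a timeline that can be lined up against IIS or Exchange logs. This is an added example, not code from the thread; it assumes the Schannel source writes to the System log (it does on Windows Server 2008/2008 R2) and `$lookbackDays` is an arbitrary window.

```powershell
# Added example, not from the thread: list Schannel 36874/36888 events from the
# System log and count them per hour. Read-only; nothing on the server changes.
# Assumptions: the Schannel provider logs to 'System'; $lookbackDays is arbitrary.
$lookbackDays = 7

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874, 36888
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Schannel 36874/36888 events in the last $lookbackDays day(s)."
} else {
    # Totals per event ID
    $events | Group-Object Id | ForEach-Object { '{0,6}  x{1}' -f $_.Name, $_.Count }

    # Hourly histogram: a client retrying every few seconds shows up as one
    # hour with a very high count rather than as scattered single events
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object { '{0}  {1,5}' -f $_.Name, $_.Count }

    # Full text of the newest 36874 (note: the event carries no client address,
    # so the timeline is what you correlate against other logs)
    $events | Where-Object { $_.Id -eq 36874 } |
        Select-Object -First 1 -ExpandProperty Message
}
```

Run it in an elevated PowerShell session on the CAS/HT server that logs the events; the hourly view is usually enough to tell a single misbehaving client (regular bursts) from random one-off connections.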

Answers

  • To work around this issue, we can set the event logging value to 0 under:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

     

    Thanks,

    Simon

     


    This simply turns off the error reporting.  The events you are seeing are a result of an incompatible browser trying to open OWA or something along those lines.  I haven't quite figured out what the problem is yet but it has something to do with an SSL 3.0 request coming into the server but it doesn't know how to handle it.  Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, I see SSL 2.0 but no SSL 3.0 listed.  Not sure if this is the problem but that's where I'm heading to troubleshoot.

    Just so you know, I'm trying to open OWA from my new Acer tablet using the stock browser...it just keeps prompting me to enter credentials then eventually my account gets locked out.


    On further investigation I found the following article.  I will restart after hours and see if it fixes this.

    http://www.techieshelp.com/how-to-enable-ssl-3-0-server-2008-sbs-2008/

    • Marked as answer by Sam Booka Wednesday, May 25, 2011 5:57 PM
    Tuesday, May 24, 2011 6:43 PM
  • To work around this issue, we can set the event logging value to 0 under:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

     

    Thanks,

    Simon

     

    Monday, April 04, 2011 7:02 AM
    Moderator

All replies

  • Our servers are receiving the same errors and the registry key from the article was set to 1.
    Wednesday, March 30, 2011 3:10 PM
  • We are set to 1 as well.

    To disable this it should be set to 0?

     

    should we be concerned about this?

     

    Thanks

    Drew

    Wednesday, March 30, 2011 7:38 PM
  • Are you using a self-signed cert or a third-party cert on your server?
    Wednesday, March 30, 2011 7:49 PM
  • 3rd party SAN cert.
    Wednesday, March 30, 2011 10:13 PM
  • You would see these errors if you have TMG server for reverse publishing and are doing HTTP inspection.

    Wednesday, March 30, 2011 11:00 PM
  • I don't think we are..

    We don't have a TMG server and I am not even sure what reverse publishing is :)

    Thursday, March 31, 2011 3:39 AM
  • Simon_Wu,

     

    So what you're saying is that this error means nothing and that we should just disable the logging of said events?

    Monday, April 18, 2011 7:12 PM
  • If everything works properly and you do not want to see this error ID in the Application log, you can work around it by disabling it.

    Thanks,

    Simon


    Tuesday, April 19, 2011 8:11 AM
    Moderator
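Before setting that value to 0 it is worth knowing what the key currently says and what 0 actually does: EventLogging is a bitmask covering every Schannel error on the host, not just 36874. The script below is an added example, not code from the thread or from Microsoft; it only reads the value. The bit meanings it assumes are the documented ones (1 = errors, 2 = warnings, 4 = informational/success; 0 = nothing), with 1 as the default.

```powershell
# Added example, not from the thread: read SCHANNEL\EventLogging and explain the
# current value. Read-only; nothing is changed.
# Assumed semantics (documented Schannel bitmask): 1 = errors, 2 = warnings,
# 4 = informational/success; 0 = log nothing; default is 1.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$item = Get-ItemProperty -Path $schannel -Name EventLogging -ErrorAction SilentlyContinue

if ($null -eq $item) {
    Write-Host 'EventLogging is not set: Schannel uses the default (1 = log errors only).'
} else {
    $value  = [int]$item.EventLogging
    $levels = @()
    if ($value -band 1) { $levels += 'errors' }
    if ($value -band 2) { $levels += 'warnings' }
    if ($value -band 4) { $levels += 'informational' }

    if ($levels.Count -eq 0) {
        # 0 silences 36874, but also every certificate and handshake failure
        # Schannel would otherwise report on this host
        $msg = 'EventLogging = {0}: all Schannel logging is off. Event 36874 goes away, ' +
               'but so does every other TLS failure on this server.'
        Write-Warning ($msg -f $value)
    } else {
        Write-Host ('EventLogging = {0}: logging {1}.' -f $value, ($levels -join ', '))
    }
}
```

If the output already reports "logging errors" (value 1), the events in this thread are the normal error level, which is why the workaround has to drop the value to 0 to hide them.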
  • ^ I know I may be resurrecting the thread here, but I wanted to make it a bit easier for anyone with similar problems...  The link above is right on the money, but there is a typo in the instructions and, if not careful, you may commit a change that isn't entirely desirable.

    Without further ado:

    START > RUN > NOTEPAD > OK

    Paste this exactly as it appears in the window:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]


    FILE > SAVE AS > SELECT YOUR DESTINATION (Desktop for ease) > In the file-name box, type exactly (quotes included):

    "SSLAdditions.reg"

    Shut down Exchange Services Gracefully.  Following the same fashion as above, start Notepad and paste:

    net stop msexchangeadtopology /y
    net stop msexchangefba /y
    net stop msftesql-exchange /y
    net stop msexchangeis /y
    net stop msexchangesa /y
    net stop iisadmin /y
    net stop w3svc /y
    shutdown -r /t 10

    Save this file to your desktop as well using the same procedure as the registry instructions above, but this time, name it (quotations included):

    "XCHGracefulShut.bat"

    After all services have gracefully shut down, the script will initiate the shutdown command and do so after 10 seconds of committing it to the shell.

    Cheers,

    bp


    • Edited by bp2000 Wednesday, April 02, 2014 5:06 PM Spellcheck
    • Proposed as answer by bp2000 Wednesday, April 02, 2014 5:08 PM
    Wednesday, April 02, 2014 5:04 PM
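After importing a .reg file like the one above, the useful check is to read back the effective client/server state of each protocol key rather than trusting the import. The script below is an added example (not bp's, not from the linked article); it is read-only, and it goes slightly beyond the .reg file by also reporting TLS 1.1 and TLS 1.2, which the file does not touch. The semantics it assumes are the standard Schannel ones: `Enabled=0` turns the protocol off, `DisabledByDefault=1` leaves it available only to callers that ask for it explicitly, and a missing key means the OS default applies. It flags SSL 2.0 and SSL 3.0 when they are explicitly enabled, since both are deprecated (SSL 3.0 by RFC 7568) and an import that switches SSL 3.0 on should be a conscious, temporary decision. For the three cipher keys it uses .NET `OpenSubKey`, because the PowerShell registry provider treats the `/` in names like `RC4 128/128` as a path separator.

```powershell
# Added example, not from the thread: report the effective state of each
# SCHANNEL protocol key (Client and Server) plus the cipher keys the .reg file
# creates. Read-only.
# Assumed semantics: Enabled=0 -> off; DisabledByDefault=1 -> on request only;
# key absent -> OS default.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # TLS 1.1/1.2 added beyond the .reg file
$weak      = 'SSL 2.0', 'SSL 3.0'                                    # deprecated protocols

function Get-SchannelState {
    param([string]$Path)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (OS default)' }
    $enabled = $p.Enabled
    $dbd     = $p.DisabledByDefault
    if ($enabled -eq 0) { return 'disabled (Enabled=0)' }
    if ($dbd -eq 1)     { return 'available on request only (DisabledByDefault=1)' }
    if ($null -eq $enabled -and $null -eq $dbd) { return 'key present, no values (OS default)' }
    return 'enabled'
}

foreach ($proto in $protocols) {
    foreach ($side in 'Client', 'Server') {
        $state = Get-SchannelState "$base\Protocols\$proto\$side"
        $line  = '{0,-8} {1,-7} {2}' -f $proto, $side, $state
        if ($weak -contains $proto -and $state -eq 'enabled') {
            Write-Warning "$line  <-- deprecated protocol explicitly enabled"
        } else {
            Write-Host $line
        }
    }
}

# Cipher keys: the .reg file only creates them empty, which changes nothing by
# itself. '/' in the key names breaks the HKLM: provider, so use .NET directly.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($name in 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168') {
    $k = if ($ciphers) { $ciphers.OpenSubKey($name) } else { $null }
    if ($null -eq $k) {
        Write-Host "$name : key absent"
    } else {
        $e = $k.GetValue('Enabled')
        if ($null -eq $e) { Write-Host "$name : key present, Enabled not set (OS default)" }
        else              { Write-Host ('{0} : Enabled=0x{1:X8}' -f $name, $e) }
        $k.Close()
    }
}
if ($ciphers) { $ciphers.Close() }
```

Run it once before the import and once after the reboot; the before/after diff is the record of what actually changed, and a line ending in "deprecated protocol explicitly enabled" is the one to revisit once the incompatible client has been identified.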
  • Brilliant! Thanks a ton. Have had this issue for a while, even from a spanking new DVD win 8.1 install to new SSD.

    Well written, and solves the issue, does not suppress reporting the problem as stated in other "answers"

    cdh357

    Saturday, April 19, 2014 8:34 PM
  • This issue still occurs on some 2008 R2 / Exchange 2010 SP3 CAS servers when connecting 'Outlook Anywhere' clients.

    OA using basic auth. Certificate is VeriSign/public trusted SAN cert.
    Symptoms on client include intermittent lost Outlook2010 connectivity, repeated outlook authentication prompts periodically.
    Symptoms on CAS server include two schannel errors every 3 seconds in event log. No client ip or usernames are identified in the event. 'An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed'

    Clients are w7Prosp1, Outlook 2010, all available automatic updates installed.
    No reverse proxies. No ISA, No TMG, No ARR.

    I have removed OA and reconfigured OA, no change.
    Since this is affecting client connectivity, we do not want to suppress the event.
    OWA is working fine, problem only affects OA.

    Monday, September 08, 2014 11:23 PM