Event ID: 36888 Event Source: Schannel 10/10

    Question

  • I'm about to end my pursuit in identifying the cause of this alert. This thread is the most helpful thing I've found in relation to the event ID I'm seeing...

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/eca5e2cb-28b2-4170-944b-c4c3ea7c8d72

    Here is a copy of the alert:

    Log Name:      System
    Source:        Schannel
    Date:          27/02/2012 09:20:49
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      ViMM.benendensch.local
    Description:
    The following fatal alert was generated: 10. The internal error state is 10.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-27T09:20:49.202944200Z" />
        <EventRecordID>153987</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="620" />
        <Channel>System</Channel>
        <Computer>ViMM.benendensch.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">10</Data>
      </EventData>
    </Event>

    As in the thread, this is a 2008 R2 server. It is also a Hyper-V VM, hosting SCVMM and SCOM. As well as the Default website it also has a website for SCVMM and SCOM, but I can't see any issues with any of these.

    The alerts occur every half an hour on the dot, so to me this looks more like a SCOM monitor or task. But who knows! I could follow the advice of the above thread and disable the logging, but I'd prefer to find the problem instead.

    Any ideas greatly received.

    Cheers,

    Andrew

    27 February 2012 9:47

Answers

  • Quick update.

    Although Bourbita's post helped in terms of identifying the meaning of the alert, unfortunately in my case the resolutions didn't apply.

    I ran a Wireshark trace, and found errors that were to do with accessing our SharePoint server, which occurred at the same time as the alert. This confirmed to me that this was looking more likely to be an issue with SCOM. Disabling services for SCOM and SCVMM also showed that alerts did not occur if SCOM's services were disabled.

    I then removed the server agent from SCOM for the SharePoint server, and this proved the alert is related to SCOM's interaction with this server. This may be due to a number of reasons, not least that it lives on another domain. This means I have the option of looking at any issues there might be in contacting the server, possibly run-as accounts, or turn off Schannel logging now that I know what's causing the alerts.

    As this appears to have become a SCOM issue there's probably not much more to add here. Thanks to Bourbita for your reply.

    In this instance Wireshark was the key to identifying what was triggering this alert.

    Regards,

    Andrew

    27 February 2012 14:13

All replies

  • Hi,

    Try to see the solutions in this link:

    Event ID: 36888 Source: Schannel


    Best regards
    Bourbita Thameur
    Microsoft Certified Technology Specialist: Windows Server 2008 R2, Server Virtualization


    27 February 2012 10:00
  • Great Thanks,

    That certainly gives me a little more to go on. I had already uninstalled Kaspersky hoping it would resolve it, but like in the article that seems to be more for the 1203 alert.

    I'll take a look at the TLS options under IE, but that doesn't seem to fit in this particular environment.

    27 February 2012 11:29
  • Signing into Lync connected to Office 365 causes the issue.  I reproduced the problem several times by exiting and then starting and by signing out and signing into Lync Online. The Process ID indicates LSASS.EXE but the problem is caused by Lync.

    Log Name:      System
    Source:        Schannel
    Date:          11/3/2012 2:48:34 PM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      Mitch-PC
    Description:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-11-03T20:48:34.424489500Z" />
        <EventRecordID>52839</EventRecordID>
        <Correlation />
        <Execution ProcessID="716" ThreadID="7500" />
        <Channel>System</Channel>
        <Computer>Mitch-PC</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">10</Data>
      </EventData>
    </Event>

    3 November 2012 20:53
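
The triage steps discussed in this thread (reading the alert code out of the Event XML and noticing that the alerts arrive on a fixed schedule) can be scripted over exported events. The following is an added example, not code from any poster in the thread; the function names are hypothetical, the alert names come from RFC 5246 section 7.2, and only the first sample timestamp is taken from the thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from statistics import median

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of TLS alert descriptions from RFC 5246, section 7.2.
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error"}

def parse_event(xml_text):
    """Return time, alert name and PID for a Schannel 36888 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "36888":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime").rstrip("Z")
    head, _, frac = stamp.partition(".")
    frac = (frac + "000000")[:6]  # Event XML has 9 fractional digits; %f takes 6
    when = datetime.strptime(head + "." + frac, "%Y-%m-%dT%H:%M:%S.%f")
    code = int(data["AlertDesc"])
    # The PID is the process that logged the event (LSASS in the last post),
    # not the application whose connection failed.
    return {"time": when, "alert": TLS_ALERTS.get(code, f"unknown({code})"),
            "pid": int(root.find("e:System/e:Execution", NS).get("ProcessID"))}

def recurring_interval(times, tolerance_s=60):
    """Return the median gap in seconds if every gap is within tolerance of it."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mid = median(gaps)
    return mid if all(abs(g - mid) <= tolerance_s for g in gaps) else None

def triage(xml_events):
    """Summarise 36888 events: count, decoded alerts, fixed interval if any."""
    parsed = [p for p in map(parse_event, xml_events) if p]
    return {"count": len(parsed), "alerts": sorted({p["alert"] for p in parsed}),
            "interval_s": recurring_interval([p["time"] for p in parsed])}

# Constructed sample: trimmed copies of the first record in the thread. The
# later three timestamps are made up to mimic the half-hourly pattern.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>36888</EventID><TimeCreated SystemTime="{t}" />
    <Execution ProcessID="572" ThreadID="620" /></System>
  <EventData><Data Name="AlertDesc">10</Data><Data Name="ErrorState">10</Data></EventData>
</Event>"""
STAMPS = ["2012-02-27T09:20:49.202944200Z", "2012-02-27T09:50:49.310000000Z",
          "2012-02-27T10:20:49.150000000Z", "2012-02-27T10:50:49.400000000Z"]
SAMPLE = [TEMPLATE.format(t=t) for t in STAMPS]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A fixed interval in the result points towards a scheduled monitor or task as the source of the failing connections; finding the peer still needs a network capture taken at the time of the alert, as in the accepted answer.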