locked
Event ID 36888, Source: schannel

    Question

  • I have a Windows 2008 R2 Standard server, and I sometimes see the following error in the event logs when I'm checking the Administrative Events section.

    Log Name:      System
    Source:        Schannel
    Date:          2/10/2010 12:45:53 PM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      ComputerName.Domain.local
    Description:
    The following fatal alert was generated: 10. The internal error state is 10.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-02-10T17:45:53.649819200Z" />
        <EventRecordID>2249</EventRecordID>
        <Correlation />
        <Execution ProcessID="600" ThreadID="1172" />
        <Channel>System</Channel>
        <Computer>ComputerName.Domain.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">10</Data>
      </EventData>
    </Event>

    I have not been able to figure out what this error is indicating.  Any help is appreciated.
    Wednesday, February 10, 2010 8:13 PM

Answers

  • Hi,

    Thanks for the post.

    As is shown in the Event log, this error is related with ProcessID="600" ThreadID="1172". As the current PID may not be the same as the PID was when the error happened. If we can reproduce this issue, please check the PID shown in the Event error 36888 at that time and then track down to the relevant process in Task Manager.

    Now please temporarily disable the firewall and relevant security program  to check if this issue will occur.

    And please check if this event error will be received in Clean Boot Mode.

    Clean Boot
    =============
    Let's disable all startup items and third party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:
    1. Click "Start", go to "Run", and type "msconfig" (without the quotation marks) in the open box to start the System Configuration Utility.
    2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
    3. Click the "Startup" tab, click "Disable All" and click "OK".
    4. Click "OK" to restart your computer to Selective Startup environment.
    5. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and click OK.
    6. Check whether or not the issue still appears in this environment.
    Note: Temporarily disabling the Startup Group only prevents the startup programs from loading at startup. This shouldn't affect the system or other programs. We may still manually run these programs later.

    Hope this helps.

    Miles
    Friday, February 12, 2010 9:12 AM
    Moderator

All replies

  • Hi,

    Thanks for the post.

    As is shown in the Event log, this error is related with ProcessID="600" ThreadID="1172". As the current PID may not be the same as the PID was when the error happened. If we can reproduce this issue, please check the PID shown in the Event error 36888 at that time and then track down to the relevant process in Task Manager.

    Now please temporarily disable the firewall and relevant security program  to check if this issue will occur.

    And please check if this event error will be received in Clean Boot Mode.

    Clean Boot
    =============
    Let's disable all startup items and third party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:
    1. Click "Start", go to "Run", and type "msconfig" (without the quotation marks) in the open box to start the System Configuration Utility.
    2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
    3. Click the "Startup" tab, click "Disable All" and click "OK".
    4. Click "OK" to restart your computer to Selective Startup environment.
    5. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and click OK.
    6. Check whether or not the issue still appears in this environment.
    Note: Temporarily disabling the Startup Group only prevents the startup programs from loading at startup. This shouldn't affect the system or other programs. We may still manually run these programs later.

    Hope this helps.

    Miles
    Friday, February 12, 2010 9:12 AM
    Moderator
  • Miles,

    Thanks for the response.  I checked the Process ID in Task Manager, which came back as LSASS.EXE (Local Security Autority Process).  The schannel error above happened again this morning.  I've noticed that every time I see this error it comes after a Winlogon event:

    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

    - <System>
      <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" />
      <EventID>7001</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>1101</Task>
      <Opcode>0</Opcode>
      <Keywords>0x2000000000000000</Keywords>
      <TimeCreated SystemTime="2010-02-17T13:28:33.419305900Z" />
      <EventRecordID>2690</EventRecordID>
      <Correlation />
      <Execution ProcessID="4124" ThreadID="5032" />
      <Channel>System</Channel>
      <Computer>ComputerName.Domain.local</Computer>
      <Security UserID="S-1-5-18" />
      </System>
    - <EventData>
      <Data Name="TSId">2</Data>
      <Data Name="UserSid">S-1-5-21-775469750-2292832301-732804894-500</Data>
      </EventData>
      </Event>

    I have not done the clean boot yet as this is a file server, so I have not had the opportunity to configure and reboot the server.

    Thanks,
    Mike

    Wednesday, February 17, 2010 5:58 PM
  • I see the same error. Also related to lsass.exe process.
    Not sure it`s coming up when i log on the server but it`s possible.
    It's an Exchange 2010 server running on Windows 2008 R2.
    Any help would be welcome.

    Log Name:      System
    Source:        Schannel
    Date:          08/03/2010 9:39:08 AM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      SX2.domain.com
    Description:
    The following fatal alert was generated: 10. The internal error state is 1203.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-03-08T14:39:08.447243300Z" />
        <EventRecordID>2500</EventRecordID>
        <Correlation />
        <Execution ProcessID="468" ThreadID="7620" />
        <Channel>System</Channel>
        <Computer>SX2.domain.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">1203</Data>
      </EventData>
    </Event>
    Monday, March 08, 2010 3:58 PM
  • Hi, I have the same error (Schannel - 36888 - The following fatal alert was generated: 10. The internal error state is 1203. - lsass.exe process) on server 2008 r2 with sharepoint 2007 sp2 installation.
    I thing this occurs when connecting through Outlook 2003 SP3 (windows XP SP3 client), where I have sharepoint's calendar added. There is a problem when synchronizing content: 'The Windows SharePoint Services folder could not be found. If the problem continues, contact the Windows SharePoint Services site administrator.'

    Lukas

    Wednesday, March 24, 2010 12:48 PM
  • We have the same issue on 3 exchange servers.
    And the same 1203 error.
    We do not have sharepoint installed on any servers in this domain ...

    Sunday, March 28, 2010 1:09 AM
  •  

    We have similar issue on Exchange 2010 and windows 2008

    Description:

    The following fatal alert was generated: 10. The internal error state is 1203.

    Mine also relates to lsass.exe and I think that when it occurs it knocks out outlook web access on the internet although owa seems fine on the internal network. Restarting the owa website restores access to owa.

    Monday, March 29, 2010 12:43 PM
  • We have the same issue here with Exchange 2010 and a Server 2008 R2 setup:

    "The following fatal alert was generated: 10. The internal error state is 1203."

    It also belongs to lsass.exe. It seems that the error always come up when a user is synchronizing public folders in outlook or access OWA. Both (public folders and owa) works fine for the users.

    Daniel

    Tuesday, March 30, 2010 6:59 AM
  • Have now ascertained that it does not knock out the owa - this was being caused by something else entirely.

     

    However would like to resolve the Schannel errors.

    Tuesday, March 30, 2010 12:42 PM
  • same thing with TMG2010 server on 2008 R2

    system spamming me with those errors.

    Wednesday, April 07, 2010 12:54 PM
  • I had the same schannel 36888 1203 error on my OCS 2007 server (2008 R2) after performing Windows Update on my DC (2008 R2).  It turned out that the Log On As service accounts (AD accounts) that OCS used were expired after the DC update.  I simply reset the passwords for the service accounts that the OCS server used and the schannel errors went away.  Hope that points some of you guys in the right direction.
    • Proposed as answer by feelgood13x Wednesday, April 14, 2010 6:29 PM
    Wednesday, April 14, 2010 6:26 PM
  • I've got the same error and I suggest to unmark Miles Zhang answer, because it's an unresolved issue which prove dozens of posts not only on Technet forums.
    I see tens of these errors per a day between the Hyper-V host (non-domain member) and his TMG guest (domain member) connected by Internal only network. So I guess it’s not HW issue and (maybe!) not account related. It's always on LSASS process and because I've got other unresolved issues exactly between these two servers (http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/82c9371a-eab9-4526-ba34-81d1f3bdc141, http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/662b94d0-9fa1-4f85-aba1-84c42c105386), I'm getting suspicious it’s somehow connected.

    But how to find out? Any ideas?

    Have a nice,
    Dawid

    Monday, April 26, 2010 2:03 AM
  • On my TMG box with FPE and Exchange 2010, this message was generated.  It is caused by the HTTPS inspection feature being enabled.  The only way I was able to get it to cease was to disable HTTPS inspection.
    Thursday, June 17, 2010 6:21 PM