DirectAccess Schannel event viewer errors at every user logon

    Question

  • Dear TechNet community,

    I recently set up DirectAccess on a Windows Server 2012 R2 machine.
    DirectAccess works fine, users are connecting via their Windows 8.1 clients up to DirectAccess, no problem.
    However, on the servers side, after every client connection, we get the following events:

    Event 36874, Schannel: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Followed by: 

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

    The client using non-supported cipher suites according to the DirectAccess server could be the cause of these errors. We're using a self-signed DirectAccess certificate based on SHA-1. Our DirectAccess server is using TLS 1.2 for encryption of the connection. I'm not a cipher suite / TLS / certificate expert, so I don't know if this is the cause of the issue, but I sure can imagine it could be.

    Some more background information:
    - I've set up DirectAccess using the "Remote Access Setup Wizard", not the "Getting Started Wizard".
    - At the "Remote Access Server Setup" step, I've selected "Use a self-signed certificate created automatically by DirectAccess".
    So I've deployed DirectAccess via a self-signed SHA-1 certificate, which gets deployed to the DirectAccess clients via GPO.
    - The NLS role is installed on the same server as DirectAccess itself.

    Any of you got any idea as to why the above errors occur?

    Any help would be greatly appreciated.

    Greetings,

    Teun

    Monday, March 5, 2018 8:09 AM

All replies

  • Anyone?
    Wednesday, March 7, 2018 7:28 AM
  • Have you done any cipher suite "hardening" on the DA server? For example, have you disabled TLS1.0? Many companies want to do that because the webserver scanning tools (like Qualys) flag TLS1.0 as being bad, which is generally true for a web server, but in the DirectAccess world it's not a bad thing. I recommend leaving TLS1.0 enabled on any DA server.

    Whether or not that has anything to do with your error messages, it sounds like you have a couple of things that should be adjusted in your DA environment before turning this into a production system. Setting up your DA server in a better-practices implementation may alleviate your error messages as well.

    First, self-signed certificates are never a good thing from a security perspective. I highly recommend using an SSL cert from a public CA on the DA server as your IP-HTTPS certificate.

    Second, you should slide your NLS role onto its own server. Co-hosting NLS on the DA server is a capability that was added to DA in order to make proof-of-concepts easier to set up, but was not intended to run that way long-term. If in the future you decide to do any advanced features with DA (like a load-balanced array, something almost everyone does), then you must move NLS off the DA server onto its own server. It is much easier to do this now rather than later when you have a bunch of people relying on it. Co-hosting NLS also generally means you are using a second self-signed cert for the NLS website itself, and we always want to get away from self-signed certificates.

    Wednesday, March 7, 2018 2:05 PM
  • I have the same issue, using a public CA. I am investigating "Computer Configuration, Administrative Templates, Network, SSL Configuration Settings". The DA-generated server policy seems to have set a specific set of ciphers which are outdated.

    https://directaccess.richardhicks.com/tag/cipher-suites/

    Wednesday, July 25, 2018 12:25 PM
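    The policy check described in the reply above, as an added PowerShell diagnostic that is not part of this thread: it counts the recent Schannel 36874/36888 events, reads the cipher suite order written by the "SSL Cipher Suite Order" policy, and compares it with the suites this OS build supports. It assumes it is run in an elevated PowerShell session on the DA server; the registry paths and event IDs are the standard Windows ones, the 24-hour window and the ECDHE/AES filter are my choices.

```powershell
# Added example: does a GPO-set cipher suite order explain Schannel 36874 events?
# Assumes an elevated PowerShell session on the DirectAccess server.

# 1. Recent Schannel failures: 36874 = no common cipher suite, 36888 = fatal alert sent.
$since  = (Get-Date).AddDays(-1)   # constructed window: last 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874, 36888
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object {
    '{0,6} x Event {1} since {2}' -f $_.Count, $_.Name, $since
}

# 2. Cipher suite order pushed by policy. The GPO stores it as ONE comma-separated
#    REG_SZ value named "Functions" under the policy key below.
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policyValue  = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
$policySuites = @()
if ($policyValue) {
    $policySuites = $policyValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    'Policy sets {0} cipher suites' -f $policySuites.Count
} else {
    'No SSL Cipher Suite Order policy is set; the OS default order applies.'
}

# 3. Suites this OS build supports, in its default order (REG_MULTI_SZ, one suite per entry).
$localKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$localSuites = (Get-ItemProperty -Path $localKey -Name Functions).Functions

# 4. Policy entries this host cannot match to a supported suite contribute nothing, so the
#    effective list is only the overlap. Flag the unusable names, then show which TLS 1.2
#    ECDHE/AES suites are left, since those are what current clients offer first.
$unusable = $policySuites | Where-Object { $_ -notin $localSuites }
if ($unusable) {
    'Policy entries not supported on this host:'
    $unusable | ForEach-Object { "  $_" }
}

$effective = if ($policySuites) { $policySuites | Where-Object { $_ -in $localSuites } } else { $localSuites }
'Effective TLS 1.2 ECDHE/AES suites ({0} total suites effective):' -f @($effective).Count
$effective | Where-Object { $_ -match 'ECDHE' -and $_ -match 'AES' } | ForEach-Object { "  $_" }
```

An empty ECDHE/AES list, or a long "not supported" list, is the configuration the 36874 event describes; an empty 36874 count after the policy is corrected confirms the fix.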
  • Well, it's not broken anything, but looking at Wireshark traffic and the Analyze | Expert Information looks better, I think. Still got SSL errors, but performance looks better. Also I note Win 7 max read / download speed is about 4 Mbit/s, whereas Win 10 will go as fast as you like depending on load.

    I have been using https://totusoft.com/lanspeed on the client to run the tests against various shares.

    Friday, July 27, 2018 11:09 AM