SChannel Errors with Outlook 2013 when May 2015 Critical Updates performed. Channel Error is 808 and seems undocumented.

    Question

  • Can anyone help? I updated the May Critical updates on 15th May 2015 and then Outlook stops, and in the Event Viewer for SChannel I get the following:

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 808.

    I've no idea what 808 is, but the 40 is a handshake error.

    Now if I go back to my restore point prior to the updates it all works again, until the system does the updates again (all 15 of them). It appears to be something in the updates, but I cannot find other people complaining about this. It's also a bit disappointing that the error state of 808 seems to be undocumented.

    Can anyone help?

    I have since diagnosed which Patch it is with the problem. It's KB3061518 (MS15-55). Doesn't help much since bing/google aren't telling me about reports of problems with it (apart from a CAD package) running Outlook email workload.



    • Edited by Marked10 Wednesday, May 20, 2015 6:30 PM
    Wednesday, May 20, 2015 4:56 PM

Answers

  • Hi,

    After you install this security update, the minimum allowed DHE key length on client computers is changed to 1,024 bits by default, instead of the previous minimum allowed key length of 512 bits.

    Please check if the issue can be resolved after reverting to a 512-bit key length.

    To edit this registry entry, follow these steps:

    1. Click Start, click Run, type regedit in the Open box, and then click OK.

    2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

    3. On the Edit menu, point to New, and then click DWORD Value.

    4. Type ClientMinKeyBitLength for the name of the DWORD, and then press Enter.

    5. Right-click ClientMinKeyBitLength, and then click Modify.

    6. In the Value data box, type 00000200, and then click OK.

    Exit Registry Editor, and then restart the computer.

    Can we fix this issue?


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Marked10 Thursday, May 21, 2015 9:20 PM
    Thursday, May 21, 2015 2:07 AM
    Owner
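
The registry steps in the answer above, scripted in PowerShell together with a check of the value in effect and a rollback for when the mail server offers DHE parameters of 1,024 bits or more. This is an added example, not part of the original answer: the function names are hypothetical, while the key path, value name, 512-bit value and 1,024-bit default are the ones the answer gives. The two functions that write need an elevated session.

```powershell
# Added example (not from the thread): SChannel client DHE minimum, per the answer's steps.
$DhKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$DhValue = 'ClientMinKeyBitLength'
$Default = 1024   # minimum in effect after the update when no value is set (per the answer)

function Get-DheClientMinimum {
    # Report the minimum in effect and whether an override lowers it below the default.
    $key = Get-Item -Path $DhKey -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $DhValue) {
        return [pscustomobject]@{ Override = $false; Bits = $Default; BelowDefault = $false; Note = 'no override' }
    }
    $kind = $key.GetValueKind($DhValue)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # Step 3 asks for a DWORD; any other type was created by mistake.
        return [pscustomobject]@{ Override = $true; Bits = $null; BelowDefault = $null; Note = "value is $kind, not DWORD" }
    }
    # A value of 200 here means 00000200 was typed with the Decimal base selected.
    $bits = [int]$key.GetValue($DhValue)
    [pscustomobject]@{ Override = $true; Bits = $bits; BelowDefault = ($bits -lt $Default); Note = 'DWORD override' }
}

function Set-DheClientMinimum {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Bits = 0x200)   # 0x200 = 512, the hexadecimal 00000200 from step 6
    if ($PSCmdlet.ShouldProcess($DhKey, "set $DhValue to $Bits")) {
        # Steps 2-6: create the Diffie-Hellman subkey if it is missing, then write the DWORD.
        if (-not (Test-Path -Path $DhKey)) { New-Item -Path $DhKey -Force | Out-Null }
        New-ItemProperty -Path $DhKey -Name $DhValue -PropertyType DWord -Value $Bits -Force | Out-Null
    }
}

function Remove-DheClientOverride {
    # Rollback: delete the value so the update's 1,024-bit default applies again.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-DheClientMinimum).Override -and $PSCmdlet.ShouldProcess($DhKey, "remove $DhValue")) {
        Remove-ItemProperty -Path $DhKey -Name $DhValue
    }
}

# Read-only check; run Set-DheClientMinimum or Remove-DheClientOverride explicitly (both accept -WhatIf).
Get-DheClientMinimum | Format-List
```

As in the answer, restart the computer after changing the value.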

All replies

  • Hi Kate,

    Thank you for this answer. It worked completely on my install. The only difference to your commentary was I also had to add the Diffie-Hellman key.

    So I will let my email provider know, so that they can think about updating their server to 1024-bit.

    Many thanks for your prompt response

    Friday, May 22, 2015 8:01 PM
  • Hi Kate,

    Thank you VERY MUCH for your answer... I was struggling for several weeks until I found your answer... that also worked in my case, even though I was skeptical of your solution.

    The strange thing was that I have 2 accounts on the same domain and with the same provider, both of them using IMAP over SSL. Just one of the accounts "died" suddenly on receiving messages, but I did not realize there was an error retrieving messages because I'm using 2 PCs, and it ceased working only on the one using Windows 8.1, while the same version of Outlook 2013 on Windows 7 was working perfectly.

    Even without restarting the PC, immediately after adding the "Diffie-Hellman" subkey as you instructed, my Outlook 2013 started receiving messages, but I still cannot understand why the other account in the same Outlook profile was working and just one of them was "dead".

    Anyway - THANK YOU again! :)



    • Edited by Lucian C Saturday, August 15, 2015 1:01 PM corrected some typos
    Saturday, August 15, 2015 1:00 PM
  • Great solution, Kate. THANK YOU very much.

    Now, communications between servers implicated are working fine.

    Manuel

    Thursday, November 19, 2015 10:04 AM