Error 36888 Schannel : The following fatal alert was generated: 10. The internal error state is 1203.

    Question

  • Hi,

    We have Exchange 2010 SP2 with all roles installed on one Windows 2008 R2 server.

    We renewed our SSL certificate for Exchange a few days ago.

    And we got the following error in Event Viewer.

    Error 36888 Schannel : The following fatal alert was generated: 10. The internal error state is 1203.

    <Event>
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-03-26T05:03:01.729897900Z" />
        <EventRecordID>177401</EventRecordID>
        <Correlation />
        <Execution ProcessID="504" ThreadID="8948" />
        <Channel>System</Channel>
        <Computer>myexchange.adserver.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">1203</Data>
      </EventData>
    </Event>

    __________________________________________________________

    Pls help

    Thanks

    Prakash

    • Edited by p.th Monday, March 26, 2012 8:56 AM
    Monday, March 26, 2012 8:54 AM

Answers

  • This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site

    So if a user tries to reach OWA using http instead of https, you would get this event (unless you have configured forwarding from http to https on the server).

    Monday, March 26, 2012 7:01 PM
  • The key part is that you can ignore the error. I see these all the time.

    Monday, March 26, 2012 11:57 AM
    Moderator

All replies

  • The errors are coming from Windows Server 2008 R2 (IIS to be more particular).

    If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged.

    This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site

    The error 1203 indicates invalid ClientHello from the client.

    This is by design and you can ignore this warning.

    This question has been asked and answered several times in the last few weeks. A search would have answered your question quicker.

    To remove the errors you can use the following article:

    http://support.microsoft.com/kb/260729

    Monday, March 26, 2012 9:26 AM
  • Hi Killerbe,

    Thanks for your reply. I searched a lot before posting to the forum, and I know the error can be disabled, but we need to find its root cause.

    We have been using Exchange for a long time and never faced this type of error.

    This type of error started a week ago.

    We renewed our Exchange SSL certificate a few days ago.

    Is it related to the Exchange SSL certificate?

    Thanks

    Prakash




    • Edited by p.th Monday, March 26, 2012 11:29 AM
    Monday, March 26, 2012 11:28 AM
  • I have the same "message", but I don't have Exchange on my Server 2008 R2.
    • Edited by Lucfig Tuesday, May 20, 2014 10:08 PM
    Tuesday, May 20, 2014 10:08 PM
  • That is because it is IIS that is causing the message.
    Tuesday, November 18, 2014 2:02 PM
  • Well no, that's not a fix. A fix would be finding out WHAT client is accessing incorrectly and fixing it so the error goes away.

    I'm getting almost the same error, but it's a 1207, not a 1203, but it just bugs me when people say "oh, that's expected behavior". Sorry, no, expected behavior is clients using the CORRECT PORT to access the CORRECT SERVER.

    Sure, an occasional error is no big deal, but we're getting 2-3 of these PER MINUTE. Something is broken, and ignoring this just floods valid errors out of the event log.


    == John ==

    Friday, January 30, 2015 10:55 PM
  • Ever find an answer John ?

    Jamie

    Wednesday, March 11, 2015 7:48 PM
  • Nope, never did - also, it should be noted I went by the error number on my forum search, but this is not on an Exchange server, it's on a Server 2008 R2 firewall server.

    You can understand why I might be a bit perturbed over unexplained security issues on a firewall ...

    It's driving me crazy. It's absolutely flooding the event log.


    == John ==

    Wednesday, March 11, 2015 8:59 PM
  • Well no, that's not a fix. A fix would be finding out WHAT client is accessing incorrectly and fixing it so the error goes away.

    I'm getting almost the same error, but it's a 1207, not a 1203, but it just bugs me when people say "oh, that's expected behavior". Sorry, no, expected behavior is clients using the CORRECT PORT to access the CORRECT SERVER.

    Sure, an occasional error is no big deal, but we're getting 2-3 of these PER MINUTE. Something is broken, and ignoring this just floods valid errors out of the event log.


    == John ==

    I totally agree with you on this, and even Microsoft agrees! "The following alert was generated: 10" (from eventID.net) means "unexpected_message", and according to the TechNet article "How TLS/SSL Works" that means "Received an inappropriate message. This alert should never be observed in communication between proper implementations. This message is always fatal."

    Mark the last word: "fatal"!!!

    It would be nice to have an official way of troubleshooting this message and getting rid of it properly, and not just silencing/muting it.



    Thursday, April 02, 2015 12:55 PM
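
An added example, not part of the thread or of any poster's code: a PowerShell summary of Schannel 36888 events by UTC minute, alert description and error state, which gives the rate and the time windows to compare against firewall or connection logs. The function names and the sample events are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: summarise Schannel 36888 events by UTC minute, alert and error state.
# Alert names are standard TLS alert descriptions; codes not listed show as 'unknown'.
$AlertNames = @{ 10 = 'unexpected_message'; 40 = 'handshake_failure'; 70 = 'protocol_version' }

function ConvertFrom-SchannelAlertXml {    # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        # Indexer + InnerText works whether or not <EventID> carries attributes.
        if ($e.System['EventID'].InnerText -ne '36888') { return }
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $alert = [int]$data['AlertDesc']
        $name = if ($AlertNames.ContainsKey($alert)) { $AlertNames[$alert] } else { 'unknown' }
        [pscustomobject]@{
            MinuteUtc  = $e.System.TimeCreated.SystemTime.Substring(0, 16)  # yyyy-MM-ddTHH:mm
            Alert      = "$alert ($name)"
            ErrorState = [int]$data['ErrorState']
        }
    }
}

function Get-SchannelAlertSummary {        # hypothetical helper name
    param([string[]]$EventXml)
    $EventXml | ConvertFrom-SchannelAlertXml |
        Group-Object -Property MinuteUtc, Alert, ErrorState |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{ MinuteUtc = $g.MinuteUtc; Alert = $g.Alert; ErrorState = $g.ErrorState; Count = $_.Count }
        }
}

# Constructed sample events (values invented for the demo, not taken from a real log).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     '<Provider Name="Schannel" /><EventID>36888</EventID><TimeCreated SystemTime="{0}" />' +
     '</System><EventData><Data Name="AlertDesc">{1}</Data><Data Name="ErrorState">{2}</Data>' +
     '</EventData></Event>'
$sample = @(
    ($t -f '2012-03-26T05:03:01.729897900Z', 10, 1203),
    ($t -f '2012-03-26T05:03:20.100000000Z', 10, 1203),
    ($t -f '2012-03-26T05:03:41.500000000Z', 10, 1203),
    ($t -f '2012-03-26T05:04:02.000000000Z', 10, 1207)
)
Get-SchannelAlertSummary -EventXml $sample | Format-Table -AutoSize

# On the affected server, feed live events instead of the sample:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } |
#     ForEach-Object { $_.ToXml() }; Get-SchannelAlertSummary -EventXml $xml
```

The event XML posted in the question carries only AlertDesc and ErrorState, with no client address, so the per-minute buckets are what gets matched against other logs.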
  • One thing I did find out is that you can get more verbose logging from schannel using the following registry settings:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
    Value Name: EventLogging
    Value Type: REG_DWORD
    Value Data: 7

    After troubleshooting, set it back to 1, because it fills the system event log in no time.

    Thursday, April 02, 2015 1:13 PM
  • WHO is using an invalid port in the URL?  This has to be a machine process that is constructing the URL.  My users do not use a browser to get email, just an Outlook client or iPhone/Android app.  In addition, the few that use OWA are factory workers clicking a link that does not specify a port.  They don't know a port number from a hole in the wall.

    I am with those who say ignoring the error is no solution.  It fills up the event log, and gives Microsoft something to blame a problem on when they see it.

    Monday, February 15, 2016 4:38 PM
  • This answer is incorrect and needs to be deleted. It is misleading.

    If this were true, I could try to access my web site using the wrong protocol and generate tons of these errors. I cannot do this. From my phone, my tablet, my laptop, my computer, another server, someone else's laptop and computer, my dev PC, my server, or another server.

    Something else is causing the error; none of these machines could replicate the log entry.

    Monday, April 18, 2016 3:45 PM
  • I know this thread is a bit old, but I thought a recent experience might be nice to add for future reference :P

    We had a strange outage on one of our servers after someone apparently used gpedit to check the SSL Cipher Suite Order (gpedit.msc / Administrative Templates / Network / SSL Configuration Settings / SSL Cipher Suite Order)
    and managed to save a non-working setup. This leaves a nice little time bomb that will activate on the next boot, and in our case it left our server unable to establish any type of secure channel (even RDP connections). The solution then was to set this setting to "Not Configured" and reboot the server.

    We also had these: 

    event id 36874

    "An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."


    Monday, May 30, 2016 6:58 AM