Encountered an internal error in the SSL library

  • Question

  • Hi,

    We need to harden our environment according to CIS standards. After applying those policies I am encountering the following issue:

    Unix/Linux agents managed by the internal Unix/Linux resource pool (Management Servers, domain joined) turn grey with the WS-Management Certificate Health in critical state. Some return healthy after a while... to fail again after a while.

    When I re-sign the certificate through the Discovery Wizard the agent turns healthy again... to return to a grey state again after a while.

    Error in Health Explorer below:

    ErrorMessage
    WSManFault The server certificate on the destination computer (flexprod1.mydomain.net:1270) has the following errors:      
    Encountered an internal error in the SSL library.

    While troubleshooting I found out that executing the following results in an error:

    winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -r:https://flexprod1.mydomain.net:1270 -u:scomuser -p:pswd -auth:basic -encoding:utf-8

    WSManFault
    Message = The server certificate on the destination computer (flexprod1.mydomain.net:1270) has the following errors:
    Encountered an internal error in the SSL library.

    Error number:  -2147012721 0x80072F8F
    A security error occurred

    When I re-execute the command right afterwards... it succeeds! :-/ When I run the command 10 minutes afterwards, it fails again the first time it is executed.

    My guess is that it is likely related to the above issue.

    I'm not having this issue on the gateway servers (not domain joined) where the policies are not applied.

    P.S. Unfortunately I installed security and critical updates a few hours before applying the GPO, so it could well be related to that also.

    Before I try to revert the changes made by the gpo... can anyone verify if a setting in the gpo can cause this issue? Relevant part (I think) of the gpo below. Or does anyone know what this might be caused by or how to further troubleshoot this?

    Thanks!

    (Policy = Setting)

    Microsoft network client: Digitally sign communications (always) = Enabled

    Microsoft Network Server
      Microsoft network server: Digitally sign communications (always) = Enabled
      Microsoft network server: Digitally sign communications (if client agrees) = Enabled

    Network Access
      Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled

    Network Security
      Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
      Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Enabled
        Require NTLMv2 session security = Enabled
        Require 128-bit encryption = Enabled
      Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Enabled
        Require NTLMv2 session security = Enabled
        Require 128-bit encryption = Enabled

    System Cryptography
      System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = Enabled

    System Settings
      System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies = Enabled

    User Account Control
      User Account Control: Admin Approval Mode for the Built-in Administrator account = Enabled
      User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
      User Account Control: Switch to the secure desktop when prompting for elevation = Enabled

    Other
      Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled

    Registry Values
      MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod = "0"
      MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1
      MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting = 2
      MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting = 2


    • Edited by BallieWallie Thursday, February 20, 2014 2:44 PM
    Thursday, February 20, 2014 2:41 PM

Answers

  • Hi Steve,

    Thanks for your reply.

    I've managed to pinpoint the issue to the following gpo setting:

    System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

    Description: For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

    Disabled the setting in a new gpo and everything returned to normal.

    Grts.

    Thursday, February 20, 2014 4:03 PM
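A way to reproduce the question's winrm test and the accepted answer's finding from the management server itself, as an added example that is not part of this thread and not SCOM or SCX code: the script below reads the registry value behind the "Use FIPS compliant algorithms" policy and then opens a TLS handshake to the agent's port 1270 once per protocol version, reporting the negotiated cipher suite and the agent certificate's signature algorithm, or the Schannel error text on failure. The host name flexprod1.mydomain.net and port 1270 are taken from the post; the loop count and the accept-all certificate callback are assumptions for diagnosis only. The 0x80072F8F in the post is WinHTTP's ERROR_WINHTTP_SECURE_FAILURE (12175), meaning Schannel rejected the handshake; .NET's SslStream also goes through Schannel, so it is subject to the same FIPS policy, but it ignores the WinHTTP-only DefaultSecureProtocols value, so a failure here points at Schannel policy or the agent's certificate rather than at WinHTTP configuration.

```powershell
# Added diagnostic helper (not from the thread): check the Schannel FIPS policy and
# probe the SCX agent's TLS listener per protocol version from the management server.

function Get-FipsPolicyState {
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is the value set by
    # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ FipsAlgorithmPolicyEnabled = [bool]$value }
}

function Test-ScxTlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 1270,                                        # SCX agent WS-Man port (from the post)
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    # Accept any server certificate: we are inspecting the handshake, not trusting the peer
    # (assumption for diagnosis only; never use this callback in production code).
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

    foreach ($proto in $Protocols) {
        # One fixed property set so every row lines up in Format-Table
        $row = [ordered]@{ Protocol = $proto; Result = ''; Negotiated = $null; Cipher = $null
                           Hash = $null; KeyExchange = $null; CertSigAlg = $null; CertExpires = $null; Error = $null }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            # Restrict the handshake to a single protocol version so each row tests exactly one
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
            $row.Result      = 'OK'
            $row.Negotiated  = $ssl.SslProtocol
            $row.Cipher      = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            $row.Hash        = $ssl.HashAlgorithm
            $row.KeyExchange = $ssl.KeyExchangeAlgorithm
            $row.CertSigAlg  = $cert.SignatureAlgorithm.FriendlyName
            $row.CertExpires = $cert.NotAfter
        } catch {
            # A Schannel rejection surfaces here as an AuthenticationException wrapping a Win32Exception
            $row.Result = 'FAIL'
            $row.Error  = $_.Exception.GetBaseException().Message
        } finally {
            $tcp.Close()
        }
        [pscustomobject]$row
    }
}

Get-FipsPolicyState
# Repeat the probe, since the post says the first attempt fails and an immediate retry succeeds
1..3 | ForEach-Object { Test-ScxTlsHandshake -ComputerName 'flexprod1.mydomain.net' } | Format-Table -AutoSize
```

Run it elevated on a management server in the resource pool and again on a gateway server where the GPO is not applied; if the FIPS value differs and the per-protocol results differ in the same way, the comparison confirms the answer's diagnosis without toggling the GPO first.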

All replies

  • What version of SCOM are you running and on what Windows OS? Is SCOM updated to the latest patches?

    It could be this issue --> http://operatingquadrant.com/2012/01/12/opsmgr-unixlinux-heartbeat-failures-after-applying-kb2585542/ but has since been fixed with newer versions of SCOM.

    Regards,

    -Steve


    Thursday, February 20, 2014 3:24 PM
    Moderator
  • Especially in these days where SSL 2.x/3.x and also TLS 1.0 are being phased out there is a better solution:

    https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

    Deploy a value like 0x0a80 so for example I can now collect volume statistics using my Windows 2008 R2 server from my hardened (no < TLS 1.1, Elliptic Curve cert) 2012 R2 web server using PowerShell WinRM (Invoke-Command -UseSSL).

    Hope that helps any latecomer.

    Thursday, August 17, 2017 1:24 PM
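To make the reply's "deploy a value like 0x0a80" concrete, an added example that is not from the thread or from Microsoft: the script below decodes and composes the WinHTTP DefaultSecureProtocols bitmask using the bit values and the two registry paths documented in KB3140245, writes the value to both the native and the WOW6432Node path, and reads it back. The protocol names it accepts, the -WhatIf guard and the commented Test-WSMan host name are my own choices. Caveat: the KB's update has to be installed on the older Windows versions it targets (the reply's 2008 R2 among them) before WinHTTP honours the value, and the value only governs WinHTTP callers such as WinRM; it does not change which protocols Schannel itself enables.

```powershell
# Added example (not from the thread): decode, set and verify WinHTTP DefaultSecureProtocols.
# Bit values and key paths are those documented in KB3140245.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

# Native hive plus the WOW6432Node hive used by 32-bit WinHTTP callers
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function ConvertFrom-DefaultSecureProtocols {
    # Returns the protocol names whose bit is set, e.g. 0x0a80 -> TLS 1.0, TLS 1.1, TLS 1.2
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolBits.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function ConvertTo-DefaultSecureProtocols {
    # Builds the bitmask from protocol names; rejects names it does not know rather than silently ignoring them
    param([Parameter(Mandatory)][string[]]$Protocol)
    $v = 0
    foreach ($p in $Protocol) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol name '$p'" }
        $v = $v -bor $ProtocolBits[$p]
    }
    $v
}

function Get-DefaultSecureProtocols {
    foreach ($k in $WinHttpKeys) {
        $raw = (Get-ItemProperty -Path $k -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Key     = $k
            Value   = if ($null -ne $raw) { '0x{0:x4}' -f $raw } else { '(not set: WinHTTP OS default applies)' }
            Enabled = if ($null -ne $raw) { (ConvertFrom-DefaultSecureProtocols $raw) -join ', ' } else { '' }
        }
    }
}

function Set-DefaultSecureProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Protocol)
    $value = ConvertTo-DefaultSecureProtocols $Protocol
    foreach ($k in $WinHttpKeys) {
        if ($PSCmdlet.ShouldProcess($k, ('Set DefaultSecureProtocols = 0x{0:x4}' -f $value))) {
            if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
            New-ItemProperty -Path $k -Name DefaultSecureProtocols -PropertyType DWord -Value $value -Force | Out-Null
        }
    }
}

# The reply's 0x0a80 decodes to TLS 1.0 + TLS 1.1 + TLS 1.2
ConvertFrom-DefaultSecureProtocols 0x0a80

# Once every WinRM peer speaks TLS 1.1/1.2, drop TLS 1.0 to match a "no < TLS 1.1" server policy
Set-DefaultSecureProtocols -Protocol 'TLS 1.1', 'TLS 1.2' -WhatIf   # remove -WhatIf to apply
Get-DefaultSecureProtocols

# End-to-end check of the WinHTTP/WinRM path against an HTTPS listener (constructed host name):
# Test-WSMan -ComputerName 'webserver2012r2.example.internal' -Port 5986 -UseSSL
```

Deploying this through a GPO registry preference rather than a script is equivalent; the point of the helper is that the bitmask is composed from names, so a reviewer can see at a glance which protocols a hardened value still permits.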