Schannel error, Event ID 36888? - Is there a way to identify what causes Schannel to log the error?

Answers

  • The reference above isn't specifically clear on what you will be changing. The value is EventLogging

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
    Value Name: EventLogging
    Value Type: REG_DWORD
    Value Data: 7

    The default is one, which makes Schannel a bit chatty to start with. If you can tie the event to a specific site you are connecting to, we would want to make sure that the certificate on that site was appropriate for the site.

    The error 1203 indicates an invalid ClientHello from the client - enabling more verbose logging may reveal which server is responding this way and provide additional information. Reviewing other cases indicated multiple certificates for Server authentication on the web server generating this response on the client.

    Wednesday, June 23, 2010 9:27 PM
    Moderator

All replies

  • Hi,

    Regarding Schannel, it’s one of the Security Support Providers. The Windows operating system implements the TLS/SSL protocols as a Security Support Provider (SSP), a dynamic-link library (DLL) called Schannel that is supplied with the operating system. You may refer to the "Schannel SSP Architecture" section of the article below:
    http://technet.microsoft.com/en-us/library/cc783349%28WS.10%29.aspx

    As far as I know, these errors are common and not serious; it is simply a security feature of Windows Server 2008 R2 that any negotiation or problem of unexpected messages for the secure channel can be recorded. The Schannel level of logging can be configured as described in:

    NPS: SCHANNEL
    http://technet.microsoft.com/en-us/library/dd197492%28WS.10%29.aspx

    Thanks.


    Wednesday, June 23, 2010 9:56 AM
    Moderator
  • I am getting this error while I play Battlefield Bad Company 2. It crashes the game and returns me to the desktop.

    Anyone have any ideas why?

     

    Log Name:      System
    Source:        Schannel
    Date:          7/14/2010 1:24:27 PM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:     ------------------
    Description:
    The following fatal alert was generated: 10. The internal error state is 10.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-07-14T20:24:27.917317100Z" />
        <EventRecordID>78716</EventRecordID>
        <Correlation />
        <Execution ProcessID="596" ThreadID="1080" />
        <Channel>System</Channel>
        <Computer>DANGYOUFAST</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">10</Data>
      </EventData>
    </Event>

    Wednesday, July 14, 2010 9:03 PM
  • Hello GueroLoco,

    This forum is related to Active Directory questions and not to games or client OS. Please use the Microsoft Answers forum for your OS:

    http://answers.microsoft.com/en-us/default.aspx


    Best regards, Meinolf Weber
    Thursday, July 15, 2010 6:48 AM
  • Hi Patfi_msft,

     

    You mentioned in response to the message above that the internal state error 1203 indicates an invalid ClientHello from the client. Where did you find that out?

    I am currently getting the following error alert: "Event 36888, Schannel - The following fatal alert was generated: 53.  The internal state error is 900"

    I know that the fatal error 51 means that there was a decryption error under TLS, but I cannot figure out what the internal state error 900 means.  I have searched the internet but I am not having any luck.  If you could point me in the right direction I would be appreciative.

     

    Thanks in advance!

    • Proposed as answer by 10toes Thursday, October 16, 2014 4:35 PM
    Friday, June 24, 2011 4:44 PM
  • Hi,

    We are also getting the same error, Event 36888, Schannel. This error started when we configured HTTPS (OWA load balancing). I know that this is obviously SSL/TLS related. Then we removed the Real Server IPs (the Exchange Server IPs which we had configured in the policy), and then the error stopped.

    Thanks and regards,

    Ravikumar.

    Saturday, July 14, 2012 6:48 AM
  • Thanks, this worked for me!
    Wednesday, August 1, 2012 1:29 PM
  • Hi Ravikumar, I'm experiencing exactly the same issue you describe, but I am unsure what you mean by your solution. Can you clarify please?
    Thursday, November 29, 2012 9:40 AM
  • I have changed the registry key from 1 to 7.

    Should any services be restarted for this?

    Friday, February 22, 2013 4:03 PM
  • Anybody?

    Still the event here...

    Monday, February 25, 2013 1:16 PM
  • Perhaps you can elaborate, WHAT worked for you?

    Thanks, Charlie

    Wednesday, May 8, 2013 5:07 PM
  • This should clarify the solution way above.

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
    You see the second item in the list is the Value Name: "EventLogging"  To the right of that it says the type "REG_DWORD" with the default value 0x00000001 (1)

    Double-click on that second item to get the pop-up screen that you can change. In the bottom field, the default value is 1, from that string of zeroes with the one at the end. Type over that 1 and put in a 7. After you save it (<ok>), the numeric string shows 0x00000007 (7).

    • Proposed as answer by ccurts Wednesday, May 22, 2013 9:18 AM
    Wednesday, May 22, 2013 9:17 AM
  • We are seeing the very same errors on several Web Servers. Where it looks like many of you are looking at outbound connections, we are troubleshooting inbound. I have tried dialing the logging up to 3 and 7 and I am not getting any more detail in the event logs. Granted, the connections that we are testing are Telnet on 443, which throws errors. When we make simple https calls to known pages we get no errors. We are not sure what calls are coming in from the Internet that are making this angry, so it is proving difficult to properly replicate the errors with web calls.

    Any suggestions or thoughts?

    • Proposed as answer by Mean_Dean0 Thursday, March 16, 2017 9:09 PM
    Friday, October 11, 2013 1:57 PM
  • This is due to a certificate problem. The certificate has a low security level.

    1] Check first your site using the following link to see if the certificate is OK or you need to create a new one.

    https://www.networking4all.com/nl/helpdesk/tools/site+check/

    2] Download and use "the keyStore Explorer 4.1.1" to verify the SSL certificate file.

    Regards,

    Azzim


    • Edited by azzim Tuesday, December 17, 2013 12:45 PM
    Tuesday, December 17, 2013 12:29 PM
  • What does Schannel Event Logging option 7 do?  I saw there is a knowledge base article on How to enable Schannel event logging in IIS (KB260729), but it only shows up to 4 levels.  I looked through the tech library and it was hard for me to find any additional data on the logging settings except for these articles, Network Policy Server (NPS) Registry Entries - Schannel and Network Policy Server (NPS) Events and Event Viewer, which only show 3 levels.

    Value     Description
    0x0000    Do not log
    0x0001    Log error messages
    0x0002    Log warnings
    0x0004    Log informational and success events

     

    From what I gather from other TechNet questions is that Event ID 36888 is usually insignificant and is basically caused by trying to access a secure website in an unsecure manner (Error 36888 Schannel). However there is not much information on all of the different error codes.  The tech library does list some of the Event Viewer Schannel Event IDs (although does not list 36888) in this article, TLS/SSL Tools and Settings. However it does not list what the types of fatal error alerts (AlertDesc) or internal error states (ErrorState) are that are listed in the Event Viewer logs.

    I am getting the Schannel 36888 Error that says "The following fatal alert was generated: 10. The internal error state is 10."  I know that others might say that this error is insignificant, however it would be helpful to know what is actually going on.

    Occasionally I will find my system locked up and I will have to hard reset. Since I have no idea what caused the lockup, I am going through the Event Viewer logs, and lo and behold, there are a bunch of Schannel errors. I would like to find out more information about these errors. I suspect that I am having some sort of hard disk issue that is causing my system to hang, although that will require much more investigation, and is probably a topic for a separate discussion. If anyone could help shed some more light on these Schannel errors I would appreciate it. Thanks.
    Friday, March 28, 2014 3:13 PM
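
Added example, not part of any post in this thread and not Microsoft's code: the AlertDesc field of event 36888 carries a TLS alert description number, so the records can be decoded and tallied to see which alert and internal state dominate. The alert names follow RFC 5246; the function names and the sample records are constructed for illustration, using AlertDesc/ErrorState pairs quoted in this thread.

```powershell
# Added example: decode Schannel event 36888 records and tally them.
# Alert names are the TLS alert descriptions from RFC 5246, section 7.2.
$TlsAlert = @{
    0  = 'close_notify';            10 = 'unexpected_message';    20 = 'bad_record_mac'
    22 = 'record_overflow';         40 = 'handshake_failure';     42 = 'bad_certificate'
    43 = 'unsupported_certificate'; 44 = 'certificate_revoked';   45 = 'certificate_expired'
    46 = 'certificate_unknown';     47 = 'illegal_parameter';     48 = 'unknown_ca'
    49 = 'access_denied';           50 = 'decode_error';          51 = 'decrypt_error'
    70 = 'protocol_version';        71 = 'insufficient_security'; 80 = 'internal_error'
    90 = 'user_canceled';           100 = 'no_renegotiation'
}

function ConvertFrom-Schannel36888 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $fields = @{}
        foreach ($d in $evt.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if (-not $fields.ContainsKey('AlertDesc')) { return }   # not an alert record
        $alert = [int]$fields['AlertDesc']
        $name  = $TlsAlert[$alert]
        if (-not $name) { $name = 'not in table' }
        [pscustomobject]@{
            TimeUtc    = $evt.System.TimeCreated.SystemTime
            Computer   = $evt.System.Computer
            AlertDesc  = $alert
            AlertName  = $name
            ErrorState = [int]$fields['ErrorState']   # Schannel-internal, reported raw
        }
    }
}

function New-SampleEvent([string]$Time, [int]$Alert, [int]$State) {
    # Constructed record holding only the fields the parser reads.
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    "<System><EventID>36888</EventID><TimeCreated SystemTime=`"$Time`" />" +
    '<Computer>SAMPLE-HOST</Computer></System><EventData>' +
    "<Data Name=`"AlertDesc`">$Alert</Data><Data Name=`"ErrorState`">$State</Data>" +
    '</EventData></Event>'
}

# Constructed sample data (timestamps are invented).
$samples = @(
    New-SampleEvent '2016-06-27T20:11:23.000000000Z' 10 10
    New-SampleEvent '2016-06-27T20:12:23.000000000Z' 10 10
    New-SampleEvent '2016-06-27T20:12:40.000000000Z' 10 1203
    New-SampleEvent '2016-06-27T20:13:05.000000000Z' 48 552
    New-SampleEvent '2016-06-27T20:13:30.000000000Z' 20 960
)

# On a live host, replace $samples with:
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36888} |
#       ForEach-Object { $_.ToXml() }
$samples | ConvertFrom-Schannel36888 |
    Group-Object AlertDesc, AlertName, ErrorState |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeenUtc'; e = { $_.Group.TimeUtc | Sort-Object | Select-Object -First 1 } } |
    Format-Table -AutoSize
```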
  • Never mind, I think that I figured out what option 7 does after re-reading the article. The options are specified by adding them together. For example:

    1+2=3 (Log error messages(1) + Log warnings(2)) =3

    2+4=6 (Log warnings(2) + Log informational and success events(4)) = 6

    1+2+4=7 (Log error messages(1) + Log warnings(2) + Log informational and success events(4)) = 7

    Saturday, March 29, 2014 7:09 AM
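
The flag arithmetic above, as an added PowerShell example that is not from the thread or from Microsoft's documentation. The key path, value name and flag meanings are the ones quoted in this thread; the function name Get-SchannelLoggingFlags is hypothetical, and writing to HKLM assumes an elevated session.

```powershell
# Added example: decode and set the Schannel EventLogging bitmask.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$Bits = @(
    @{ Bit = 0x1; Meaning = 'Log error messages' }
    @{ Bit = 0x2; Meaning = 'Log warnings' }
    @{ Bit = 0x4; Meaning = 'Log informational and success events' }
)

function Get-SchannelLoggingFlags([int]$Value) {
    if ($Value -eq 0) { return 'Do not log' }
    # Keep every flag whose bit is set in the value.
    $Bits | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Meaning }
}

# Every combination, showing that 7 is simply all three flags set.
0..7 | ForEach-Object {
    '{0} (0x{0:X4}) = {1}' -f $_, ((Get-SchannelLoggingFlags $_) -join ' + ')
}

# Current setting. If the value is absent, treat it as 1, the default given in the thread.
$current = (Get-ItemProperty -Path $Key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
if ($null -eq $current) { $current = 1 }
"Current EventLogging = $current : $((Get-SchannelLoggingFlags $current) -join ' + ')"

# Verbose logging while troubleshooting...
Set-ItemProperty -Path $Key -Name EventLogging -Value 7 -Type DWord
# ...and back to errors only when finished.
# Set-ItemProperty -Path $Key -Name EventLogging -Value 1 -Type DWord
```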
  • OK everyone... are you ready for the what is what.... this error .. SChannel... secure channel.. SSL/TLS.. you have something, most likely in your setup for the mail server.. you have it programmed to where it is to go through a secure tunnel and be received in on a secure line..

    NOW trying to get it to match with whose side on the receiving is what you need to find out, but if you are keeping logs and your SENT box, match the error time to approx. sent time..

    In my case, it is with my email carrier and the ports are also different if I send from their line versus if I say send from my Blackberry... Hope this helps you all.. and sorry ... I am not a tech, I am not in IT.. I just got lucky as I have been fighting with my connection, email and internet for months and since I just had to re-do my internet .. and decided to check my event viewer to see how many of the errors from the last weeks I have finally fixed.. THIS SURPRISE was a new one.. I came looking for the error code and when I saw this post and the SSL .. I was SO THANKFUL TO YOU ALL ... so I do not normally post.. but here is your answer... and for the 1 + 2 = 3 right now that sounds GREAT even if it is WRONG.. lol I know this is not funny but wow what I have gone through for 6 months and still going through, this was the best and fastest I ever found an answer..

    IF your provider is switching up data lines.. if you recently had to upgrade to a newer modem or server.. also KNOW this .. you will have to manually go in and override your channel to where you do not hit a conflict there too... the channels will jump and you will experience .. a LONG drag that will end up timing you out.. which will stop a program the wrong way ... which will trip off another program and on and on and on and you will crash.. and do over and over and you will sit down and cry just like I .. and some will say it is not that big of a deal (because they do not know where to look) but trust me.. it drag.. trip.. shuffle.. you know is stirring down in the bowels of your hard drive just waiting to spit up like a new born baby...;) Good Luck to all and IF anyone has or knows something different PLEASE PLEASE let me know.. I know I am far from through on this ..

     


    MsRobie

    Wednesday, March 4, 2015 10:30 PM
  • MsRobie,

    I think what you have added here is along the lines of what I am seeing on my network. PCs in the office are randomly being booted from the network; during this the PC itself freezes until the network cable is removed.

    I have 280 occurrences in my latest report.

    Can you go into more detail on what you did to stop this error from happening?

    You mentioned going in and manually overriding the channels?

    Also, to everyone else on this post, can you tell me if my issues are related? Schannel 36888 error 1203 has only just started to show alongside the crashing systems.

    All PCs are Windows 7 PRO 64bit

    Server is SBS2011, running Exchange, Forefront and SharePoint

    Any help welcome 

    Thanks 

    Brian 

    Friday, March 6, 2015 12:56 PM
  • I am getting this error on a Windows Server 2012 R2 without any mail client installed, so I am guessing that your suspected apps are not the cause.
    Friday, May 29, 2015 2:11 PM
  • I had the same problem and in my case, the audit GPOs were causing the problem. After un-linking and editing, the problem was solved.

    I did not find anything on the internet similar to my answer and I lost two days debugging.

    But in the end it worked like a charm.

    Wednesday, April 6, 2016 3:01 PM
  • My server is a standalone, so no GPO.
    Monday, April 18, 2016 4:03 PM
  • I realize this is an old thread, but I can't seem to find any solutions to my problem. Getting the same error Event ID: 36888, however the Windows SChannel error state is 10. Are the error states published anywhere?

    I am getting Error 36888 logged on the server 4 times every minute, so all 4 errors would have the same time stamp (4:11:23 PM) and then a minute later (4:12:23 PM) errors would repeat. 

    Network monitor shows 4 LDAP streams terminated at the same time as the errors are logged.

    The server sends an unbindRequest packet to the domain controller and gets an RST packet instead of the FIN.

    If I attempt to access this URL HTTP://SERVER:443 I get Schannel error logged with state 1203, which is not the state I am troubleshooting.

    Any help is greatly appreciated. 

    Thanks


    Monday, June 27, 2016 8:46 PM
  • After about 1 year having the same problem that you’ve reported here, I finally found the solution, at least for my problem. I have a Windows Server 2012 to which several clients connect through a socket to exchange information: Customers, Products, Sales, etc.

    Every once in a while (more than less) the clients got disconnected (Winsock error 10054: connection has been reset) and I see in the event viewer a “SCHANNEL 36888” event, right at the same time when the client got disconnected.

    It has nothing to do with IIS or any other product it’s just the “Security Provider” of Microsoft (I suppose).  

    The solution I finally found is this:

    At the server side launch regedit and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

    In there you’ll find a subkey named “Client”, and it contains a REG_DWORD value “DisableByDefault = 1”, which is just fine; if it is not 1, change it to 1, which is what we need.

    Now (the magic part), you need to create another subkey under SSL 2.0 (at the same level as “Client”), call it “Server”, and inside that Server key create a REG_DWORD value, name it “Enabled” and put a value of 0 (zero); see the image. Well, after I press the Submit button they don't allow me to put images (security provider I guess), so I put it in text, but it's not the same:

    . . . . .
    Protocols
         SSL 2.0
             Client
             Server

    Inside Client: DisableByDefault = 1

    Inside Server: Enabled = 0

    Image: (Not allowed, sorry)

    Restart the server and I hope it helps; I’ve got no more disconnects since then.

    Okay, I'm sorry, but after a week of working it started to fail again. So, this solution may work in part but for some reason it's not working now; maybe a Windows update, or simply I was lucky for a week.


    • Edited by J-A-Mesa Friday, July 29, 2016 8:42 AM
    Monday, July 25, 2016 6:32 PM
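
Added example, not the poster's or Microsoft's code: a PowerShell equivalent of the regedit steps in the post above, with a before/after listing of every per-protocol override so the change can be checked. The function names are hypothetical, the value name DisabledByDefault is the spelling Schannel documents (the post writes DisableByDefault), and an elevated session is assumed.

```powershell
# Added example: list Schannel protocol overrides and apply the SSL 2.0 settings from the post.
$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per Protocols\<protocol>\<Client|Server> key; blank cells mean the value is not set.
    foreach ($proto in Get-ChildItem -Path $Protocols -ErrorAction SilentlyContinue) {
        foreach ($role in Get-ChildItem -Path $proto.PSPath) {
            $p = Get-ItemProperty -Path $role.PSPath
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Role              = $role.PSChildName
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

function Set-SchannelProtocolValue([string]$Protocol, [string]$Role, [string]$Name, [int]$Value) {
    $path = Join-Path (Join-Path $Protocols $Protocol) $Role
    # Create the subkey (for example "Server") when it does not exist yet.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

Get-SchannelProtocolState | Format-Table -AutoSize      # state before the change

Set-SchannelProtocolValue 'SSL 2.0' 'Client' 'DisabledByDefault' 1
Set-SchannelProtocolValue 'SSL 2.0' 'Server' 'Enabled' 0

Get-SchannelProtocolState | Format-Table -AutoSize      # state after the change
```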
  • - System 

      - Provider 

       [ Name]  Schannel 
       [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85} 
     
       EventID 36888 
     
       Version 0 
     
       Level 2 
     
       Task 0 
     
       Opcode 0 
     
       Keywords 0x8000000000000000 
     
      - TimeCreated 

       [ SystemTime]  2016-09-25T18:06:04.807584300Z 
     
       EventRecordID 43430 
     
       Correlation 
     
      - Execution 

       [ ProcessID]  628 
       [ ThreadID]  2076 
     
       Channel System 
     
       Computer xxx-xxx.local 
     
      - Security 

       [ UserID]  S-1-5-21-3279460019-2879344672-4121823168-1148 
     

    - EventData 

      AlertDesc 48 
      ErrorState 552 

    • Edited by MAyubi Tuesday, September 27, 2016 7:25 AM
    Tuesday, September 27, 2016 7:24 AM
  • Which audit GPO's were causing your problem? Was there a specific policy that was causing the error?
    Wednesday, October 26, 2016 2:16 AM
  • Hello, I started to experience this same error with a Windows 7 pro trying to connect via RDWeb to a Windows server 2012.

    The client gets the applications served, but when trying to launch an app, it gets that error, and the connection fails:

       "Error TLS is 10. Error Schannel is 1203". Origin: Schannel. Event ID: 36888.

    I installed a certificate on the client, but I would say that I am completely sure that is the certificate exported from the server, and the same certificate installed on other clients at the present, that are not experiencing any problem at all.

    May you please clarify a bit more your comment that "multiple certificates for Server authentication on the web server generating this response on the client" was the problem?

    You mean that there were several certificates installed on the server at the same time and that caused the problem? 

    thanks!

    Sergio.

    Friday, November 4, 2016 11:39 PM
  • Hello,

    In my scenario, the server has neither IIS nor Exchange, but I'm still getting the error below.

    Server 2008 R2 Snd x64

    The following fatal alert was generated: 20. The internal error state is 960.  

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2016-11-09T19:00:00.949242500Z" />
        <EventRecordID>432308</EventRecordID>
        <Correlation />
        <Execution ProcessID="616" ThreadID="6524" />
        <Channel>System</Channel>
        <Computer>XXXXXXXXXXX</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">20</Data>
        <Data Name="ErrorState">960</Data>
      </EventData>
    </Event>


    Friday, November 11, 2016 11:26 AM