Schannel Errors 36874 and 36888

  • Question

  • Greetings,

    The scenario is the following: 1 Windows Server 2008 R2 SP1 (patched up to date).

    There are two errors that show every 10 seconds:

    Log Name:      System
    Source:        Schannel
    Date:          19/07/2012 14:59:58
    Event ID:      36874
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      Server.Mydomain.com
    Description:
    An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36874</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-19T19:59:58.511146300Z" />
        <EventRecordID>5908</EventRecordID>
        <Correlation />
        <Execution ProcessID="484" ThreadID="524" />
        <Channel>System</Channel>
        <Computer>Server.Mydomain.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Protocol">SSL 3.0</Data>
      </EventData>
    </Event>

    Log Name:      System
    Source:        Schannel
    Date:          19/07/2012 14:59:58
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      Server.Mydomain.com
    Description:
    The following fatal alert was generated: 40. The internal error state is 107.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-19T19:59:58.511146300Z" />
        <EventRecordID>5909</EventRecordID>
        <Correlation />
        <Execution ProcessID="484" ThreadID="524" />
        <Channel>System</Channel>
        <Computer>Server.Mydomain.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">40</Data>
        <Data Name="ErrorState">107</Data>
      </EventData>
    </Event>

    Note: This server has IIS installed (requirement for web console of System Center Operations Manager 2012)

    The questions are:

    Is this behavior normal?

    If not,

    How to fix this problem?

    Thanks in advance!

    Tuesday, July 24, 2012 9:18 PM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    If everything is working fine, it is OK that we just turn off the reporting of these two errors.

    We can check the information in this thread:

    Getting Schannel 36874 errors on my CAS/HT servers

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/7b95a21c-67fc-49a9-8198-b9e364523d27/

    Also if you need any help regarding IIS, we can seek help in our IIS forum:

    Internet Information Server (IIS)

    http://social.technet.microsoft.com/Forums/en-US/iises/threads

    Hope the information can be useful to you.

    Regards

    Kevin
    • Proposed as answer by ARNAERT Marc Wednesday, July 25, 2012 9:15 AM
    • Unproposed as answer by ARNAERT Marc Wednesday, July 25, 2012 9:15 AM
    • Marked as answer by 朱鸿文 Wednesday, August 1, 2012 1:37 AM
    Wednesday, July 25, 2012 2:55 AM
  • Hi

    I had the same problem, which I solved by putting the numeric value 0 into the registry located at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    regards,

    Wednesday, July 25, 2012 9:16 AM
  • Hi Kevin Zhu,

    I would like to know what is the meaning of 40 and what is the meaning of 107 in the following message (second above error):

    "The following fatal alert was generated: 40. The internal error state is 107."

    Thanks!

    Wednesday, July 25, 2012 4:18 PM
  • Hi,

    This error can be received due to an incompatible browser problem, where the SSL 3.0 connection request cannot be handled.

    As discussed, we can modify that registry key to disable the additional secure channel event logging if everything works fine.

    Also we can check the thread below. It mentioned another scenario in which the "The following fatal alert was generated: 40. The internal error state is 107." error could be received:

    Why does Windows SSL Cipher-Suite get restricted under certain SSL certificates?

    http://serverfault.com/questions/166750/why-does-windows-ssl-cipher-suite-get-restricted-under-certain-ssl-certificates

    (Note: Since the site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    Regards

    Kevin
    • Marked as answer by 朱鸿文 Wednesday, August 1, 2012 1:37 AM
    Thursday, July 26, 2012 2:21 AM
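The decoding the reply above does not spell out, as an added example that is not part of any post in this thread: the AlertDesc of a 36888 event is the TLS AlertDescription code from RFC 5246 section 7.2, and 40 is handshake_failure, the alert a server sends when it cannot agree on a protocol or cipher suite with the client, which is why it is logged in the same second as the 36874 event. ErrorState is an internal Schannel state number that Microsoft does not document, so 107 cannot be decoded from public sources. The PowerShell below parses the two events pasted in the question (embedded as sample input, trimmed to the fields used) and can also pull live records with Get-WinEvent; the function names are this example's own.

```powershell
# Added example, not from any poster in this thread: decode Schannel 36874/36888
# events into readable records. Function names are this example's own choice.

# AlertDesc values are TLS AlertDescription codes (RFC 5246, section 7.2).
# ErrorState is an internal Schannel code that Microsoft does not document.
$AlertNames = @{
    0  = 'close_notify';        10 = 'unexpected_message';     20 = 'bad_record_mac'
    22 = 'record_overflow';     30 = 'decompression_failure';  40 = 'handshake_failure'
    42 = 'bad_certificate';     43 = 'unsupported_certificate'; 44 = 'certificate_revoked'
    45 = 'certificate_expired'; 46 = 'certificate_unknown';    47 = 'illegal_parameter'
    48 = 'unknown_ca';          49 = 'access_denied';          50 = 'decode_error'
    51 = 'decrypt_error';       70 = 'protocol_version';       71 = 'insufficient_security'
    80 = 'internal_error';      90 = 'user_canceled';          100 = 'no_renegotiation'
    110 = 'unsupported_extension'
}

function ConvertFrom-SchannelEvent {
    # Takes the <Event> element of a Schannel record (from Get-WinEvent's .ToXml()
    # or pasted from Event Viewer) and returns one summary object per event.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Xml.XmlElement]$EventXml)
    process {
        $data = @{}
        foreach ($d in @($EventXml.EventData.Data)) { $data[$d.Name] = $d.'#text' }
        $id = [int]$EventXml.System.EventID
        $summary = switch ($id) {
            36874 { "client offered no cipher suite the server enables (protocol: $($data.Protocol))" }
            36888 {
                $code = [int]$data.AlertDesc
                $name = if ($AlertNames.ContainsKey($code)) { $AlertNames[$code] } else { 'unknown' }
                "server sent fatal alert $code ($name); ErrorState $($data.ErrorState) is Schannel-internal"
            }
            default { "Schannel event $id (not decoded here)" }
        }
        [pscustomobject]@{
            Time     = [System.Xml.XmlConvert]::ToDateTime($EventXml.System.TimeCreated.SystemTime,
                           [System.Xml.XmlDateTimeSerializationMode]::Utc)
            Computer = $EventXml.System.Computer
            EventId  = $id
            Summary  = $summary
        }
    }
}

function Get-SchannelFailure {
    # Live query: the two events from the System log for the last N hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'
                                     Id = 36874, 36888; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ([xml]$_.ToXml()).Event } |
        ConvertFrom-SchannelEvent
}

# Sample input: the two events pasted in the question, trimmed to the fields used here
# and wrapped in one <Events> root so they parse as a single document.
$sample = [xml]@'
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Schannel"/><EventID>36874</EventID>
   <TimeCreated SystemTime="2012-07-19T19:59:58.511146300Z"/><Computer>Server.Mydomain.com</Computer></System>
  <EventData><Data Name="Protocol">SSL 3.0</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Schannel"/><EventID>36888</EventID>
   <TimeCreated SystemTime="2012-07-19T19:59:58.511146300Z"/><Computer>Server.Mydomain.com</Computer></System>
  <EventData><Data Name="AlertDesc">40</Data><Data Name="ErrorState">107</Data></EventData>
 </Event>
</Events>
'@

$sample.Events.Event | ConvertFrom-SchannelEvent | Format-Table -AutoSize
# On the affected server, replace the sample with:  Get-SchannelFailure -Hours 1
```

Neither event records the peer address, so a steady every-10-seconds pattern like the one in the question is best attributed by correlating the timestamps with the IIS W3C logs or a packet capture on port 443; the ClientHello in the capture shows exactly which protocol version and cipher suites the client offered.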
  • Disabling logging of events simply to "hide the error" is never good security practice.

    To understand what the zero (0) does at this Registry key, have a look at "How to enable Schannel event logging in IIS" (http://support.microsoft.com/en-us/kb/260729).

    A better solution is to configure appropriate cipher suites that your IIS web server supports. See the OpenSSL cookbook for an ordered list of cipher suites: https://www.feistyduck.com/books/openssl-cookbook/

    In 2015, that means disabling SSL v2 and SSL v3.


    Friday, April 10, 2015 12:34 AM
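One way to follow the advice in the post above on a 2008 R2 IIS host, as an added example that is not from any poster in this thread: leave Schannel event logging at its default and change the protocol configuration instead. The EventLogging values are the ones documented in KB 260729 and the Protocols subkeys are the documented Schannel settings; the function names are this example's own. Run it elevated on a test machine first; protocol changes take effect after a reboot.

```powershell
# Added example, not from any poster in this thread: keep Schannel logging on and
# fix the negotiation instead. Function names are this example's own; the registry
# paths and values are the documented Schannel ones. Run elevated; reboot afterwards.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEventLogging {
    # EventLogging (KB 260729): 0 = nothing, 1 = errors (default), 2 = warnings,
    # 3 = errors and warnings, 4 = informational, 7 = everything.
    $v = (Get-ItemProperty -Path $Schannel -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $v) { 1 } else { [int]$v }   # an absent value means the default, 1
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled,
        [ValidateSet('Server','Client')][string[]]$Side = @('Server','Client')
    )
    foreach ($s in $Side) {
        $key = "$Schannel\Protocols\$Protocol\$s"
        if ($PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enabled)")) {
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 switches the protocol off even for callers that request it
            # explicitly; DisabledByDefault=1 additionally keeps it out of the default
            # set offered to applications that do not name a protocol.
            New-ItemProperty -Path $key -Name Enabled -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Audit view: one row per protocol and side; missing values mean the OS default applies.
    foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($s in 'Server','Client') {
            $props = Get-ItemProperty -Path "$Schannel\Protocols\$p\$s" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Baseline: make sure TLS 1.2 is explicitly on before removing anything, so clients
# still have something to negotiate; then drop SSL 2.0 and SSL 3.0 (POODLE).
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false

# Undo the "hide the error" change if someone applied it: restore the default of 1.
if ((Get-SchannelEventLogging) -eq 0) {
    Set-ItemProperty -Path $Schannel -Name EventLogging -Value 1 -Type DWord
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Add -WhatIf to the Set-SchannelProtocol calls to preview the registry writes. Treat TLS 1.0 separately on 2008 R2, since other services on that platform (RDP, older .NET clients) may still depend on it. On Windows, the equivalent of the cookbook's ordered cipher list is the SSL Cipher Suite Order policy (the Functions value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002). After the reboot, verify from outside with nmap --script ssl-enum-ciphers -p 443 against the host: SSLv3 should no longer be listed, and any client that still produces 36874/36888 is now a real finding to chase rather than noise to silence.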
  • Disabling logging of events simply to "hide the error" is never good security practice.


    Amen & thank you for restating what I've been saying for years now.  It seems this is always the answer from MSSupport: stop logging the error & the problem goes away.  SMDH. 

    We're logging the event for a reason: we want to know when an error occurs and what the error code means; only then can we determine whether or not the error is something to address. 

    For example, we went to great strides to ensure we protected our servers against Heartbleed, Shellshock, Poodle... etc., etc., etc. & now we want to know if any of those changes negatively impacted our clients. If so, we can work with the client to ensure they are using a compatible browser or, in the case that they aren't & are unable to, we can take steps to mitigate the errors without affecting security.

    How, in 2015, Microsoft Support can offer the suggestion that disabling logging is the answer to ANYTHING is beyond me.

    Tuesday, September 22, 2015 11:58 AM
    If everything works... the error is just the result of "trial and error" between two services creating a secure connection.

    So if everything works.... disable the notification because you don't care to see the normal trial and error that leads up to the successful connection.

    This is a 100% correct answer.    

    Stop trashing people for things you don't understand. 

    Thursday, July 26, 2018 8:20 PM
  • Stop trashing people for things you don't understand. 

    Wow, posting on a six year old thread for a negative comment? Seriously?

    As stated above, it is best practice to investigate any and all errors. Afterwards, take the appropriate action. If the appropriate action is to disable the alert via a Registry setting, so be it.

    As per the OP, why flag this as an error with a red icon in the Event log? This red icon error means action must be taken to fix a broken situation. All the replies to the poster indicate that this is actually a situation that can be ignored. If that is the case, why not set this at a warning level by default?

    Thursday, July 26, 2018 10:35 PM