Mark Minasi's Reader Forum
 2008 R2 SP1 DC with schannel 36887 error

Rastor728
Major Contributor

USA
813 Posts

Posted - 08/22/2011 : 3:44:52 PM
I have a brand new 2008 R2 Enterprise Domain Controller (SP1 and fully patched) that is generating an event 36887 schannel error "fatal alert 46" message about every four minutes.

The only installed role is Active Domain Services and DNS; the only "Features" installed are WINS and Group Policy Management.

Everything I find is rather vague, or it only relates to IIS, SSL, or Exchange, none of which is installed or running on this computer.

Any "new" ideas?

For me, the worst part of playing golf, by far, has always been hitting the ball...Dave Barry

wkasdo
Administrator

Netherlands
7678 Posts

Posted - 08/22/2011 : 4:16:22 PM
Can you post the full event?

Make it as simple as you can, but not simpler -- Albert Einstein

Rastor728
Posted - 08/24/2011 : 09:40:45 AM
quote:
Originally posted by wkasdo

Can you post the full event?



Log Name: System
Source: Schannel
Date: 8/24/2011 6:39:59 AM
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: server.domain.ORG
Description:
The following fatal alert was received: 46.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36887</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2011-08-24T13:39:59.630600600Z" />
<EventRecordID>4805</EventRecordID>
<Correlation />
<Execution ProcessID="496" ThreadID="1140" />
<Channel>System</Channel>
<Computer>server.domain.ORG</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">46</Data>
</EventData>
</Event>

wkasdo
Posted - 08/24/2011 : 10:06:13 AM
That was helpful. According to my information, your "server.domain.org" has a problem with a certificate, probably an invalid one. It's not a problem with the DC functionality.

Rastor728
Posted - 08/24/2011 : 10:23:11 AM
quote:
Originally posted by wkasdo

That was helpful. According to my information, your "server.domain.org" has a problem with a certificate, probably an invalid one. It's not a problem with the DC functionality.


But it didn't happen to say which/what certificate it was having trouble with, did it?

As a stand-alone server this was not generating this error, but after it was promoted it has been.

I don't have this error showing up on my other DCs, which are Windows 2008 STD servers (one virtual, and one physical).

wkasdo
Posted - 08/24/2011 : 10:38:33 AM
So, what machine is server.domain.org? That's the one you should be looking at.

Rastor728
Posted - 08/24/2011 : 11:17:16 AM
quote:
Originally posted by wkasdo

So, what machine is server.domain.org? That's the one you should be looking at.



That is the new domain controller, and the errors are from its System Log.

There are no similar errors in either of the other DCs or in the CA's logs.

wkasdo
Posted - 08/24/2011 : 11:22:29 AM
So does it have IIS? Or anything else that might use a certificate? 3rd party app, maybe?

(edit)

Wait, you already said you don't have IIS. What about any other apps, then? The info I see points 100% to a certificate problem.

Rastor728
Posted - 08/24/2011 : 11:43:06 AM
quote:
Originally posted by wkasdo

So does it have IIS? Or anything else that might use a certificate? 3rd party app, maybe?

(edit)

Wait, you already said you don't have IIS. What about any other apps, then? The info I see points 100% to a certificate problem.



That is what has me confused.

I have only installed the AD Service role, and the WINS and SNMP features.

wkasdo
Posted - 08/24/2011 : 11:55:04 AM
OK. Can you take a network trace, and look for attempted SSL connections? That solved a number of cases.

Functionally, this may not be a problem. The error indicates that an SSLv1 attempt was rejected, but does not exclude further successful connections.

wkasdo
Posted - 08/24/2011 : 11:58:05 AM
Of course, this does imply some sort of app doing this. Maybe systems management, AV whatever. It's not default Windows behaviour .... AFAIK ;-)

Btw, check HKLM\system\ccs\control\security\providers\schannel\ for value Event Logging. If it has a value, try setting it to 0. That should stop the messages. Not sure if that is the smart thing to do, though; if there is a problem you need to know about it.

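Added example, not part of any post in this thread: PowerShell that decodes the AlertDesc field of Schannel event 36887 with the TLS alert table from RFC 5246, and reads the EventLogging value discussed above instead of changing it. The function names are hypothetical, the sample XML is trimmed from the event posted earlier in the thread, and the registry path is written out as the full SecurityProviders\SCHANNEL key; syntax is kept PowerShell 2.0 compatible.

```powershell
# TLS alert descriptions from RFC 5246, section 7.2 (the codes Schannel logs in AlertDesc).
$TlsAlerts = @{
    10 = 'unexpected_message';   20 = 'bad_record_mac';          40 = 'handshake_failure'
    42 = 'bad_certificate';      43 = 'unsupported_certificate'; 44 = 'certificate_revoked'
    45 = 'certificate_expired';  46 = 'certificate_unknown';     47 = 'illegal_parameter'
    48 = 'unknown_ca';           49 = 'access_denied';           50 = 'decode_error'
    51 = 'decrypt_error';        70 = 'protocol_version';        80 = 'internal_error'
}

function ConvertFrom-SchannelAlertXml {
    # Hypothetical helper: decodes one event given its XML (e.g. from $event.ToXml()).
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e    = ([xml]$EventXml).Event
        $data = $e.EventData.Data | Where-Object { $_.Name -eq 'AlertDesc' }
        $code = [int]$data.'#text'
        $name = $TlsAlerts[$code]
        if (-not $name) { $name = 'not in table' }
        New-Object PSObject -Property @{
            Time      = $e.System.TimeCreated.SystemTime
            Computer  = $e.System.Computer
            AlertCode = $code
            AlertName = $name
        }
    }
}

function Get-SchannelAlertSummary {
    # Hypothetical helper for the DC itself: count recent 36887 events per alert,
    # then show the current Schannel EventLogging level (read only, nothing is changed).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887 } -MaxEvents 200 |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SchannelAlertXml |
        Group-Object AlertCode, AlertName | Select-Object Count, Name
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    (Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
}

# Sample input: the event from this thread, trimmed to the fields the parser reads.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>36887</EventID>
    <TimeCreated SystemTime="2011-08-24T13:39:59.630600600Z" />
    <Computer>server.domain.ORG</Computer>
  </System>
  <EventData><Data Name="AlertDesc">46</Data></EventData>
</Event>
'@
$sample | ConvertFrom-SchannelAlertXml
```

Event 36887 records an alert that the remote endpoint sent, so the decoded name describes how the peer reacted to the handshake; the network trace suggested above is what identifies that peer.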

Rastor728
Posted - 08/24/2011 : 12:28:44 PM
I will take a look at my System Center Essentials to see if that agent is installed and running correctly. I remember seeing a certificate in the Enterprise Trust from that system.


Mark Minasi's Reader Forum © 2002-2011 Mark Minasi