The following fatal alert was generated: 10. The internal error state is 1203

Question


  • <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-03-26T05:03:01.729897900Z" />
        <EventRecordID>177401</EventRecordID>
        <Correlation />
        <Execution ProcessID="504" ThreadID="8948" />
        <Channel>System</Channel>
        <Computer>myexchange.adserver.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">1203</Data>
      </EventData>
    </Event>


    Pls help

    Thanks

    Prakash

    • Edited by

      Monday, March 26, 2012 8:56 AM

Answers

  • This event is expected, as the client is trying to use the wrong port or the wrong protocol to access the site.

    So if a user tries to reach OWA using HTTP instead of HTTPS, you would get this event (unless you have configured forwarding from HTTP to HTTPS on the server).

    • Proposed as answer by
      Terence Yu
      Tuesday, March 27, 2012 2:35 AM
    • Marked as answer by
      Terence Yu
      Tuesday, April 3, 2012 6:33 AM

  • The key part is that you can ignore the error. I see these all the time.

    • Proposed as answer by
      Terence Yu
      Tuesday, March 27, 2012 2:35 AM
    • Marked as answer by
      Terence Yu
      Tuesday, April 3, 2012 6:33 AM

A very common error appears in the event log of Windows PCs with event ID 36888, stating “Schannel Event 36888: the following fatal alert was generated: 10. The internal error state is 1203”. This error may occur a couple of times a day, but there is nothing to worry about, because it can be dealt with by following the simple steps explained in this article.

Schannel Event 36888: the following fatal alert was generated: 10. the internal error state is 1203 on Windows System Event Log


This error has been reported by users around the globe, and there is one major cause considered responsible for it. The event occurs when a client uses the wrong protocol: for example, it tries to access HTTP but specifies the SSL port in the URL, or it tries to log in to OWA using HTTP instead of HTTPS.

What to do if you get the “Schannel Event 36888: the following fatal alert was generated: 10. The internal error state is 1203” error?

Solution 1: Edit Group Policies

If you encounter this error message, try to edit your group policies by following the instructions given below:

  1. In the taskbar, click the search button. Type Group Policy Editor and open it.
  2. In the left pane, click Computer Configuration and then click Administrative Templates.
    Administrative Templates
  3. Now click System.
  4. Locate and click Distributed COM and then click Application Compatibility. In the right pane, double-click Allow local activation security check exemptions.
    Allow local activation security check exemptions
  5. Click Enabled in the window that appears and then click OK.
  6. Restart your computer and check if the issue is resolved.

Solution 2: Disable Schannel Event Logging

If you still can’t get rid of this error, try disabling Schannel event logging. Follow the steps below to carry this out:

  1. In the taskbar, click the search button. Type Registry Editor and open it.
  2. Click Yes if your system asks for permission.
  3. In the left pane, locate and click HKEY_LOCAL_MACHINE and then click System.
  4. Now click CurrentControlSet and then click Control.
    Opening the Control location
  5. Now scroll down and click SecurityProviders and, from the components listed below it, click Schannel.
    Schannel
  6. In the right pane, click EventLogging.
  7. Make sure that the EventLogging DWORD value data is set to 0x0000.
  8. Set the base to Hexadecimal and click OK.
    Setting parameters
  9. Restart your PC and check if the problem is resolved.



Question

  • Hi,

    I searched on the Internet, but I am unable to find why this error is occurring.

    It has flooded my Event Viewer; this error pops up at an interval of 1 minute (meaning the frequency is 1 minute).

    I don’t have IIS installed.

    This server is purely a domain controller and no other role has been added.

    Please suggest what I should do.

    Server OS: Windows Server 2008 R2 Standard Edition

    More detail:

    Log Name:      System
    Source:        Schannel
    Date:          6/28/2012 6:06:11 PM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      QKSRVDC212.Corp.abc.com
    Description:
    The following fatal alert was generated: 10. The internal error state is 1203.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36888</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-28T12:36:11.801245500Z" />
        <EventRecordID>9305</EventRecordID>
        <Correlation />
        <Execution ProcessID="524" ThreadID="3516" />
        <Channel>System</Channel>
        <Computer>QKSRVDC212.Corp.abc.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">10</Data>
        <Data Name="ErrorState">1203</Data>
      </EventData>
    </Event>


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

    • Edited by

      Friday, June 29, 2012 6:42 AM

Answers

    • Marked as answer by
      Boo_MonstersInc
      Friday, July 6, 2012 5:20 AM

Schannel fatal error 10 1203

Question

I have a server, running Server 2012 R2 Standard, and it is generating the following error in the Event Logs nearly 100 times per day.

Log Name: System

General: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

Now, I have done a TON of searching online, and the only explanations that I have found relates to TLS and IIS. However: 1) This is a server and nobody is using the server to access the internet, so solutions related to IE are not the issue, and 2) This server is not running IIS, so I can’t see this being the issue.

Is there ANYONE that has a solution other than "ignore it" or "turn off logging"?

Thanks for your post.

If everything is working fine, it is OK that we just turn off the error reporting.

There is a good explanation of this in the following article:

SChannel Errors on SCOM Agent

Why Schannel EventID 36888 / 36874 Occurs and How to Fix It

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

We can check the information in this thread:

Schannel Errors 36874 and 36888

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


Not especially helpful. No.

My last sentence in my post was: "Is there ANYONE that has a solution other than 'ignore it' or 'turn off logging'?"

Your reply was to just turn off the error reporting.

I’m so damn sick of Microsoft’s "just ignore it" response to these types of Events.

This is a server. I don’t like to have ANY Error-class Event IDs in my logs, especially those that occur a multitude of times during the course of a day.

If it wasn’t for certain application software that needs the MS environment, I would be jumping ship to some flavor of linux.

There is obviously a reason for these events being logged. I’ve pursued all of the advice that I could find online, which mostly pertains to IIS, which this server is not running. As these messages reference potential security issues, I would think that it would be important to address the underlying cause of these Events and not just IGNORE them!!


Schannel fatal error 10 1203

Question

We have Exchange 2010 SP2 with all roles installed on one Windows 2008 R2 server.

We renewed our SSL certificate for Exchange a few days ago.

And we got the following error in Event Viewer.

Error 36888 Schannel: The following fatal alert was generated: 10. The internal error state is 1203.

Answers

This event is expected, as the client is trying to use the wrong port or the wrong protocol to access the site.

So if a user tries to reach OWA using HTTP instead of HTTPS, you would get this event (unless you have configured forwarding from HTTP to HTTPS on the server).

The key part is that you can ignore the error. I see these all the time.

The errors are coming from Windows Server 2008 R2 (IIS to be more particular).

If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged.

This event is expected, as the client is trying to use the wrong port or the wrong protocol to access the site.

The error 1203 indicates invalid ClientHello from the client.

This is by design and you can ignore this warning.

This question has been asked and answered several times in the last few weeks. A search would have answered your question quicker.

To remove the errors you can use the following article:

Thanks for your reply. I searched a lot before posting to the forum, and I know the error can be disabled, but we need to find its root cause.

We have been using Exchange for a long time and never faced this type of error.

This type of error started about a week ago.

We renewed our Exchange SSL certificate a few days ago.

Is it related to the Exchange SSL certificate?

The key part is that you can ignore the error. I see these all the time.

This event is expected, as the client is trying to use the wrong port or the wrong protocol to access the site.

So if a user tries to reach OWA using HTTP instead of HTTPS, you would get this event (unless you have configured forwarding from HTTP to HTTPS on the server).

Well no, that’s not a fix. A fix would be finding out WHAT client is accessing incorrectly and fixing it so the error goes away.

I’m getting almost the same error, but it’s a 1207, not a 1203, but it just bugs me when people say "oh, that’s expected behavior". Sorry, no, expected behavior is clients using the CORRECT PORT to access the CORRECT SERVER.

Sure, an occasional error is no big deal, but we’re getting 2-3 of these PER MINUTE. Something is broken, and ignoring this just floods valid errors out of the event log.

Ever find an answer John ?

Nope, never did — also, it should be noted I went by the error number on my forum search, but this is not on an exchange server, it’s on a Server 2008R2 firewall server.

You can understand why I might be a bit perturbed over unexplained security issues on a firewall.

It’s driving me crazy. It’s absolutely flooding the event log.

Well no, that’s not a fix. A fix would be finding out WHAT client is accessing incorrectly and fixing it so the error goes away.

I’m getting almost the same error, but it’s a 1207, not a 1203, but it just bugs me when people say "oh, that’s expected behavior". Sorry, no, expected behavior is clients using the CORRECT PORT to access the CORRECT SERVER.

Sure, an occasional error is no big deal, but we’re getting 2-3 of these PER MINUTE. Something is broken, and ignoring this just floods valid errors out of the event log.

I totally agree with you on this, and even Microsoft agrees! "The following alert was generated: 10" (from eventID.net) means "unexpected_message", and according to the TechNet article How TLS/SSL Works that means "Received an inappropriate message. This alert should never be observed in communication between proper implementations. This message is always fatal."

Mark the last word «fatal».

Would be nice to have an official way of troubleshooting this message and getting rid of it properly and not just silence/mute it.

One thing I did find out is that you can get more verbose logging from schannel using the following registry settings:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
Value Name: EventLogging
Value Type: REG_DWORD
Value Data: 7

After troubleshooting set it back to 1, because it fills the system eventlog in no time.

WHO is using an invalid port in the URL? This has to be a machine process that is constructing the URL. My users do not use a browser to get email, just an Outlook client or an iPhone/Android app. In addition, the few that use OWA are factory workers clicking a link that does not specify a port. They don’t know a port number from a hole in the wall.

I am with those who say ignoring the error is no solution. It fills up the event log, and gives Microsoft something to blame a problem on when they see it.

This answer is incorrect and needs to be deleted. It is misleading.

If this were true, I could try to access my web site using the wrong protocol and generate tons of these errors. I cannot do this. From my phone, my tablet, my laptop, my computer, another server, someone else’s laptop and computer, my dev PC, my server, or another server.

Something else is causing the error, none of these machines could replicate the log entry.

I know this thread is a bit old, but I thought a recent experience might be nice to add, for future reference 😛

We had a strange outage on one of our servers after someone apparently used gpedit to check the SSL Cipher Suite Order (gpedit.msc / Administrative Templates / Network / SSL Configuration Settings / SSL Cipher Suite Order) and managed to save a non-working setup. This leaves a nice little time bomb that will activate on the next boot, and in our case it left our server unable to establish any type of secure channel (even RDP connections). The solution then was to set this setting to "Not Configured" and reboot the server.

We also had these:

"An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

I also had the "The following fatal alert was generated: 10. The internal error state is 1203." errors in Event Viewer, repeating every 1 to 2 minutes. I also have IIS installed on my Windows Server 2008 R2 but am not using it (it is not configured).

I ran a third-party utility called "TcpLogView" from Nirsoft, which shows you connections made to the server ports in real time, and I saw 2 IPs trying to connect to port 443 at regular intervals of 1 to 2 minutes.

I blocked those two IPs in the firewall and that also stopped the "fatal alert" errors appearing in Event Viewer. So apparently that’s what was causing it. Whether that is normal and would be caused by a legitimate website visitor (if I had the server configured and open), or whether the "attacker" was doing something unusual to connect, I don’t know. But if you have a server online it is very normal to see hackers sniffing around, port scanning and trying to connect to/exploit every little service that’s open. You just have to have tools handy and monitor the activity from time to time.
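The last two posts do by hand what can be scripted: count the 36888 records, check whether they recur on a fixed interval (the 1 to 2 minute cadence reported above is the signature of a scripted client or scanner rather than of users), and decode the TLS alert code and the EventLogging registry value discussed earlier in the thread. The following Python is an added example, not code from any of the threads; it parses the event XML format quoted above (as exported, for instance, with wevtutil), and the sample records, the host name srv01.example.test and the helper names are constructed for illustration.

```python
"""Triage Schannel event 36888 records exported as XML, for example with
    wevtutil qe System /q:"*[System[EventID=36888]]" /f:xml
Added example, not code from the forum threads; the sample records are constructed."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# AlertDesc is the TLS AlertDescription byte (RFC 5246, section 7.2); the threads show 10.
TLS_ALERT_NAMES = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
                   42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
                   70: "protocol_version", 80: "internal_error"}
# Bits of the SCHANNEL\EventLogging DWORD as documented by Microsoft (0 = nothing, 7 = all).
EVENTLOGGING_BITS = {1: "errors", 2: "warnings", 4: "informational and success"}

@dataclass
class SchannelAlert:
    time: datetime
    record_id: int
    alert_desc: int   # <Data Name="AlertDesc">: the TLS alert that was sent
    error_state: int  # <Data Name="ErrorState">: Schannel's internal state, e.g. 1203

    @property
    def alert_name(self) -> str:
        return TLS_ALERT_NAMES.get(self.alert_desc, f"unknown({self.alert_desc})")

def _parse_time(value: str) -> datetime:
    """SystemTime carries 7-9 fractional digits; strptime's %f accepts at most 6."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected SystemTime: {value!r}")
    micros = (m.group(2) or "0")[:6].ljust(6, "0")
    stamp = datetime.strptime(f"{m.group(1)}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return stamp.replace(tzinfo=timezone.utc)

def parse_events(xml_text: str) -> list[SchannelAlert]:
    """wevtutil emits a bare sequence of <Event> elements, so wrap them in one root."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    alerts = []
    for ev in root.iter(f"{NS}Event"):
        system = ev.find(f"{NS}System")
        if system is None or system.findtext(f"{NS}EventID") != "36888":
            continue  # other Schannel events (e.g. 36874) carry different Data fields
        data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{NS}Data")}
        alerts.append(SchannelAlert(
            time=_parse_time(system.find(f"{NS}TimeCreated").get("SystemTime")),
            record_id=int(system.findtext(f"{NS}EventRecordID")),
            alert_desc=int(data["AlertDesc"]), error_state=int(data["ErrorState"])))
    return sorted(alerts, key=lambda a: a.time)

def summarize(alerts: list[SchannelAlert], max_jitter_s: float = 5.0) -> dict:
    """Group by (AlertDesc, ErrorState) and flag groups whose inter-arrival gaps all sit
    within max_jitter_s of the median: a client retrying on a timer, not sporadic users."""
    groups: dict[tuple[int, int], list[SchannelAlert]] = {}
    for a in alerts:
        groups.setdefault((a.alert_desc, a.error_state), []).append(a)
    summary = {}
    for key, evs in groups.items():
        gaps = [(b.time - a.time).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps) if gaps else None
        periodic = len(gaps) >= 2 and all(abs(g - med) <= max_jitter_s for g in gaps)
        summary[key] = {"count": len(evs), "alert": evs[0].alert_name,
                        "median_interval_s": med, "periodic": periodic}
    return summary

def describe_eventlogging(value: int) -> list[str]:
    """Decode the EventLogging registry DWORD (1 = errors only, 7 = verbose, 0 = off)."""
    names = [name for bit, name in EVENTLOGGING_BITS.items() if value & bit]
    return names or ["nothing logged"]

def _event(record_id: int, system_time: str, alert: int, state: int) -> str:
    """Build one constructed <Event> in the shape Event Viewer's XML view uses."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<Provider Name="Schannel" Guid="{{1F678132-5938-4686-9FDC-C8FF68F15C85}}" />'
            f'<EventID>36888</EventID><Level>2</Level><TimeCreated SystemTime="{system_time}" />'
            f'<EventRecordID>{record_id}</EventRecordID><Channel>System</Channel>'
            f'<Computer>srv01.example.test</Computer></System><EventData>'
            f'<Data Name="AlertDesc">{alert}</Data><Data Name="ErrorState">{state}</Data>'
            f'</EventData></Event>')

# Constructed sample: one 10/1203 alert every 60 s (a scripted client) plus a lone 10/1207.
SAMPLE_XML = "".join([
    _event(9301, "2012-06-28T12:30:11.8012455Z", 10, 1203),
    _event(9302, "2012-06-28T12:31:11.8019991Z", 10, 1203),
    _event(9303, "2012-06-28T12:32:11.8030002Z", 10, 1203),
    _event(9304, "2012-06-28T12:33:11.80Z", 10, 1203),
    _event(9305, "2012-06-28T12:32:40.5Z", 10, 1207),
])

if __name__ == "__main__":
    for (desc, state), info in summarize(parse_events(SAMPLE_XML)).items():
        print(f"AlertDesc={desc} ({info['alert']}) ErrorState={state}: {info['count']} events, "
              f"median gap {info['median_interval_s']} s, periodic={info['periodic']}")
    print("EventLogging=7 logs:", ", ".join(describe_eventlogging(7)))
```

A group flagged periodic is worth matching against connection logs (as the TcpLogView post did) before the event is silenced; a group that is not periodic is more consistent with the occasional wrong-protocol client described in the accepted answer.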


Several users are reporting that their Event Viewer is filled with Schannel errors carrying the same message: The following fatal alert was generated 10: The internal error state is 10. This particular error is mainly encountered on Windows Server versions.

The following fatal alert was generated: 10. The internal error state is 10.

Note: Schannel is one of the Security Support Providers. All Windows operating system versions implement the TLS/SSL protocols in a dynamic-link library (DLL) called Schannel, which is supplied with the operating system. Schannel errors are quite common and are considered more of a security feature than a failure.

We investigated this particular error by looking at various user reports and the methods that they used to get the issue resolved. As it turns out, there are several scenarios that will end up triggering this particular error log:

  • Lots of non-SSL requests are flooding the IIS (Internet Information Services) HTTPS – It’s very likely that the error appears because the system is dealing with a lot of non-SSL requests, which forces Schannel to log them as errors.
  • The errors are triggered by SSLv3 communications – This is known to occur when cold clients are trying to connect to the network or when there are network issues between the clients and the RDP server.
  • Failed connection through port 3389 – This type of failure is correlated with reset TCP connections. It might occur when someone is attempting to connect and log in through port 3389 and fails the system security.
  • One or more certificates are expired – If you’re encountering this issue on a server that acts purely as a Domain controller, it’s possible that you’re seeing this error because you need to update your security certificates.
  • Security toolbar is inspecting Schannel’s TLS traffic – This scenario is known to occur with certain security toolbars, anti-malware programs, and several AV suites. If this is the case, the errors should be considered transient.
  • User tries to access a web site using HTTP using an SSL port – If the client is trying to use the wrong port or the wrong protocol to access a site, an event of this kind is logged.

If you’re struggling to resolve this particular issue and prevent your Event Viewer from being filled with Schannel errors, this article provides a collection of troubleshooting steps. Below you have several methods that other users in a similar situation have used to get the issue resolved.

For the best results, follow the methods below in order that they are presented until you encounter a fix that is effective in your particular scenario.

Method 1: Uninstalling programs that might be triggering the error

Several users who encountered this issue while trying to set up Outlook using Outlook Anywhere have reported that, for them, the issue was caused by a ‘security toolbar’. As it turns out, such toolbars might be inspecting Schannel’s TLS traffic, which might end up triggering the ‘The following fatal alert was generated 10: The internal error state is 10’ error.

If you think this scenario is applicable to your current situation, you might be able to resolve the issue by uninstalling the 3rd party security software / AV toolbar via Add/Remove Programs. Here’s a quick guide on how to do this:

  1. Press Windows key + R to open up a Run dialog box. Then, type “appwiz.cpl” and press Enter to open up the Programs and Features window.
    Run dialog: appwiz.cpl
  2. Inside Programs and Features, look for the security toolbar that you suspect is inspecting the Schannel TLS traffic and uninstall it by right-clicking on it and choosing Uninstall.
    Uninstalling the security toolbar
  3. Follow the on-screen prompts to complete the uninstallation. Once the process is complete, restart your computer and see if the issue has been resolved at the next startup.

If you’re still seeing the same ‘The following fatal alert was generated 10: The internal error state is 10’ Schannel errors, move down to the next method below.

Method 2: Allowing Local Activation Security Check Exemptions (if applicable)

Some users reported that they managed to resolve the issue after enabling a certain policy using the Group Policy Editor. But keep in mind that this method will not be applicable if you’re trying to replicate the steps on a Windows version that doesn’t include the Group Policy Editor.

Note: The Group Policy Editor can be installed on Windows 10 Home editions, which do not include it by default.

When you are ready to use the Group Policy Editor, follow the steps below:

  1. Press Windows key + R to open up a Run dialog box. Then, type “gpedit.msc” and press Enter to open up the Group Policy Editor.
    Run dialog: gpedit.msc
  2. Inside the Group Policy Editor, use the left-hand pane to navigate to the following location:
    Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility
  3. Then, set the state of the “Allow local activation security check exemptions” policy to Enabled.
    Enabling the “Allow Local Activation Security Check Exemptions” policy
  4. Close the Group Policy Editor and restart your computer. At the next startup, see if the issue has been resolved by opening the Event Viewer.

If you’re still seeing ‘The following fatal alert was generated 10: The internal error state is 10’ Schannel-originating errors, move down to the next method below.

Method 3: Disabling Schannel event logging

On older Windows versions, the value for Schannel event logging is 0x0000, which means that no Schannel events are logged. On newer Windows versions, however, the operating system automatically logs every Schannel event unless specifically told not to do so.

Several users encountering the ‘The following fatal alert was generated 10: The internal error state is 10’ error have reported that the issue was resolved entirely after they navigated to the Registry associated with Schannel and set its value so that event logging is disabled.

Warning: This method should only be followed if you are confident that the errors are transient (this is often the case with Schannel errors). Keep in mind that the method below will not treat the cause of the issue. It will simply instruct your system to stop logging the errors in the Event Viewer.

If you want to prevent your system from logging Schannel errors, you’ll need to disable Schannel logging via the Registry Editor. Here’s a quick guide on how to do this:

  1. Press Windows key + R to open up a Run dialog box. Then, type “regedit” and press Enter to open Registry Editor.
    Run dialog: regedit
  2. Inside the Registry Editor, use the left-hand pane to navigate to the following location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. Once you get there, move over to the right-hand pane and double-click on EventLogging.
    Navigating to the location of EventLogging

    Note: If you don’t have an EventLogging value, go to the Edit menu and choose New > DWORD (32-bit) Value. Then, name it EventLogging and hit Enter to save the newly created value.

  4. Next, set the Value data of the EventLogging DWORD to 0 or 0x0000 (this means that the errors will no longer be logged). Then, make sure that the Base is set to Hexadecimal and click OK to save the changes you’ve just made.
    Disabling EventLogging for SCHANNEL
  5. Close Registry Editor and restart your computer. Starting with the next startup, you should no longer notice ‘The following fatal alert was generated 10: The internal error state is 10’ errors piling up in your Event Viewer.

Kevin Arrows

A case involving the certificate for RD Gateway.

This time the case is a small one, but interesting. One of our clients asked me to set up remote access to an application on a secondary server. Armed with tea and my checklist (which I regularly peek at myself), I got to work. The main part of the work was done in under 40 minutes. Everything was configured, the certificate was issued, and the RemoteApp application was published as an .rdp file. However, I could not get access to the RemoteApp application through RD Gateway. The error clearly pointed to a problem with the certificate on the RD Gateway server. In the RD Gateway Manager snap-in I saw the following picture:

[Image: rdgcert2]

I tried once more to forcibly assign the required certificate, but that produced no result.

[Image: rdgcert3]

Studying the error log revealed the following error:

Event ID: 103
Task Category: (1)
Level: Critical
User: NETWORK SERVICE
Computer: brok-rodc-01
Description:
The Remote Desktop Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using RD Gateway Manager. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. The following error occurred: "2148081675".

This is what helped solve the problem: the error explicitly pointed to insufficient permissions for the NETWORK SERVICE account. I opened the "Certificates" snap-in for the local computer account (meaning the RD Gateway server, so it would be more correct to say the server's account) and went to the personal certificates. I selected the certificate I needed and, via the context menu, got to "Manage Private Keys". The following surprise awaited me there:

[Image: rdgcert1]

The NETWORK SERVICE account was not in the ACL, which is why it was not getting access. After I added this account and gave it the necessary rights, everything worked. The only thing that bothered me was an unfamiliar account, which I deleted. From its number I understood that it was not a user account but a so-called "well-known SID", which TechNet confirmed:

SID: S-1-5-5-X-Y
 Name: Logon Session
 Description: A logon session. The X and Y values for these SIDs differ for each session.

Anyone interested can read more about it here. As I understand it, many things have such a SID, including the Desktop; usually this SID is deleted on logoff.

It remains unclear why the required rights had not been set for NETWORK SERVICE.

P.S. As for a domain environment, when the certification authority runs in Enterprise mode, there may be a problem issuing the certificate when the CA snap-in has no "Web Server" template. To fix this you need to open the Certificate Templates Console and publish the certificate in AD. Also, don't forget to grant the Authenticated Users group the Enroll right on the Security tab there.

P.S.#2 In this scenario, both in a domain and outside a domain environment, the following Schannel error begins to appear:

Log Name: System
Source: Schannel
Event ID: 36888
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 1203.

As I understood from the documentation, the error is generated by IIS when a client tries to connect over HTTP instead of HTTPS. Possibly it is somehow related to the certificate having SAN fields, but Microsoft suggests disabling Schannel error logging. If I figure it out I will update the article.
