- Remove From My Forums
schannel — EventID 36888 — fatal alert 40 — error state (1205,1207, etc)
-
Question
-
In response to the recent SSL 3.0 vulnerabilities, we have been locking down SSL settings on IIS servers. As a result (not surprisingly) we are seeing more schannel errors in the event log.
I understand that many of these are just «noise» and that schannel logging can be disabled via a registry setting, however we are wondering if the error codes will tell us which cypher they were attempting to use, so we can determine if our SSL
settings are acceptable, or too restrictive.I found a reference that describes what the fatal alert codes mean (i.e. 40 = TLS1_ALERT_HANDSHAKE_FAILURE) — but I cannot find a reference code for the internal error states (1203, 1205, 1207). Can anyone point me towards such a reference?
Alternatively, here is a sampling of the schannel errors — do any of them indicate a SSL configuration problem on the server side?
EVENT ID 36888
- The following fatal alert was generated: 40. The internal error state is 1207.
- The following fatal alert was generated: 40. The internal error state is 1205.
- The following fatal alert was generated: 10. The internal error state is 1203.
- The following fatal alert was generated: 20. The internal error state is 960.
EVENT ID 36874
- An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection
request has failed. - An TLS 1.1 connection request was received from a remote client application, but none of the cipher suites supported
by the client application are supported by the server. The SSL connection request has failed - An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection
request has failed. - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection
request has failed.
EVENT ID 36887
- The following fatal alert was received: 46.
-
Edited by
Monday, October 27, 2014 2:46 PM
removed footer message
SQL Server 2014 Developer SQL Server 2014 Enterprise SQL Server 2014 Standard SQL Server 2012 Developer SQL Server 2012 Enterprise SQL Server 2012 Standard SQL Server 2008 R2 Developer SQL Server 2008 R2 Enterprise SQL Server 2008 R2 Standard SQL Server 2008 Developer SQL Server 2008 Enterprise SQL Server 2008 Standard More…Less
Symptoms
When you use AlwaysOn Availability Group, Database Mirroring, or Service Broker in Microsoft SQL Server, the encrypted endpoint communication with Transport Layer Security (TLS) protocol version 1.2 fails. Additionally, you receive the following error message in the SQL Server Error log:
Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56.
The windows event log will report the following SChannel error:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Cause
The endpoint communication in SQL Server doesn’t support TLS protocol version 1.2.
Resolution
This issue is fixed in recent versions of SQL Server. The list of SQL Server versions that support TLS protocol version 1.2 is available in the following article in the Microsoft Knowledge Base:
3135244 TLS 1.2 support for Microsoft SQL Server
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the «Applies to» section.
References
Learn about the terminology that Microsoft uses to describe software updates.
Need more help?
null
При неудачном подключении к LDAPs определить причину проблемы со стороны клиента крайне затруднительно по причине «информативности» вывода:
ld = ldap_sslinit("DC.domain", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DC.domain.
Имея доступ к журналу событий System (Event viewer) на контроллере домена можно определить причину (коих может быть великое множество).
В данной заметке раскажу про часто встречающуюся проблему после конфигурации LDAPS, а именно ошибку аутентификации в Secure Channel (Schannel)
Log Name: System Source: Schannel Date: 21.01.2016 12:28:12 Event ID: 36874 Task Category: None Level: Error Keywords: User: SYSTEM Computer: DC.domain Description: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Проблема заключается в том, что по умолчанию TLS 1.2 отключен на стороне сервера.
Конкретно в Вашем случае отключено может быть что угодно (SSL…,TLS….).
Соединение не удается и следом за Event ID: 36874 следует:
Log Name: System Source: Schannel Date: 21.01.2016 12:28:12 Event ID: 36888 Task Category: None Level: Error Keywords: User: SYSTEM Computer: DC.domain Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Решение
Решением является включение TLS 1.2.
Оперативно это можно выполнить через правку реестра путем создания ключа TLS 1.2ClientDisabledByDefault в ветке реестра HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2ClientDisabledByDefault
Значение ключа DisabledByDefault должно быть выключено (1). 
В случае проблем не с TLS 1.2 действия аналогичны. Более подробно параметры реестра для SCHANNEL можно посмотреть здесь.
I have a peculiar problem where a c# app works on all other machines and other client machines I have tested. But does not establish a connection on my clients Windows Server 2012 hosted by his ISP. This app have been working up to about 2 days ago on this machine according to my client and uses .Net4.5.2. I have no idea what changed the last couple of days unfortunately.
What I have tested on this machine:
- Using Chrome the url works
- Using Edge the url works
- hitting the URL with curl works
- Using IE11 the url does not work
- Using our app does not work
- Using a quick test app does not work
This is the same no matter what settings I change on the server or in the app.
Error from my app:
AuthResponse is null: False
AuthResponse ErrorException: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at RestSharp.Http.WriteRequestBody(HttpWebRequest webRequest)
at RestSharp.Http.PostPutInternal(String method)
at RestSharp.Http.AsPost(String httpMethod)
at RestSharp.RestClient.DoExecuteAsPost(IHttp http, String method)
at RestSharp.RestClient.Execute(IRestRequest request, String httpMethod, Func`3 getResponse)
AuthResponse ErrorMessage: The request was aborted: Could not create SSL/TLS secure channel.
Error from IE11:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Errors From Event Viewer:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
There are a lot of these errors in event viewer, I just copied three of them in case they are actually relevant.
What I have tried:
I used IISCrypto to change and configure all manner of settings and testing in between. All with the same results. I have modified my app with quite a few changes I have found by searching all with the same results as well. Some of the code changes I made below:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
ServicePointManager.Expect100Continue = true;
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
This is not all the changes I tried. I tried all kinds of different variations as well such as only tls1.2. I have used my little test app as well to connect to other https sites like google and my other rest service and no error is reported on this machine.
Our Auth server uses Lets Encrypts certificates and uses OAth and only accepts tls2.1. I have hit another REST Api that we use that also use Lets Encrypt and that is working. I don’t know if I need to update the certificate store (if that is possible), or if there is a setting I’m missing. I’m honestly at a loss here.
Test app source if that helps at all:
static async Task test(string url)
{
// Call asynchronous network methods in a try/catch block to handle exceptions.
try
{
HttpClient httpClient = new HttpClient();
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
var result = await httpClient.GetAsync(url);
MessageBox.Show(result.StatusCode.ToString());
}
catch (HttpRequestException e)
{
MessageBox.Show(e.ToString());
}
}
User-1700775420 posted
my webserver unable to handshake with A10 Load Balancer. as traced through wire shark, the connection from A10 LB getting reset by my webserver immediately after received Client Hello from A10 LB. both end the TLS 1.2 enabled and already set the required Cipher
suites. even I already used NARTAC software to apply the recommended TLS and Ciphers setting.
but issue still not resolved. below two error I found in event viewer. please help to guide me to resolve this issue
Event ID : 36874 — An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Event ID : 36888 — A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Wireshark Trace :
Frame 1715: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface DeviceNPF_{AF37DEDF-E8F9-475A-B504-8FFCE3B723D3}, id 0 Ethernet II, Src: Vmware_9c:21:ad (00:50:56:9c:21:ad), Dst: MS-NLB-PhysServer-31_a0:00:00:09 (02:1f:a0:00:00:09) Internet
Protocol Version 4, Src: XXX.XXX.XXX.39, Dst: XXX.XXX.XXX.79 Transmission Control Protocol, Src Port: 443, Dst Port: 13446, Seq: 1, Ack: 115, Len: 0 Source Port: 443 Destination Port: 13446 [Stream index: 27] [TCP Segment Len: 0] Sequence number: 1 (relative
sequence number) Sequence number (raw): 1957420587 [Next sequence number: 1 (relative sequence number)] Acknowledgment number: 115 (relative ack number) Acknowledgment number (raw): 1333508135 0101 …. = Header Length: 20 bytes (5) Flags: 0x014 (RST, ACK)
000. …. …. = Reserved: Not set …0 …. …. = Nonce: Not set …. 0… …. = Congestion Window Reduced (CWR): Not set …. .0.. …. = ECN-Echo: Not set …. ..0. …. = Urgent: Not set …. …1 …. = Acknowledgment: Set …. …. 0… = Push: Not
set …. …. .1.. = Reset: Set [Expert Info (Warning/Sequence): Connection reset (RST)] [Connection reset (RST)] [Severity level: Warning] [Group: Sequence] …. …. ..0. = Syn: Not set …. …. …0 = Fin: Not set [TCP Flags: ·······A·R··]
Window size value: 0 [Calculated window size: 0] [Window size scaling factor: 256] Checksum: 0x5792 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 [SEQ/ACK analysis] [This is an ACK to the segment in frame: 1714] [The RTT to ACK the segment was:
0.002502000 seconds] [iRTT: 0.000587000 seconds] [Timestamps] [Time since first frame in this TCP stream: 0.003095000 seconds] [Time since previous frame in this TCP stream: 0.002502000 seconds]
Добрый день!
В наличии Microsoft Exchange Server 2013 CU8 с установленным на нем СКЗИ «КриптоПро CSP» 3.9 (лицензионный). У почтовика есть веб-интерфейс для работы с почтой — Outlook Web Access (версия среды CLR .NET v4.0). При попытке подменить в IIS Windows-сертификаты на ГОСТовские начальная страница и OWA открываются, но после ввода логина и пароля выскакивает «;) что то пошло не так», а в журнале «Приложение» в огромном количестве фиксируются следующие ошибки:
Имя журнала: Application
Источник: MSExchange Front End HTTP Proxy
Дата: 25.03.2015 23:45:08
Код события: 1003
Категория задачи:Core
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: Н/Д
Описание:
[Owa] An internal server error occurred. The unhandled exception was: System.NotSupportedException: Алгоритм ключа сертификата не поддерживается.
в System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
в Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClass8.<OnBeginRequest>b__7()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
В Exchange Server 2010 (версия среды CLR .NET v2.0) с которого мигрировала наша компания HTTPS по ГОСТовским сертификатам отлично работал. А сейчас вылетает ошибка «алгоритм ключа сертификата не поддерживаетеся».
На форуме Microsoft предложили дополнительно на сервер поставить КриптоПро .NET. Поставил, перезагрузился. Теперь после ввода имени пользователя и пароля в OWA появляется страница со следующим содержимым:
Ошибка сервера в приложении ‘/owa’.
Ссылка на объект не указывает на экземпляр объекта.
Описание: Необработанное исключение при выполнении текущего веб-запроса. Изучите трассировку стека для получения дополнительных сведений о данной ошибке и о вызвавшем ее фрагменте кода.
Сведения об исключении: System.NullReferenceException: Ссылка на объект не указывает на экземпляр объекта.
Ошибка источника:
Необработанное исключение при выполнении текущего веб-запроса. Информацию о происхождении и месте возникновения исключения можно получить, используя следующую трассировку стека исключений.
Трассировка стека:
[NullReferenceException: Ссылка на объект не указывает на экземпляр объекта.]
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +671
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +2507
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +19
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +402
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1879
Microsoft.Exchange.HttpProxy.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e() +689
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate) +40
Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler) +376
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method) +126
[AggregateException: Произошла одна или несколько ошибок.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +1062
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +282
Информация о версии: Платформа Microsoft .NET Framework, версия:4.0.30319; ASP.NET, версия:4.0.30319.34212
При этом в журнале «Система» регистрируются в огромном количестве следующие 2 события:
Имя журнала: System
Источник: Schannel
Дата: 26.03.2015 23:42:15
Код события: 36874
Категория задачи:Отсутствует
Уровень: Ошибка
Ключевые слова:
Пользователь: СИСТЕМА
Описание:
Получен запрос на подключение TLS 1.0 от удаленного клиентского приложения, но ни один из поддерживаемых этим приложением комплектов шифров не поддерживается сервером. Запрос на подключение SSL завершился с ошибкой.
Имя журнала: System
Источник: Schannel
Дата: 26.03.2015 23:42:15
Код события: 36888
Категория задачи:Отсутствует
Уровень: Ошибка
Ключевые слова:
Пользователь: СИСТЕМА
Описание:
Оповещение о неустранимой ошибке было создано и отправлено удаленной конечной точке. Это может привести к разрыву соединения. Определенный в протоколе TLS код оповещения о неустранимой ошибке: 40. Состояние ошибки Windows SChannel: 1205.
В журнале «Приложение»:
Имя журнала: Application
Источник: MSExchange Front End HTTP Proxy
Дата: 26.03.2015 23:44:56
Код события: 1003
Категория задачи:Core
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: Н/Д
Описание:
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Ссылка на объект не указывает на экземпляр объекта.
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
Имя журнала: Application
Источник: ASP.NET 4.0.30319.0
Дата: 26.03.2015 23:44:56
Код события: 1309
Категория задачи:Web Event
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: Н/Д
Описание:
Event code: 3005
Event message: Возникло необработанное исключение.
Event time: 26.03.2015 23:44:56
Event time (UTC): 26.03.2015 18:44:56
Event ID: 7fab21f1396b4e839d44494ef2061f00
Event sequence: 132
Event occurrence: 117
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-3-130718689387844346
Trust level: Full
Application Virtual Path: /owa
Application Path: C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowa
Machine name: XXXXXXXX
Process information:
Process ID: 2684
Process name: w3wp.exe
Account name: NT AUTHORITYСИСТЕМА
Exception information:
Exception type: NullReferenceException
Exception message: Ссылка на объект не указывает на экземпляр объекта.
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)
Request information:
Request URL: https://localhost:443/OWA/auth.owa
Request path: /OWA/auth.owa
User host address: 127.0.0.1
User: POFOMSHealthMailbox6183c25
Is authenticated: True
Authentication Type: Basic
Thread account name: NT AUTHORITYСИСТЕМА
Thread information:
Thread ID: 64
Thread account name: NT AUTHORITYСИСТЕМА
Is impersonating: False
Stack trace: в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)
На форуме Microsoft утверждают, что «виновато» программное обеспечение КриптоПро и что в КриптоПро есть некие настройки, изменив которые все (HTTPS в OWA по ГОСТовскому сертификату) чудесным образом заработает. Так ли это? И если это так, то что и где следует мне настроить?