A fatal error occurred while creating a TLS client credential (Schannel 36871)

Schannel 36871 on Windows 10

Good day, dear readers and guests of the large IT blog Pyatilistnik.org. Last time we learned how to repair hardware in Windows that reported the error status "This device cannot start. (Code 10)". Moving on, we will look at a situation where the event logs on your computer or server record the error "Schannel ID 36887: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40". We will consider how critical these events are and whether they deserve your attention.

Description of the Schannel 36887 error

So, I was optimizing my RDS farm; for those who do not remember, in my previous post I removed inactive TS ports. After that optimization I rebooted the RDSH server and started monitoring for new and old errors. My attention was drawn to an error in the Windows System event log.


What Secure Channel is

Schannel stands for Secure Channel: a library and Security Support Provider (SSP) that implements a set of security protocols providing authenticated, encrypted communication. The package is used by any software that relies on the built-in SSL and TLS stack, including IIS, Active Directory, OWA, Exchange, Internet Explorer and Windows Update.

How to get rid of the Schannel 36887 error


Next we need to find out which process this is. To do so, open a command prompt or a PowerShell window and enter the command:

The result is a filtered list of all processes whose PID contains 696. It turns out that PID 696 belongs to lsass.exe, a Windows system process, but it could just as well be another process, for example GeForce Experience, and removing or updating that process would get rid of error 36887. In my case, though, it is lsass.exe. Keep in mind that PIDs are reused: the process that owns the PID now is only the culprit if it was already running when the event was written, so compare the event time with the process start time.
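One way to do the PID-to-process lookup against the live event log rather than a screenshot, as an added PowerShell example that is not part of the original post. It assumes the events are in the System log under the provider name Schannel and that the logging process is still running; the PID reuse check is the reason the process start time is reported next to the event time.

```powershell
# Added example; not code from the original post. Maps Schannel error events to
# the process that logged them. Assumes the events are in the System log under
# the provider name "Schannel" (as in the blog's screenshots).
function Get-SchannelErrorProcess {
    param(
        [int[]]$EventId = @(36871, 36887),
        [int]$MaxEvents = 200
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventLogRecord.ProcessId is the PID of the process that called Schannel.
        $proc = $null
        if ($e.ProcessId) {
            $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
        }
        # A process that started after the event was logged is a PID reuse,
        # not the real culprit, so report both timestamps.
        $start = $null
        if ($proc) { try { $start = $proc.StartTime } catch { $start = $null } }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Id           = $e.Id
            ProcessId    = $e.ProcessId
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            ProcessStart = $start
            PidReused    = ($null -ne $start -and $start -gt $e.TimeCreated)
            Message      = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Which processes are producing the noise: lsass.exe, a browser, a vendor
# updater such as GeForce Experience, ...
Get-SchannelErrorProcess |
    Where-Object { -not $_.PidReused } |
    Group-Object Id, ProcessName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it in an elevated shell so that Get-Process can read the start time of system processes such as lsass.exe; events whose process has already exited show up as <exited> and can only be attributed from the event time and the Windows Security process-creation audit, if that is enabled.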


I started looking for a pattern in this server's behaviour and found one. I now know exactly when these Schannel events occur: only when I try to establish a secure connection to the online banking service of one particular bank. They do not occur when I make a secure connection to any other online service. It looks like something goes wrong during the SSL/TLS handshake. In that case you can go one of two ways:

The proper method

While you are talking to the bank's client-bank support, you can disable logging of this event in the Windows registry. To do this, open the key:

  • 0: do not log
  • 1: log error events
  • 2: log warning events
  • 4: log informational and success events

The EventLogging value is a bitmask, so 3 logs errors and warnings together and 7 logs everything. Setting it to 0 silences every Schannel error event, including those that report real certificate or credential problems on the host; a narrower option is to leave the value at 1, the documented default, and filter these particular events out in Event Viewer or your SIEM while the bank investigates.

After the registry change, a reboot of the computer or server may be required.


The cruder method

To stop Schannel ID 36887 events from appearing, open Internet Explorer 11 and go to "Internet Options".


Then go to the "Advanced" tab and clear the "Use TLS 1.2" option, which is not quite right from a security standpoint: the setting is system-wide for Internet Explorer, so every site, not just the bank, is negotiated with the older TLS 1.0 or 1.1. Restart the browser and use your client-bank.

Build 19592 Schannel Event ID 36871

Noticed a lot of Schannel errors since installing the update on my notebook. The message is:

There hasn’t been anything new installed.

Sony Vaio SVS1512Z9EB. The HDD is installed in place of the DVD and is my second system. The main system is on a 1GB SSD, current public build.


Try the solution offered here.


thank you for the reply. I had read both threads before posting and tried the second, with no change.

Thought the first one related to Servers only. Will try when I get a chance this afternoon.

Remember this happening on one of my PC’s before, where I was told to ignore it and hide the Schannel errors in Event Viewer!

My name is John H Batie. During the time when Gabe Aul and I were communicating I created the first updates for the «Hash» registry file «Schannel.» These changes I made are working very well; if you would like a copy, I can only e-mail the copy.

You can’t e mail people on the forum.

Information found in these Microsoft Docs may be of help in determining/resolving the issue with Schannel Errors.

Do not give your email address to anyone online that you do not personally know.

You may post the details to this thread which will help members facing the same issue. Thank you.

Edit: Been done in past for log files.


Thanks, I don’t give my address to anyone.

In regards to the problem, checked all my Insider PC’s and the settings mentioned in the both links are all identical. Some of them are not configured at all. This is why I’m sure they are for Server/Clients.

The problem must lay elsewhere.

The Public install on the Vaio has the same settings — no error messages

Smart not to give it out.

More information on Event ID 36871:

Scroll down to read the details regarding Error 36871 in this Microsoft Document. It does state, «This is an erroneous Event Log entry. You can safely ignore this message. To prevent this log entry you must supply a certificate to the SMTP site.»

I have been dealing with this situation since the last flight 19587.1000.rs.

I have found out through trial and error that yes, it is server/client somewhere.

BUT I have also noticed that every time I opened Computer Management to check the event viewer. It would take around 2+ minutes to populate the history of events. When I double clicked any 1 of those events for details it would take 1+ minutes till the display of said details. I have read that this flight was compiled using AI. I have reported this error using the Feedback Hub with no reply as of yet.


Error detail: System Error, Schannel, event id 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

Microsoft needs to check/fix this. There are some computer services that I could not adjust/start/stop at all.

Schannel Events

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows 8

This topic for IT professionals lists the event details for the Secure Channel (Schannel) security support provider, and it describes the actions available to you to resolve problems.

To configure event logging for this provider, see How to enable Schannel event logging.

Event ID 36886: No Suitable Default Server Credential Exists on This System

How to enable Schannel event logging

You can use this registry setting to enable the logging of client certificate validation failures, which are events generated by the Schannel security support provider. Logging of client certificate validation failures is a secure channel event, and it is not enabled on the server by default.

The logging of rejected or discarded authentication events is enabled by default.

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

You can enable additional secure channel event logging by changing the EventLogging registry value under that key from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003).

The Schannel Security Package has Loaded Successfully

This event is logged first whenever the Schannel.dll is successfully loaded into memory on the client computer or server. If it is unsuccessful, Event ID 36866: The Schannel Security Package Has Failed to Load will be logged.

Details

Product: Windows operating system

The cryptographic subsystem is composed of a software library that contains one or more independent cryptographic service providers (CSP). These providers implement cryptographic algorithms and standards. To load successfully, they must be digitally signed and the signature must be verified.

If a CSP cannot be accessed or fails to load during the authentication process, for whatever reason, the process will stop.

Version: 6.2. Message type: Error.

The Schannel Security Package Has Failed to Load

This event is logged when the Schannel.dll fails to load into memory on the client computer or server. If successful, Event ID 36864: The Schannel Security Package has Loaded Successfully will be logged.

Source: Windows operating system

Investigate whether enough memory is available to load Schannel.dll and all the dependent files.

Creating an SSL (client or server) Credential

Version: 6.2. Message type: Informational.

The SSL (client or server) Credential’s Private Key Has the Following Properties

The client computer sends a client key exchange message after computing the premaster secret that uses the two random values that are generated during the client hello message and the server hello message. Before it is transmitted to the server, the premaster secret is encrypted by the public key from the server’s certificate. Both computers compute the master secret locally and derive the session key from it.

If the server can decrypt this data and complete the protocol, the client computer is assured that the server has the correct private key. This step is crucial to prove the authenticity of the server. Only the server with the private key that matches the public key in the certificate can decrypt this data and continue the protocol negotiation.

The client key exchange message includes the client computer’s protocol version and the premaster secret.

  • CSP name
  • CSP type
  • Key name
  • Key type
  • Key flags

The SSL (client or server) Credential’s Certificate Does Not Have a Private Key Information Property Attached to it

The handshake protocols of TLS/SSL are responsible for establishing or resuming secure sessions. One of the goals of the handshake process is to authenticate the server to the client computer, and optionally, authenticate the client to the server through certificates and public or private keys.

In private (symmetric) key encryption, the same key is used to encrypt and decrypt the message. If two parties want to exchange encrypted messages securely, they must both possess a copy of the same symmetric key.

Frequently, this issue occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

This event can indicate that there is a problem with the server certificate on the system that is logging the event. The error is typically logged when a service (for example, LSASS on a Domain Controller) has attempted to load and verify the private and public key pair of the server certificate and that either of these operations has failed which makes the service unable to use that certificate for SSL encryption.

  • Incorrect ACLs on the MachineKeys folder on the system disk
  • The server certificate failed revocation checking
  • The system account was unable to download any of the CRLs that are stamped on the certificates in the certificate chain
  • The system cannot build a certificate chain up to a trusted root CA for the server certificate
  • The server certificate was in a format that is not usable by the component, for example the Subject or the Subject Alternative Name (SAN) of the certificate does not contain a DNS name that matches the DNS name of the domain controller
  • The server certificate has expired
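The conditions in that list can be checked from the machine itself before a service such as LSASS trips over them. The following is an added PowerShell example, not part of the Microsoft documentation quoted above: it walks the computer's personal certificate store and reports, per certificate, whether a private key is attached, whether the chain builds with online revocation checking, whether the name matches, and whether it is within its validity period. It assumes the service presents the computer's own FQDN (as a domain controller does); pass -ExpectedDnsName for anything else. The ACL on the MachineKeys folder is a separate check with Get-Acl and is not covered here.

```powershell
# Added example; not from the documentation above. Reports the conditions that
# make a server certificate unusable for Schannel. Assumes the expected name
# is this host's FQDN unless -ExpectedDnsName is given.
function Test-SchannelServerCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = New-Object System.Collections.Generic.List[string]

        # "Does Not Have a Private Key Information Property Attached"
        if (-not $cert.HasPrivateKey) { $problems.Add('no private key attached') }

        # Validity window
        if ($cert.NotAfter -lt $now)  { $problems.Add("expired $($cert.NotAfter.ToString('u'))") }
        if ($cert.NotBefore -gt $now) { $problems.Add('not yet valid') }

        # Server Authentication EKU (only checked when an EKU extension exists)
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)) {
            $problems.Add('no Server Authentication EKU')
        }

        # Name match: DnsNameList (added by the Cert: provider) holds the SAN DNS
        # entries plus the subject CN. -notcontains is case-insensitive.
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        if ($names -notcontains $ExpectedDnsName) {
            $problems.Add("no SAN/CN matching $ExpectedDnsName (has: $($names -join ', '))")
        }

        # Chain build with online revocation checking, as Schannel would do it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object Status | Select-Object -Unique) -join ', '
            $problems.Add("chain/revocation: $status")
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-SchannelServerCertificate | Format-Table -AutoSize
```

A chain status of RevocationStatusUnknown or OfflineRevocation points at the CRL-download cause in the list above; run the script as the account the service uses (for LSASS, an elevated shell is close enough) because proxy and credential settings differ between users and the SYSTEM account.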

This behavior is caused by the SMTP service processing an incoming EHLO command if no certificate is assigned to an SMTP site. This message is logged twice, once when the SMTP service starts, and once when the first EHLO command is received.


Simple Mail Transfer Protocol (SMTP) controls how email is transported and then delivered across the Internet to the destination server. The SMTP EHLO command enables the server to identify its support for Extended Simple Mail Transfer Protocol (ESMTP) commands.

No Suitable Default Server Credential Exists on this System

This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Internet Information Services (IIS), are not affected by this. This is a warning event.

This event is logged when a server application (for example, Active Directory Domain Services) attempts to perform a Secure Sockets Layer (SSL) connection, but no server certificate is found. Server certificates are either enrolled for by hand or are automatically generated by the domain’s enterprise Certification Authority (CA).

Version: 6.2. Message type: Warning.

In domains where an enterprise CA exists, you can either enroll a server certificate manually or configure the domain’s enterprise Certification Authority (CA) to automatically generate the certificate.

No Supported Cipher Suites Were Found When Initiating an SSL Connection

A cipher suite is a collection of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the network protocols encompassed in the Schannel security support provider.

This error message reports that the SSL connection request has failed.

The reason for this is that no supported cipher suites were found when initiating an SSL connection. This indicates a configuration problem with the client application or the installed cryptographic modules.

For information about what cipher suites are available, see Supported Cipher Suites and Protocols in the Schannel SSP.

An SSL Connection Request Was Received From a Remote Client Application, But None of the Cipher Suites Supported by the Client Application Are Supported by the Server

This error message can occur when the client application, such as a web browser, is using a version of the SSL/TLS protocol that is not enabled on the server, so the connection cannot be made.

Investigate the values listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and verify that the protocol versions the client uses are enabled on the server.

The Remote Server Has Requested SSL Client Authentication, But No Suitable Client Certificate Could Be Found

In response to the client hello message, the server requested SSL client authentication. Because the client did not possess a suitable certificate, the connection process will proceed by attempting an anonymous connection. In this scenario, which has security vulnerabilities, both client and server do not get authenticated and no credentials are needed to establish an SSL connection.

The Certificate Received From the Remote Server Has Not Validated Correctly

Certificates are issued with a planned lifetime and explicit expiration date. A certificate may be issued for one minute, thirty years or even more. Once issued, a certificate becomes valid once its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances might cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (for example, when an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key.

This issue occurs because LDAP caches the certificate on the server. Although the certificate has expired and the server receives a new certificate from a CA, the server uses the cached certificate, which is expired. You must restart the server before the server uses the new certificate.

The Certificate Received From the Remote Client Application Has Not Validated Correctly

If this was a self-signed certificate then you would need to import the certificate into the trusted root certificate store. If this certificate was issued from a Certification Authority (CA) then you will need to import the root CA certificate into the trusted root certificate store.

The Certificate Received From the Remote Client Application Is Not Suitable for Direct Mapping to a Client System Account, Possibly Because the Authority that is Issuing the Certificate Is Not Sufficiently Trusted

The negotiated cryptographic parameters are protocol, cipher, cipher strength, MAC, exchange, and exchange strength.

The Certificate Received From the Remote Server Has Expired

The Schannel provider creates the list of trusted certification authorities by searching the Trusted Root Certification Authorities store on the local computer. When Schannel detects a certificate that was issued by an untrusted certification authority, this error is logged.

The Certificate Received From the Remote Server Has Been Revoked

The server certificate contains the name of the server, which must match that which is contained in one of the certificates on the client computer. If the certificate name differs between the fully qualified domain name (FQDN) and the local server name, the connection will fail.

When Asking for Client Authentication, This Server Sends a List of Trusted Certificate Authorities to the Client.

The server uses the Transport Layer Security (TLS)/SSL protocol to encrypt network traffic.

Client certificates are required for authentication during the authentication handshake process.

This list of trusted certification authorities represents the authorities from which the server can accept a client certificate. To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server’s list.


The Schannel provider creates the list of trusted certification authorities by searching the Trusted Root Certification Authorities store on the local computer. Every certificate that is trusted for client authentication purposes is added to the list, which is restricted by size limits. If the size of this list exceeds the maximum in bytes, Schannel logs Warning event ID 36885. Schannel then truncates the list of trusted root certificates and sends the truncated list to the client computer. When the client computer receives the truncated list, it might not hold a certificate that chains to one of the issuers that survived the truncation.

If the server’s certificate was not generated by a CA, one must be individually generated or installed on the server in order for the client computer to connect successfully.

A Fatal Alert Was Received

This alert message indicates this computer received a TLS or SSL fatal alert message from the server it was communicating or negotiating with. The error indicates a state in the communication process, not necessarily a problem with the application. However, the cause could be how the application, such as a web browser, handled the communication.

The desktop app, using SCHANNEL_ALERT_TOKEN, generates a SSL or TLS alert to be sent to the target of a call to either the InitializeSecurityContext (Schannel) function or the AcceptSecurityContext (Schannel) function. The two alert types are warning and fatal. With a fatal error, the connection is closed immediately.

Event Details

Version: 6.2. Symbolic name: SSLEVENT_RECEIVE_FATAL_ALERT.

A Fatal Alert Was Generated

This event indicates that this computer (the computer that logs this event) has detected an error condition and generated a fatal alert to notify the other party about it.
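The alert number inside event 36887 (the "fatal alert was received" event, which the blog post at the top of this page sees with code 40 and the last article with code 42) is a TLS AlertDescription value, and the documentation above does not decode it. The following is an added PowerShell example, not code from the documentation or either article: it maps the number to its name from RFC 5246 and RFC 8446 and summarises recent 36887 events by alert. It assumes the alert number is the first EventData item of the event, with the message text parsed as a fallback.

```powershell
# Added example; not from the documentation above. Decodes the alert number in
# Schannel event 36887 into its TLS AlertDescription name.
$TlsAlertNames = @{
      0 = 'close_notify';            10 = 'unexpected_message';     20 = 'bad_record_mac'
     21 = 'decryption_failed';       22 = 'record_overflow';        30 = 'decompression_failure'
     40 = 'handshake_failure';       41 = 'no_certificate';         42 = 'bad_certificate'
     43 = 'unsupported_certificate'; 44 = 'certificate_revoked';    45 = 'certificate_expired'
     46 = 'certificate_unknown';     47 = 'illegal_parameter';      48 = 'unknown_ca'
     49 = 'access_denied';           50 = 'decode_error';           51 = 'decrypt_error'
     60 = 'export_restriction';      70 = 'protocol_version';       71 = 'insufficient_security'
     80 = 'internal_error';          86 = 'inappropriate_fallback'; 90 = 'user_canceled'
    100 = 'no_renegotiation';       110 = 'unsupported_extension'; 112 = 'unrecognized_name'
    116 = 'certificate_required';   120 = 'no_application_protocol'
}

function Get-TlsAlertName {
    param([int]$Code)
    if ($TlsAlertNames.ContainsKey($Code)) { $TlsAlertNames[$Code] } else { "unknown($Code)" }
}

function Get-SchannelFatalAlert {
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36887
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $code = $null
        # Assumption: the alert number is the first EventData item. Fall back to
        # the trailing number of the rendered message ("...alert code is 40.").
        if ($e.Properties.Count -gt 0 -and "$($e.Properties[0].Value)" -match '^\d+$') {
            $code = [int]$e.Properties[0].Value
        } elseif ($e.Message -match '(\d+)\.?\s*$') {
            $code = [int]$Matches[1]
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            ProcessId   = $e.ProcessId
            AlertCode   = $code
            AlertName   = if ($null -ne $code) { Get-TlsAlertName $code } else { 'unparsed' }
        }
    }
}

# The two codes discussed on this page:
Get-TlsAlertName 40   # handshake_failure: no acceptable parameters (protocol, suite, ...)
Get-TlsAlertName 42   # bad_certificate: the peer rejected the certificate it was sent

# What the remote endpoints have been complaining about, most frequent first.
Get-SchannelFatalAlert |
    Group-Object AlertName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because 36887 records an alert the remote side sent, the name tells you what the peer rejected: handshake_failure (40) means it found no acceptable protocol version or cipher suite in what this host offered, and bad_certificate (42) means it did not accept the certificate this host presented. Both are about the remote endpoint's policy as much as this host's configuration.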

The server is a WSUS and I have SSMS installed to manage WSUS backend.

The error does not give me any detail as to what is causing it to come up. What I am trying to figure out is how can I tell what this error is specifically tied to or what is actually failing.

Any ideas are greatly appreciated.

Windows 10 Schannel error 36871

We recently moved to SCOM 2019 since then we have been receiving the below errors in the System event logs on all of the SCOM management servers.

Event ID: 36871
Event Source: Schannel
Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

kindly assist us on this.

3 Answers

Do you see this event in the System Log? What makes you think that it is related to SCOM? What TLS version is currently configured:

Can you please go over this post and see if this is also helpful:

Please check those out and I am pretty sure that those will help you.

(If the reply was helpful please don’t forget to upvote and/or accept as answer, thank you)
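The documentation sections above on unsupported cipher suites and on the Protocols registry tree, and the answer above that asks which TLS version is configured, all come down to the same inventory. The following is an added PowerShell example, not code from the documentation or from the answer: it reads the Enabled and DisabledByDefault values for each protocol and side under SCHANNEL\Protocols and lists the cipher suites the OS currently offers with the protocol IDs they apply to. Where a protocol key is absent the script reports "OS default" rather than guessing what that default is for the build in question. Get-TlsCipherSuite is assumed to be available (Windows 8.1 / Server 2012 R2 and later).

```powershell
# Added example; not from the documentation or the Q&A above. Inventories the
# Schannel protocol switches and the cipher suites the OS offers.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $ProtocolsKey $p) $side
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $props.Enabled
            $dbd     = $props.DisabledByDefault
            $state = if ($null -eq $props)   { 'OS default (no key)' }
                     elseif ($enabled -eq 0) { 'disabled' }
                     elseif ($dbd -eq 1)     { 'enabled, not offered unless the app asks' }
                     elseif ($null -ne $enabled) { 'enabled' }
                     else                    { 'key present, Enabled not set' }
            [pscustomobject]@{
                Protocol = $p; Side = $side
                Enabled = $enabled; DisabledByDefault = $dbd; State = $state
            }
        }
    }
}

function Get-SchannelCipherSuite {
    # Protocols on each suite are SSPI protocol IDs: 0x0301 TLS 1.0, 0x0302 TLS 1.1,
    # 0x0303 TLS 1.2, 0x0304 TLS 1.3.
    Get-TlsCipherSuite | Select-Object Name,
        @{ n = 'Protocols'; e = { ($_.Protocols | ForEach-Object { '0x{0:X4}' -f $_ }) -join ' ' } }
}

# 1. Protocol switches, one row per protocol and side.
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. Suites that can be used by TLS 1.2 (0x0303); an empty list here is the
#    "no supported cipher suites" condition described above.
Get-SchannelCipherSuite | Where-Object { $_.Protocols -match '0x0303' } | Format-Table -AutoSize
```

Compare the two tables against what the peer offers (its ServerHello or ClientHello in a packet capture): a protocol marked disabled on the side that matters, or no suite shared with the peer for the surviving protocol, is exactly the mismatch that surfaces as the credential and cipher-suite events in this list.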

How to fix the SChannel 36887 error?

When reviewing the event log you may find many Schannel error entries with code 36887, accompanied by the message that a fatal alert with code 42 was received from the remote endpoint. In essence, SChannel is a set of security protocols that implements authentication and protected communication between the participating hosts.

Causes of the error

You may run into the SChannel 36887 error for a number of reasons:

Creating the EventLogging value in the registry

The SChannel 36887 error with code 42 is often attributed to a missing registry value that tells the system how to log such events. In this case, use Registry Editor to create an EventLogging value under the SecurityProviders \ Schannel key. This method is described for Windows Server editions. Note that when the value is absent Schannel already uses its documented default of 1 (log error events), so creating it with value 1 does not change what is logged; it only makes the setting explicit.

Open Registry Editor with the regedit command from the Win + R box. If a User Account Control prompt appears, click "Yes" to grant administrator rights.

In the left pane, navigate to the following location:

Double-click the value you created and set its Value data to 1. Click OK to save the change and reboot the computer.
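The registry step above, the "proper method" in the first article (EventLogging 0 to 7) and the Microsoft note about changing the value from 1 to 3 all edit the same DWORD. The following is an added PowerShell example, not code from any of the articles, that reads the value, decodes it as the bitmask it is, and sets it. It assumes the documented default of 1 applies when the value is absent, and writing to HKLM requires an elevated shell.

```powershell
# Added example; not from any of the articles above. Reads, decodes and sets the
# Schannel EventLogging bitmask. Assumes the documented default of 1 when absent.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$EventLoggingBits = [ordered]@{
    1 = 'errors'
    2 = 'warnings'
    4 = 'informational and success events'
}

function Get-SchannelEventLogging {
    $value = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $value) {
        $value  = 1
        $source = 'default (value absent)'
    } else {
        $source = 'registry'
    }
    $logs = foreach ($bit in $EventLoggingBits.Keys) {
        if ($value -band $bit) { $EventLoggingBits[$bit] }
    }
    [pscustomobject]@{
        Value  = $value
        Source = $source
        Logs   = if ($logs) { $logs -join ', ' } else { 'nothing' }
    }
}

function Set-SchannelEventLogging {
    param([ValidateRange(0, 7)][int]$Value)
    if (-not (Test-Path $SchannelKey)) { New-Item -Path $SchannelKey -Force | Out-Null }
    New-ItemProperty -Path $SchannelKey -Name EventLogging -PropertyType DWord -Value $Value -Force | Out-Null
    Get-SchannelEventLogging
}

# Current state, then the two settings the articles discuss:
Get-SchannelEventLogging
# Set-SchannelEventLogging -Value 3   # errors + warnings, as in the Microsoft note
# Set-SchannelEventLogging -Value 0   # silence everything, as in the "proper method"
```

The two Set- calls are commented out so the script is read-only by default. Prefer 3 over 0 when chasing a handshake problem: the warning events (for example the truncated trusted-CA list described above) are often the missing piece, and 0 hides real credential failures along with the bank's noise. A reboot, or at least a restart of the affected service, may be needed before the change takes effect.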

Removing update KB3161606

One commonly cited cause of the Schannel 36887 error is update KB3161606, which disables TLS 1.0 encryption. That protocol is obsolete, but some applications still use it. To re-enable TLS 1.0, roll back the update and block it from being reinstalled. Bear in mind that this re-enables a deprecated protocol for the whole system, not only for the one application; the durable fix is to get that application onto TLS 1.2.

Open the System Restore wizard with the rstrui command from the Win + R box.

In the first window click "Next", then tick the option to show more restore points.

In the next window click "Finish" to start rolling the system back to the earlier state. The computer will reboot, and every change made after the restore point was created, including KB3161606, will be undone.

If you stop at this step, Windows will automatically reinstall the update, which will disable TLS 1.0 again. To avoid that, hide the update.

To do so, search the internet for "wushowhide.diagcab" and download the update-hiding tool from the official Microsoft site.

Then double-click the tool to open it and click "Advanced" to enable automatic application of fixes.

Go to the next screen, wait for the initial scan to finish, then click "Hide updates". Tick KB3161606 and proceed to the next window. Wait for the operation to complete, then restart the computer.

Removing the ESET antivirus

ESET Endpoint Antivirus is known to block the obsolete TLS 1.0 protocol. If you have programs installed that rely on the old technology, you need to remove ESET. Bear in mind that disabling real-time protection will not help, because the block is applied at the firewall level.

If this fixes the SChannel 36887 error, consider installing a different antivirus or enabling Windows Defender.

Go to "Programs and Features" with the appwiz.cpl command from the Win + R box.

Find ESET Endpoint Antivirus in the list, right-click it and choose "Uninstall".

Then restart the computer and check whether the problem is resolved.
