
Event ID= 36887, Schannel Fatal Alert Error 48


Postby guest » Mon Jan 09, 2012 3:39 pm

I have 2 Exchange Servers with the HUB + Client Access roles running NLB.

Both my Exchange 2010 servers running on Windows 2008 R2 are showing Event ID 36887 errors in the system log. The source is Schannel.

Everything works fine, but the error keeps coming.

I checked, and the workaround solution is to disable the Schannel event logging.

Any help identifying the root cause of this?
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9540
Joined: Mon Nov 27, 2006 1:10 pm

Re: Event ID= 36887, Schannel Fatal Alert Error 48

Postby guest » Mon Jan 09, 2012 3:40 pm

“Schannel” indicates this error was an SSL/TLS problem. Did you configure SSL on this server? If so, please check your SSL settings. You can refer to these articles:

Managing SSL for a Client Access Server
http://technet.microsoft.com/en-us/libr ... 10795.aspx
How to Setup SSL on IIS 7
http://learn.iis.net/page.aspx/144/how- ... -on-iis-7/

Re: Event ID= 36887, Schannel Fatal Alert Error 48

Postby guest » Fri Feb 10, 2012 3:55 pm

We had the same problem.
1. From the IIS log we found it is a Mac user.
2. The Mac Outlook 2011 uses OWA with SSL checked.
3. It logs the same error every 5 minutes.
4. It used to be on our CAS01 and now it is CAS02. It depends on which CAS server is the primary server.

Finally, we found it is his keychain password.

Re: Event ID= 36887, Schannel Fatal Alert Error 48

Postby chicagotech » Sun Apr 08, 2012 8:20 pm

Based on my research, there are many reasons that can cause Event ID 36887. However, for error 48, this should be an SSL/TLS certificate-related issue. This would be caused by no root cert on the client for the certificate chain, or by certificates in the wrong stores on the server machine.

I suggest you check the certificate chain and root CA certificate on your Exchange server. Make sure it's trusted to the root and the server has the intermediate certificates installed. The following resources are for your reference:

Managing SSL for a Client Access Server
http://technet.microsoft.com/en-us/libr ... 10795.aspx

The following fatal alert was received: 48.
http://social.technet.microsoft.com/For ... 7c892e6dad

Schannel Fatal Alert Error 48
http://social.technet.microsoft.com/For ... de99604523

Schannel 36887 Fatal Alert Error 48
http://social.technet.microsoft.com/For ... bc236f6441
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6486
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Event ID= 36887, Schannel Fatal Alert Error 48

Postby chicagotech » Sun Apr 08, 2012 8:20 pm

One of our engineers thinks it has something to do with Mac because we can see this log in IIS:



2012-02-12 00:00:05 10.0.5.215 POST /EWS/Exchange.asmx ;RC:7641e7c6-72ed-4f7f-9480-477e4f37e891;Init>>Conn:0,HangingConn:0,AD:30000/30000/0%,CAS:54000/53985/1%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:Unlimited2003Connections,Norm,Sub:5000/4;[C]Queues:0msec/Execute:0msec;SoapAction=m:GetFolder;Version=1;RpcC=2;RpcL=0;LdapC=0;LdapL=0;End(0ms)>>Conn:1,HangingConn:0,AD:30000/30000/0%,CAS:54000/53985/1%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:Unlimited2003Connections,Norm[Resources:(Mdb)Users+Database+1(Health:-1%,HistLoad:0),],Sub:5000/4; 443 NTDOMAIN\CHERIVAN 76.202.225.2 MacOutlook/14.13.0.110805+(Intel+Mac+OS+X+10.7.2) 200 0 0 484



I have checked all certificate installation and configuration. I don't see any problem and no users have any issues. I will send the event log to you soon.

Re: Event ID= 36887, Schannel Fatal Alert Error 48

Postby chicagotech » Sun Apr 08, 2012 8:20 pm

After checking the Event log you uploaded, I indeed found many errors with Event ID 36887 but without any further details.

Based on my further research, I found that Event ID 36887 usually comes with a fatal alert number. Some of them mean:

10 = TLS1_ALERT_UNEXPECTED_MESSAGE
20 = TLS1_ALERT_BAD_RECORD_MAC
46 = TLS1_ALERT_CERTIFICATE_UNKNOWN
48 = TLS1_ALERT_UNKNOWN_CA

48 errors are probably due to clients not trusting the root CA of the SSL cert issuer. Chances are, either the CA of the certificate the server is using isn't installed as a trusted root/issuer on the client machines connecting to it, or the server isn't sending the full chain to the client. This depends on whether you are using an internal CA or a third party.

Thus, for this problem, we have to determine exactly which particular clients had an issue with their local certificates. However, this requires further network tracing and is hard to identify.

If there are only a few users, you can check whether the clients all have the Root CA Certificate in the Trusted Root Store, in particular for https/OWA clients.

As you mentioned, some Macs may be the culprit. Based on our experience, Macintosh/Mac machines can indeed cause this issue. I suggest you take those Macintosh machines out of the network for a test, in case they were querying the Exchange Server using SSL, then check if the error also appears.

In addition, these Event IDs could also be safely ignored from the server side, as they are caused by clients and will not cause any problem. You can also refer to the following article to set EventLogging to 0x0004, then test if the error still exists.

How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729/en-us


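The client-identification step discussed in this thread (matching the recurring 36887 events to clients seen in the IIS log), as an added example that is not part of the original posts: it ranks each client by how many Schannel events have a request from it within a few seconds. The event times, log lines, addresses and the 10-second window are constructed assumptions, and both logs are assumed to be normalised to UTC.

```python
from datetime import datetime, timedelta

# Constructed sample input (not taken from the thread's servers).
# Assumption: event-log and IIS timestamps are both normalised to UTC.
SCHANNEL_36887 = ["2012-02-12 00:00:04", "2012-02-12 00:05:04", "2012-02-12 00:10:05"]
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status
2012-02-12 00:00:03 POST /owa/ev.owa 443 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2012-02-12 00:00:05 POST /EWS/Exchange.asmx 443 192.0.2.10 MacOutlook/14.13.0+(Intel+Mac+OS+X) 200
2012-02-12 00:03:10 GET /owa/ 443 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2012-02-12 00:05:05 POST /EWS/Exchange.asmx 443 192.0.2.10 MacOutlook/14.13.0+(Intel+Mac+OS+X) 200
2012-02-12 00:07:30 GET /owa/ 443 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2012-02-12 00:10:06 POST /EWS/Exchange.asmx 443 192.0.2.10 MacOutlook/14.13.0+(Intel+Mac+OS+X) 200
"""
FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis(text):
    """Parse a W3C log, taking column names from its own #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) != len(fields):
                continue  # skip truncated or malformed lines
            row = dict(zip(fields, parts))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], FMT)
            rows.append(row)
    return rows


def rank_clients(event_times, rows, window_s=10):
    """Per client: how many 36887 events have a request within the window."""
    window = timedelta(seconds=window_s)
    events = [datetime.strptime(t, FMT) for t in event_times]
    if not events:
        return []
    hits = {}
    for row in rows:
        key = (row["c-ip"], row["cs(User-Agent)"])
        hits.setdefault(key, set()).update(e for e in events if abs(row["ts"] - e) <= window)
    ranked = [(ip, ua, len(m), len(m) / len(events)) for (ip, ua), m in hits.items()]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for ip, ua, n, cov in rank_clients(SCHANNEL_36887, parse_iis(IIS_LOG)):
        print(f"{ip:15} {n}/{len(SCHANNEL_36887)} events ({cov:.0%})  {ua}")
```

The match is a heuristic: it relies on the client that triggers the alert also making logged requests around the same time, so a client that covers nearly every event is a candidate to check, not a confirmed cause.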

