ControlUp KaaS SChannel Events

Issue

Various Schannel events in the System Log

Symptoms

There are three Schannel events that are most commonly seen. Those are 36874, 36887, and 36888.

Log Name: System
Source:      Schannel
Date:         13/05/2016 07:29:32
Event ID:    36888
Task Category: None
Level:         Error
User:          SYSTEM
Computer:   CUXEN65TS20.controlUp.demo
Description: The following fatal alert was generated: 10. The internal error state is 12.

Troubleshooting/Research Steps

Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communication.

These errors indicate a problem with the cipher suite chosen, or just the fact that the two sides (client and server) cannot agree on a cipher suite to use. The error message description will vary depending on the actual error involved.

Event IDs 36888, 36874 can be caused by certificate/TLS communication issues (like lack of compatibility)

Event ID 36887 indicates an SSL fatal alert. The error itself is vague. This may be logged if you try to initiate an HTTP connection to an HTTPS server, or if the server is being probed or scanned for vulnerabilities.

Similar to other Windows Events problems, the ControlUp Incidents pane is an excellent place to start troubleshooting application errors such as this. Start by double-clicking on the ‘Windows Events’ row in order to get to the 2^nd level.

Once there, we want to group and sort in order to group all events from Schannel, so we type ‘channel’ in the filter box in the upper right corner. Grouping by the Event ID can be useful if there are a lot of errors, so we check that box. We clicked the ‘Computer’ column header to sort the list and make it easier to find what we’re looking for.

Now that we have grouped just the events we are interested in. double-click on that line takes us to the 3^rd level, which will give us a list of every event captured by the Incident Trigger that meets the grouping of the previous screen. You can read through the list here, or export the entire table into Excel using the button at the top in order to further analyze the data, find patterns, make reports, etc.

For these errors, Wireshark and Fiddler are going to be the best sources of more in-depth information to get to the root cause of the specific message.

If the issue cannot be solved, or the error is expected, there is always the option of turning off Schannel logging altogether by setting EventLogging=0 (dword), under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Hiding the log is not a good security practice, however, it is an option. See https://support.microsoft.com/en-us/kb/260729 for more information.