Issue
Various Schannel events in the System Log.
Symptoms
The most commonly seen Schannel events are 36874, 36887, and 36888.
Log Name: System
Source: Schannel
Date: 13/05/2016 07:29:32
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Computer: CUXEN65TS20.controlUp.demo
Description: The following fatal alert was generated: 10. The internal error state is 12.
Troubleshooting/Research Steps
Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communication.
These errors indicate a problem with the chosen cipher suite, or that the two sides (client and server) cannot agree on a cipher suite to use. The error message description will vary depending on the actual error involved.
Event IDs 36888 and 36874 might be caused by certificate/TLS communication issues, such as lack of compatibility.
Event ID 36887 indicates an SSL fatal alert. The error itself is vague. This might be logged if you try to initiate an HTTP connection to an HTTPS server, or if the server is being probed or scanned for vulnerabilities.
As with other Windows event problems, the ControlUp Incidents pane is the best place to start troubleshooting application errors such as this. Double-click the Windows Event rows to drill down to the event level.

Once there, we want to filter and sort so that all Schannel events appear together, so we type "channel" in the filter in the upper-right corner. Grouping by Event ID is useful when there are a lot of errors, so we check that box. We then click the Machine column header to sort the list and make it easier to find what we're looking for.
Now that we have grouped just the events we are interested in, double-click that line to drill down further. This gives a list of every event captured by the Trigger that matches the grouping from the previous screen. You can read through the list here, or export the entire table to Excel using the button at the top to analyze the data further, find patterns, build reports, and so on.
For these errors, Wireshark and Fiddler are going to be the best sources of more in-depth information to get to the root cause of the specific message.
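The description in the sample event above carries only a numeric alert code, and knowing its TLS name tells you what to look for in a capture. The following PowerShell function is an added example, not part of the original article or of ControlUp: it maps the code to its alert name and groups events by machine, event ID and alert. The function name, the second sample row and the message pattern are assumptions based on the event text shown on this page.

```powershell
# Subset of the TLS alert descriptions defined in RFC 5246; Schannel logs only the number.
$TlsAlert = @{
    10 = 'unexpected_message';  20 = 'bad_record_mac';      40 = 'handshake_failure'
    42 = 'bad_certificate';     43 = 'unsupported_certificate'
    44 = 'certificate_revoked'; 45 = 'certificate_expired'; 46 = 'certificate_unknown'
    47 = 'illegal_parameter';   48 = 'unknown_ca';          49 = 'access_denied'
    50 = 'decode_error';        51 = 'decrypt_error';       70 = 'protocol_version'
    71 = 'insufficient_security'; 80 = 'internal_error'
}

function Get-SchannelAlertSummary {   # hypothetical helper name
    # Accepts objects with Id, MachineName and Message (the shape Get-WinEvent returns).
    param([Parameter(ValueFromPipeline)] $InputObject)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # Assumed pattern: "fatal alert was generated: 10" (36888) or "... received: 40" (36887).
        # Events whose description has no alert code are skipped.
        if ($InputObject.Message -match 'fatal alert was (\w+): (\d+)') {
            $direction = $Matches[1]
            $code = [int]$Matches[2]
            $state = if ($InputObject.Message -match 'internal error state is (\d+)') { [int]$Matches[1] }
            $name = if ($TlsAlert.ContainsKey($code)) { $TlsAlert[$code] } else { 'unmapped' }
            $rows.Add([pscustomobject]@{
                Machine = $InputObject.MachineName; EventId = $InputObject.Id
                Direction = $direction; Alert = "$code ($name)"; State = $state })
        }
    }
    end {
        # One line per distinct machine / event ID / direction / alert / state, most frequent first.
        $rows | Group-Object Machine, EventId, Direction, Alert, State |
            Sort-Object Count -Descending |
            Select-Object Count, Name
    }
}

# Constructed sample input: the first row is the event shown on this page, the second is made up.
$sample = @(
    [pscustomobject]@{ Id = 36888; MachineName = 'CUXEN65TS20.controlUp.demo'
        Message = 'The following fatal alert was generated: 10. The internal error state is 12.' }
    [pscustomobject]@{ Id = 36887; MachineName = 'CUXEN65TS20.controlUp.demo'
        Message = 'The following fatal alert was received: 40.' }
)
$sample | Get-SchannelAlertSummary

# On a live host, feed the same function from the System log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887, 36888 } |
#     Get-SchannelAlertSummary
```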
If the issue cannot be solved, or the error is expected, there is always the option of turning off Schannel logging altogether by setting the EventLogging value (DWORD) to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
Hiding the log is not a good security practice, because connection failures such as the probing or scanning mentioned above would then go unrecorded, but it is an option. See https://support.microsoft.com/en-us/kb/260729 for more information.