Hourly fatal windows alert

Question

On one of my windows server 2012 R2 (going to upgrade), my event logger has been filled with

• Event ID 36887 A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40. with Source Schannel

It occurs approximately every hour (+/- tens of seconds) and first logged on 11/10/2022 at 1PM. Last windows update occurred on 11/9/2022.

Its popping under Windows Logs > System.

I also noted similar errors on 11/8/2022

• Event 36882 The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate. with Source Schannel

• Event 36888 A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 48. The Windows SChannel error state is 552. with Source Schannel

Another noted pattern a few seconds before every Event ID 36887 would be

• Event 7036 The WinHTTP Web Proxy Auto-Discovery Service service entered the running state. from Source Service Control Manager

I tried stopping and starting WinHTTP and any dependent services to see if I can reproduce the error but to no avail. I also used Wireshark to monitor connections during the failure time. The closest match I found was 20.121.85.115 (a Microsoft IP) with fatal alert (Handshake failure).

I believe some hourly Windows Service is calling some Microsoft IP with an invalid SSL certificate. I just can't tell what.

Any ideas how to resolve this error?

Answer 1

You can get more information about untrusted certificates by enabling the CAPI log. The log is disabled by default and you can right-click on it to enable the log.

Applications and Services/Microsoft/Windows/CAPI2/Operational

It will usually have the certificate subject name and fingerprint. A sample is below.

It may be possible that a certificate issued from a newer Microsoft CA is used, and your host does not have the updated Root or Intermediate CA certificates installed.

Windows attempts to download new or updated certificates automatically. If that is disabled (Turn off Automatic Root Certificates Update) or access is blocked, it may be necessary to download the certificates and put them on a share for auto updating.

Configure Trusted Roots and Disallowed Certificates
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)

Certutil can be used to download the certificates for populating a network share for distribution by Group Policy.

Certutil -syncWithWU \\Server1\CTL

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2022-11-18T14:15:15.4126330Z" />
    <EventRecordID>26</EventRecordID>
    <Correlation ActivityID="{bfcbf0f2-f4ee-0002-66f1-cbbfeef4d801}" />
    <Execution ProcessID="636" ThreadID="14532" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>XXX</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_MICROSOFT_ROOT" constant="7" />
      <Certificate fileRef="AD81722A9E0E6394748343D025887D9285AE95D9.cer" subjectName="cxcs.microsoft.net" />
      <CertificateChain chainRef="{73D8FB26-4CD0-4E8D-BBCE-1095FA7EC749}" />
      <Flags value="0" />
      <Status chainIndex="0" elementIndex="2" />
      <EventAuxInfo ProcessName="lsass.exe" />
      <CorrelationAuxInfo TaskId="{D6FE4576-970E-4588-B77A-718E2027EFF0}" SeqNumber="1" />
      <Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>