5

I get this error (event 36887 schannel The following fatal alert was received: 10.) on my Exchange Server 2010, running on Windows Server 2008 x64 Enterprise.

Here are the details of the error:

Log Name:      System 
Source:        Schannel 
Date:          1/16/2013 3:31:20 PM 
Event ID:      36887 
Task Category: None 
Level:         Error 
Keywords:       
User:          SYSTEM 
Computer:      xxx-exchsrv-xx.xxxxxxx.local 
Description: 
The following fatal alert was received: 10.


Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">    
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-01-16T21:31:20.270752700Z" />
    <EventRecordID>98196</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="12" />
    <Channel>System</Channel>
    <Computer>xxx-exchsrv-xx.xxxxxxx.local</Computer>
    <Security UserID="x-x-x-xx" />
  </System>
  <EventData>
    <Data Name="AlertDesc">10</Data>
  </EventData>
</Event>

I can't find much related to that specific error. Help, please!

Thank you!

Mathias R. Jessen
George

2 Answers

5

Do you receive these errors often (on a schedule?) and are you aware of any actual problems that coincide with their appearance? I ask because it's likely that you can safely ignore them or suppress them.

The error itself is quite vague. According to the TLS Protocol RFC, this indicates an unexpected message. Alert messages with a level of fatal result in the immediate termination of the connection. In this case, other connections corresponding to the session may continue, but the session identifier MUST be invalidated, preventing the failed session from being used to establish new connections.

This sounds truly problematic until you realize that the machine attempting to establish the TLS connection likely tries again in a more agreeable fashion.

If you'd like to suppress the SChannel alerts, you can tweak the registry setting detailed in KB260729.

Update: Many times these are externally caused. You can generate a similar error by attempting to access your Outlook Web Access site in the following (invalid) manner --

http://mail.example.com:443/owa (note the use of http on port 443, NOT https)

If you check your event logs following this, you'll see a fatal alert 10 with internal error state of 1203. This is obviously nothing to be concerned about; it has everything to do with someone trying to access OWA incorrectly and nothing to do with a server misconfiguration.

pk.
  • I guess it would depend on the definition of often. I just looked, and over the last 30 days it appeared 10 times, usually on the same day in a group of either 4s or 2s. Essentially back to back. And it happens on random days/times too. Some were about 3 weeks apart and some were about a week apart, at different times. Nothing comes to mind in terms of specific issues on those days/times. I suppose I can suppress them. – George Feb 20 '13 at 17:38
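Added example, not part of the original thread: before suppressing the events, it helps to see which TLS alert codes arrive and whether they come in same-day bursts, as described in the comment above. The sketch below decodes the `AlertDesc` field of event 36887 and counts events per day and alert. The helper name `ConvertFrom-SchannelAlertXml` is hypothetical, the alert table is a subset of RFC 5246 section 7.2, and the sample events are constructed.

```powershell
# TLS alert descriptions (RFC 5246, section 7.2); subset, extend as needed.
$TlsAlerts = @{
    10 = 'unexpected_message'; 20 = 'bad_record_mac';        40 = 'handshake_failure'
    42 = 'bad_certificate';    46 = 'certificate_unknown';   48 = 'unknown_ca'
    70 = 'protocol_version';   71 = 'insufficient_security'; 80 = 'internal_error'
}

function ConvertFrom-SchannelAlertXml {   # hypothetical helper name
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $alertNode = $doc.SelectSingleNode("//e:Data[@Name='AlertDesc']", $ns)
        $timeNode  = $doc.SelectSingleNode('//e:TimeCreated', $ns)
        if (-not $alertNode -or -not $timeNode) { return }   # not an alert event, skip it
        $code = [int]$alertNode.InnerText
        # XmlConvert accepts the 9-digit fractional seconds used in event XML.
        $utc  = [System.Xml.XmlConvert]::ToDateTime(
                    $timeNode.Attributes['SystemTime'].Value,
                    [System.Xml.XmlDateTimeSerializationMode]::Utc)
        $name = $TlsAlerts[$code]
        if (-not $name) { $name = 'unmapped' }
        New-Object PSObject -Property @{ TimeUtc = $utc; AlertCode = $code; AlertName = $name }
    }
}

# Constructed sample events, trimmed to the fields used (modelled on the event in the question).
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
            '<TimeCreated SystemTime="{0}" /></System><EventData>' +
            '<Data Name="AlertDesc">{1}</Data></EventData></Event>'
$sample = @(
    ($template -f '2013-01-16T21:31:20.270752700Z', 10),
    ($template -f '2013-01-16T21:31:21.104000000Z', 10),
    ($template -f '2013-01-23T08:02:11.000000000Z', 40)
)

# On a live server, replace $sample with:
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36887} |
#       ForEach-Object { $_.ToXml() }
$sample | ConvertFrom-SchannelAlertXml |
    Group-Object { '{0:yyyy-MM-dd} {1} ({2})' -f $_.TimeUtc, $_.AlertCode, $_.AlertName } |
    Sort-Object Name |
    Select-Object Name, Count
```

Event 36887 carries only the alert code, so correlating a burst with the IIS or Exchange protocol logs for the same timestamps is what identifies the client that sent it.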
1

How often do you have these errors? I have them sometimes; it just means that an SSL connection failed for whatever reason. Could be a client sending a bad request or something else. I had the issue when a malformed IMAP connection was happening every 2 minutes.

If it doesn't happen very often, I think you can just ignore them.

Alex