10

I've searched online, but am unable to find any information on why this error is occurring.

It has flooded my Event Viewer: with an interval of 1 minute, this Error keeps popping up. (i.e. the frequency is 1 minute)

I don't have any IIS installed.

This server is purely a Domain controller and no other role has been added.

Please suggest what I should do.

Server OS - Windows Server 2008 R2 Standard Edition.

More details:

Log Name:      System
Source:        Schannel
Date:          6/28/2012 6:06:11 PM
Event ID:      36888
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      QKSRVDC212.Corp.abc.com
Description:
The following fatal alert was generated: 10. The internal error state is 1203.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36888</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-28T12:36:11.801245500Z" />
    <EventRecordID>9305</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="3516" />
    <Channel>System</Channel>
    <Computer>QKSRVDC212.Corp.abc.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="AlertDesc">10</Data>
    <Data Name="ErrorState">1203</Data>
  </EventData>
</Event>
Jeroen
Param

5 Answers

2

I realize that you are not running IIS, but it appears other processes can cause this error message as well.

This might help:

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/4c5430f5-43f6-41b4-97d3-03cfb3efa70b

1

Ran across this post while researching 36888 and 36874 events from SChannel on one of our Windows 2008 R2 servers. I decided to dig into KB2992611, mentioned in another answer.

36888 is a failed SSL connection request on TLS 1.2 - none of the cipher suites supported by the client app are supported by the server.

36874 error text: The following fatal alert was generated: 40. The internal error state is 1205.

Bottom line: OP predated KB2992611 by 2+ years. I don't think it is related to the OP issue. I don't think it's related to the events I'm seeing now, either.

Details:

KB2992611 (referenced in Microsoft Security Bulletin MS14-066) was a patch to fix a vulnerability in SChannel. The patch caused a lot of problems and was re-released along with a second update, 3018238, for Windows 2008 R2 and Windows Server 2012.

On our server, KB2992611 was installed back in 2014, as was the subsequent re-release.

Per KB2992611, 4 cipher suites were added to 2008R2 and 2012:

[...]Some customers have reported an issue that's related to the addition of the following new cipher suites to Windows Server 2008 R2 and Windows Server 2012: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 [...]

At this point, we have no enabled TLS_DHE cipher suites, but the two mentioned TLS_RSA suites are Enabled.

While these errors are happening semi-regularly (not being flooded), they don't seem serious. I'm not going to spend any more time worrying about them. My explanation is that someone is trying to access a server resource using a weak, disabled cipher suite, perhaps TLS_DHE_XXX.

mobill
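The Event XML in the question carries the TLS alert number in AlertDesc. This added example (not from any answer on this page) decodes that field into its RFC 5246 alert name so recurring Schannel 36888 events can be grouped by alert and error state. The function name ConvertFrom-SchannelAlertXml and the trimmed sample event are assumptions made for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Alert names are a subset of the TLS alert list in RFC 5246, section 7.2.
$TlsAlert = @{
    10 = 'unexpected_message'
    20 = 'bad_record_mac'
    40 = 'handshake_failure'
    42 = 'bad_certificate'
    45 = 'certificate_expired'
    48 = 'unknown_ca'
    70 = 'protocol_version'
    80 = 'internal_error'
}

function ConvertFrom-SchannelAlertXml {   # hypothetical helper name
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        $data = @{}
        # Index the <Data Name="..."> elements by their Name attribute.
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = [int]$data['AlertDesc']
        [pscustomobject]@{
            TimeCreated = $e.System.TimeCreated.SystemTime   # UTC string as logged
            Computer    = $e.System.Computer
            ProcessId   = [int]$e.System.Execution.ProcessID
            AlertCode   = $code
            AlertName   = if ($TlsAlert.ContainsKey($code)) { $TlsAlert[$code] } else { 'unlisted' }
            ErrorState  = [int]$data['ErrorState']
        }
    }
}

# Constructed sample: the event from the question, trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2012-06-28T12:36:11.801245500Z" />
    <Execution ProcessID="524" ThreadID="3516" />
    <Computer>QKSRVDC212.Corp.abc.com</Computer>
  </System>
  <EventData>
    <Data Name="AlertDesc">10</Data>
    <Data Name="ErrorState">1203</Data>
  </EventData>
</Event>
'@

$sample | ConvertFrom-SchannelAlertXml   # AlertName: unexpected_message

# On a live server, feed the real events and count them per alert and error state:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SchannelAlertXml | Group-Object AlertName, ErrorState
```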
0

One of your certificates is most likely expired. Either deploy ADCS and make a new primary root certificate, or just delete the expired certificates and create new ones. Hope this helps.

0

I was running crazy looking for the same error message. I think I have fixed it. Here is what worked for me.

We have AD FS running on this server on 2012 R2. It is secured with an SSL certificate on port 443. The default website was also open on port 80. I went to my IIS Manager, opened the Default website, went into Bindings and simply removed binding for port 80.

Thank you, user124890, for pointing me in the right direction.

Saeed Sheikh
-2

Nothing to do with expired certificates lol, it's caused by a patch called KB2992611; you have to disable a couple of cipher suites. Really easy to do in 2012, but not in 2008.

But yeah, nothing to do with expired certificates LOL

  • 1
    Your answer is oversimplified and does not provide any information on how the OP should go about disabling the cipher suites. Please improve the quality of your answer by adding sources and/or providing more details. – John K. N. Oct 28 '16 at 11:31