On some 2008 R2 domain controllers that I manage I have noticed several events each week that are categorised as Error events, with the event 36887 & source Schannel.
The only information displayed is the message:
"The following fatal alert was received: 48."
Not much to see there, but when I expanded the Details section I found the Execution ProcessID matched up to the lsass.exe process ... so at least now we know we are dealing with the local security authentication server service ... and on a domain controller this means domain clients are also being authenticated via this service.
Some searching & I found a reference for the error numbers: http://msdn.microsoft.com/en-us/library/ff476074(VS.85).aspx
... so error number 48 is defined as TLS1_ALERT_UNKNOWN_CA & further searching * it appears that the best explanation of these messages appearing in the domain controller logs is that there are clients that are presenting certificates that are not recognised by the domain controllers. If this is the case, then it appears to be a bit extreme to log them as Error events on the domain controller ...
* http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/dae11f0b-2d90-4da6-8c5b-27bc236f6441
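
An added example, not part of the original post: a Python sketch that tallies Schannel 36887 alerts from an exported event list and names each code using the alert table in RFC 5246. The tab-separated export layout, the sample records and the names `summarise` and `SAMPLE` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Alert descriptions from RFC 5246 section 7.2 (TLS 1.2), reserved codes omitted.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}
# Codes that point at a certificate problem rather than a protocol problem.
CERT_RELATED = {42, 43, 44, 45, 46, 48}

ALERT_RE = re.compile(r"fatal alert was received:\s*(\d+)")

# Constructed sample (assumed layout): time, source, event ID, PID, message.
SAMPLE = (
    "2012-01-09T08:14:02\tSchannel\t36887\t492\tThe following fatal alert was received: 48.\n"
    "2012-01-09T08:15:40\tService Control Manager\t7036\t480\tA service changed state.\n"
    "2012-01-10T11:02:17\tSchannel\t36887\t492\tThe following fatal alert was received: 40.\n"
    "2012-01-10T19:45:51\tSchannel\t36887\t492\tThe following fatal alert was received: 48.\n"
    "truncated line without enough fields\n"
    "2012-01-11T07:30:09\tSchannel\t36887\t492\tThe following fatal alert was received: 46.\n"
    "2012-01-12T13:21:33\tSchannel\t36887\t492\tThe following fatal alert was received: 48.\n"
)

def summarise(export_text):
    """Return (code, name, certificate_related, count) rows, most frequent first."""
    counts = Counter()
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed or truncated rows
        _, source, event_id, _, message = fields
        if source != "Schannel" or event_id != "36887":
            continue  # only the "fatal alert was received" event
        match = ALERT_RE.search(message)
        if match:
            counts[int(match.group(1))] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(c, TLS_ALERTS.get(c, "unassigned"), c in CERT_RELATED, n) for c, n in ordered]

if __name__ == "__main__":
    for code, name, cert, count in summarise(SAMPLE):
        print(f"{count:3d}  alert {code:3d}  {name}  certificate-related={cert}")
```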
Thursday, January 12, 2012