SCHANNEL event logging
First, my thanks to Bhuvnesh Kumar for his help!
Time to figure out what's going on behind the curtain!
Are you seeing Event ID 36871 events in the System Event Log?
Why does this matter?
Depending on OS version and patch level, the TLS cipher suites enabled on the various SCOM servers may not match, and a TLS handshake only succeeds when client and server share at least one enabled cipher suite.
- If you're setting up TLS 1.2, the SCOM servers (management servers and gateways) need a cipher suite in common or they cannot talk at all.
- The bad part is that this isn't logged much on the gateway (GW), but it is logged more often on the management server (MS).
- Sometimes the 36871 events come with 36874, but in my experience they occur after event logging is enabled.
The unanswered question is "why are we seeing the 36871 events?"
In my example, the events only happened once a day, roughly every 24 hours.
Are the events related to the cipher suite, or is it a management pack (MP) trying to run the old SQLOLEDB method?
This article will focus on verifying the cipher suites on a server.
See this article for MP analysis of the SQL methods.
SCHANNEL event logging setup
From Holman's blog
| Value | What is logged |
| --- | --- |
| 0 | Do not log |
| 1 | Log Error messages |
| 3 | Log Error and Warning messages |
| 4 | Log Informational and Success events |
| 5 | Log Error, Informational and Success events |
| 6 | Log Warnings, Informational and Success events |
| 7 | Log Everything (Warnings, Errors, Informational and Success events) |
The value is a bit mask (1 = errors, 2 = warnings, 4 = informational and success events), which is why the combinations above add up the way they do.
I'd recommend setting it to 3 to see errors and warnings, or 7 to see everything.
Remember to set this back to 1 (the default, errors only) when done resolving any issues, because level 7 is noisy on a busy server.
From Command Prompt or PowerShell (as administrator):
Enable full logging (value 7; use 3 for errors and warnings only):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /t REG_DWORD /d 7 /f
Remove the value when done, which returns SCHANNEL to its default of logging errors only (/f skips the Yes/No confirmation prompt):
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /f
Check the current value:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"
Time to reboot! The new logging level does not take effect until the server is restarted.
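The same setup in PowerShell, as an added example that is not code from the original post or from Holman's blog: one function reads the value and decodes which bits are on (so you can tell at a glance what a 5 or a 6 means), the other sets it. It uses the same registry key as the reg commands above and assumes an elevated session.

```powershell
# Added example, not code from the original post or Holman's blog. Same key the reg commands use.
# EventLogging is a bit mask: 1 = errors, 2 = warnings, 4 = informational and success events.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEventLogging {
    # Reports the current value (the default is 1 when the value does not exist) and the bits it turns on
    $item  = Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 1 } else { [int]$item.EventLogging }
    $flags = @()
    if ($value -band 1) { $flags += 'Error' }
    if ($value -band 2) { $flags += 'Warning' }
    if ($value -band 4) { $flags += 'Informational/Success' }
    if ($flags.Count -eq 0) { $flags = @('None') }
    [pscustomobject]@{ Value = $value; Logs = ($flags -join ', ') }
}

function Set-SchannelEventLogging {
    # Requires an elevated session; a reboot is still needed before the new level takes effect
    param([Parameter(Mandatory)][ValidateRange(0, 7)][int]$Level)
    New-ItemProperty -Path $SchannelKey -Name EventLogging -PropertyType DWord -Value $Level -Force | Out-Null
    Get-SchannelEventLogging
}

# Usage: turn everything on for troubleshooting, reboot, and return to errors-only when done
# Set-SchannelEventLogging -Level 7   # then Restart-Computer
# Set-SchannelEventLogging -Level 1
```

Get-SchannelEventLogging is also a quick way to confirm, after the reboot, that the level you set is the one that is actually in force on each management server and gateway.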
Verify SCHANNEL events
Look at the System Event Log and filter for Event IDs 36880 and 36874 for clues:
- 36880 is an informational event (logged at level 4 and above) that reports a successful handshake, including the negotiated protocol and cipher suite.
- 36874 is logged when a TLS connection request is received but none of the cipher suites offered by the client are enabled on the server, which is exactly the mismatch scenario described above.
The easy first question when solving a cipher suite mismatch is: is this server patched with the latest security and .NET updates?
After all this, in my example, we confirmed that this simple step had been assumed done, and that assumption was inaccurate.
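An added example, not code from the original post, that does the event review and the cipher suite comparison from one console instead of clicking through Event Viewer on each box. It assumes PowerShell Remoting (WinRM) is enabled between the servers, that Get-TlsCipherSuite is available on Windows Server 2016 and later (older systems fall back to the cipher suite order stored in the registry), and that 36880 message text contains "CipherSuite: 0x...." as Schannel writes it; the function names and the MS01/GW01 server names are mine.

```powershell
# Added example, not code from the original post. Assumes WinRM between the servers and that
# 36880 messages contain "CipherSuite: 0x...." (Schannel's message format); server names are made up.
function Get-SchannelEventSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 2)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871, 36874, 36880
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Only 36880 carries the negotiated suite; the others leave CipherSuite empty
            $suite = if ($_.Message -match 'CipherSuite:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                CipherSuite = $suite
                Summary     = ($_.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

function Get-EnabledCipherSuites {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
            # Windows Server 2016 / Windows 10 and later: the TLS module reports the live list
            (Get-TlsCipherSuite).Name
        } else {
            # Older OS: read the configured order from the registry; the policy key wins when it is set
            $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
            $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
            $f = $null
            foreach ($path in $policy, $local) {
                $p = Get-ItemProperty -Path $path -Name Functions -ErrorAction SilentlyContinue
                if ($p) { $f = $p.Functions; break }
            }
            # The policy value is a comma-separated string, the local one a multi-string
            if ($f -is [string]) { $f -split ',' } else { $f }
        }
    }
}

function Compare-CipherSuites {
    # Lists suites only one side has enabled; no "both" rows means the two cannot negotiate TLS at all
    param([Parameter(Mandatory)][string]$ManagementServer, [Parameter(Mandatory)][string]$Gateway)
    $ms = @(Get-EnabledCipherSuites -ComputerName $ManagementServer)
    $gw = @(Get-EnabledCipherSuites -ComputerName $Gateway)
    $common = $ms | Where-Object { $gw -contains $_ }
    if (-not $common) { Write-Warning "$ManagementServer and $Gateway share no enabled cipher suite" }
    Compare-Object -ReferenceObject $ms -DifferenceObject $gw -IncludeEqual |
        Select-Object @{ n = 'Suite'; e = { $_.InputObject } },
                      @{ n = 'Where'; e = { switch ($_.SideIndicator) {
                          '<=' { "$ManagementServer only" }
                          '=>' { "$Gateway only" }
                          '==' { 'both' } } } }
}

# Usage (names are placeholders):
# Get-SchannelEventSummary -ComputerName MS01 -Days 3 | Format-Table -AutoSize
# Compare-CipherSuites -ManagementServer MS01 -Gateway GW01 | Sort-Object Where
```

Read the 36880 rows first: the hex code in CipherSuite is the suite the two sides actually agreed on, so a 36874 at the same time from the other side tells you which peer had nothing in common. Compare-CipherSuites then shows whether the mismatch is a patch-level difference (a suite present on one side only) rather than a management pack issue.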
36871 event https://technet.microsoft.com/en-us/library/dn786445(v=ws.11).aspx#BKMK_36871
SCHANNEL events https://technet.microsoft.com/en-us/library/dn786445(v=ws.11).aspx
SChannel error codes https://msdn.microsoft.com/en-us/library/windows/desktop/dd721886(v=vs.85).aspx
SSL errors https://support.microsoft.com/en-us/help/305088/schannel-error-message-36871-when-receiving-an-ehlo-smtp-command