SChannel Errors on SCOM Agent
Hi again!
If you're setting up a new agent/gateway installation which cannot communicate with the Management Server, it's always a good idea to also check the System Event Log for SChannel errors like:
Event ID: 36874 - TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Event ID: 36888 - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
If this is the case, let's check the certificates more closely regarding the signature hash algorithm:
SHA 512 has severe incompatibility issues; if the AD team has not implemented any workarounds for this on the servers & CA it will not work, since TLS 1.2 does not support SHA 512 -> https://technet.microsoft.com/en-us/library/dd560644(v=WS.10).aspx
It's not OS related directly; it applies to WS2008 as well as WS2012 and R2. It's just the TLS 1.2 protocol design. The reason SHA 512 is not supported is that it can cause higher CPU usage. However, you can enable it from the registry if it is needed in your environment:
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Type: REG_MULTI_SZ
Data: RSA/SHA512
There are also updates available, KB2975719 and KB2975331, which address this issue depending on the operating system.
Here is further documentation on the cipher suites supported by Schannel/TLS 1.2; SHA 512 is not there :) So the workaround would be to create certificates based on SHA 384 or SHA 256:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
+Cipher Suite Definitions
https://tools.ietf.org/html/rfc5246#appendix-C
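As an added example (not from the original post), here is a PowerShell diagnostic that walks the checks above on the local machine: the two Schannel event IDs, the signature hash algorithm of the certificates in the machine store, the Functions value under the 00010003 key, and the TLS 1.2 server protocol key mentioned in the comments. The function names and the LocalMachine\My store are assumptions; the key paths, value names and event IDs are the ones quoted on this page.

```powershell
# Added example, not part of the original post. Read-only diagnostic for the checks
# described above (the Enable-* function is the only one that writes, and it honours
# -WhatIf). Run in an elevated PowerShell on the agent, gateway or Management Server.
# Function names and the store path are this example's own assumptions.

function Get-SchannelHandshakeEvents {
    # Schannel event IDs quoted in the post; look back a configurable number of hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36874, 36888
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent emits a non-terminating error when nothing matches; treat as "none".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-CertificateSignatureHashes {
    # Lists certificates in the given store with their signature algorithm and flags
    # SHA-512 signed ones, the case the post identifies as incompatible.
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store for agent/gateway certs
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName           # e.g. sha256RSA, sha512RSA
        [pscustomobject]@{
            Subject            = $_.Subject
            Thumbprint         = $_.Thumbprint
            NotAfter           = $_.NotAfter
            SignatureAlgorithm = $alg
            Sha512Signed       = [bool]($alg -match 'sha512')
        }
    }
}

# Key from the post; the REG_MULTI_SZ value under it is named Functions
# (see the comment of January 10, 2016).
$Sha512Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'

function Get-Sha512SignatureState {
    $functions = (Get-ItemProperty -Path $Sha512Key -Name Functions -ErrorAction SilentlyContinue).Functions
    $list = @($functions | Where-Object { $_ })             # drop $null when the value is absent
    [pscustomobject]@{
        Key             = $Sha512Key
        Functions       = $list
        RsaSha512Listed = [bool]($list -contains 'RSA/SHA512')
    }
}

function Enable-RsaSha512Signature {
    # Appends RSA/SHA512 to the Functions list without disturbing existing entries.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-Sha512SignatureState
    if ($state.RsaSha512Listed) { return 'RSA/SHA512 already listed' }
    $new = [string[]]($state.Functions + 'RSA/SHA512')
    if ($PSCmdlet.ShouldProcess($Sha512Key, 'Add RSA/SHA512 to Functions')) {
        Set-ItemProperty -Path $Sha512Key -Name Functions -Value $new -Type MultiString
        return 'RSA/SHA512 added; Schannel typically reads this list at boot, so reboot'
    }
}

function Get-Tls12ServerState {
    # Key and values named in the comment of June 07, 2016: the Management Server must
    # accept TLS 1.2 or the signature hash workaround cannot help.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key               = $key
        KeyExists         = ($null -ne $p)
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
    }
}

# Summary run
Write-Host '== Schannel 36874/36888 events (last 24h) =='
Get-SchannelHandshakeEvents | Format-Table -AutoSize
Write-Host '== Certificates in LocalMachine\My =='
Get-CertificateSignatureHashes | Format-Table Subject, SignatureAlgorithm, Sha512Signed, NotAfter -AutoSize
Write-Host '== RSA/SHA512 in Schannel Functions list =='
Get-Sha512SignatureState | Format-List
Write-Host '== TLS 1.2 server protocol key =='
Get-Tls12ServerState | Format-List
```

If a certificate shows Sha512Signed = True and RsaSha512Listed = False, you are in the situation the post describes. `Enable-RsaSha512Signature -WhatIf` previews the registry change; re-issuing the certificate with SHA 256 or SHA 384, as the post recommends, avoids touching Schannel configuration at all.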
Comments

- Anonymous (January 01, 2003)
awesome, thanks.

- Anonymous (September 21, 2014)
There is an update to this issue here:
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/schannel-error-id-36874-and-36888/ae41effc-1b0a-4d55-be23-24835cd7a32e

- Anonymous (December 04, 2015)
I have started receiving this error after loading Service Pack 3 for SQL 2012. Now the SQL Agent can't start and it keeps saying that it can't connect to the server. I can connect to the server locally and see that it is up. When the SQL Agent fails to start it is throwing 2 sets of these TLS 1.2 errors in my System event log. I am not sure why service pack 3 seems to have done this... everything was working great before the update and the update said that it completed successfully.

- Anonymous (January 10, 2016)
I don't understand what exactly I'm supposed to change in the registry.
Under that registry path I have a key called Functions with the following:
RSA/SHA512
ECDSA/SHA512
RSA/SHA256
RSA/SHA384
RSA/SHA1
ECDSA/SHA256
ECDSA/SHA384
ECDSA/SHA1
DSA/SHA1
And I'm still having those problems...

  - Anonymous (June 02, 2016)
  Hello, I have the same problem. Have you found a solution? br, Aleksander

- Anonymous (February 10, 2016)
Does this error cause all the IIS hosted websites to recycle?

- Anonymous (June 07, 2016)
Don't forget that if your MS doesn't accept TLS 1.2 this won't work! Ensure you add the TLS 1.2 regkeys there too.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
disabledbydefault = 0
enabled = 1

- Anonymous (November 03, 2016)
Great, this has not been fixed in the Server 2016 edition (final release); we are seeing this on an RDS Gateway server this morning.