Clearing up Event 36887 – Schannel The following fatal alert was received: 48


Schannel errors in Event Viewer tend to be really unhelpful. From MSDN, Error 48 indicates TLS1_ALERT_UNKNOWN_CA (SEC_E_UNTRUSTED_ROOT, 0x80090325), so it is most likely due to a self-signed or internal-CA-signed certificate on the host in question. But the event doesn’t indicate which client computer is triggering the error.

However, you can get a fairly precise time out of the XML view under the Details tab: TimeCreated SystemTime gives the time with lots of decimal places, making it way easier to find the offending traffic in a network capture.


To find it in Wireshark, change the Time Display Format to “Date and Time of Day” in the View menu (Ctrl+Alt+1) and filter by “ssl”. The timestamps aren’t identical (plus the event log entry isn’t adjusted to the local timezone), but it’s close enough that you shouldn’t have trouble finding it. The particular traffic I was seeing looked like this.

2014-06-11 12:00:25.774832 TLSv1 73 Alert (Level: Fatal, Description: Unknown CA)

The first IP above ( is the remote client which is triggering the issue.  The second IP ( is the local machine.  Then just had to sort out adding the internal CA cert to the client machine. Fixed!
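The timezone adjustment described above can be scripted. This is an added example, not part of the original post: it reads TimeCreated SystemTime (UTC) from the event's XML view and builds a Wireshark display filter in the capture machine's local time. The sample XML, the function names and the two-second slack are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of the Details > XML View output (values are made up).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" />
    <EventID>36887</EventID>
    <TimeCreated SystemTime="2014-06-11T19:00:25.776543200Z" />
  </System>
</Event>"""

def event_time_utc(event_xml):
    """Return TimeCreated/@SystemTime as a timezone-aware UTC datetime."""
    node = ET.fromstring(event_xml).find("e:System/e:TimeCreated", NS)
    if node is None or "SystemTime" not in node.attrib:
        raise ValueError("no TimeCreated SystemTime in event XML")
    stamp = node.attrib["SystemTime"]
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", stamp)
    if not m:
        raise ValueError("unexpected SystemTime format: " + stamp)
    # SystemTime can carry more fractional digits than datetime keeps (6).
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def wireshark_filter(event_xml, capture_tz=None, slack_seconds=2):
    """Display filter for the seconds around the event.

    Wireshark reads frame.time strings as local time, so the UTC event
    time is converted first. capture_tz=None means this machine's zone.
    """
    local = event_time_utc(event_xml).astimezone(capture_tz)
    fmt = "%Y-%m-%d %H:%M:%S"
    lo = (local - timedelta(seconds=slack_seconds)).strftime(fmt)
    hi = (local + timedelta(seconds=slack_seconds)).strftime(fmt)
    return f'ssl && frame.time >= "{lo}" && frame.time <= "{hi}"'

if __name__ == "__main__":
    print(wireshark_filter(SAMPLE_EVENT_XML))
```

Paste the printed filter into Wireshark's display filter bar; widen `slack_seconds` if the server and capture clocks are not closely synchronised.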


