Clearing up Event 36887 – Schannel The following fatal alert was received: 48

event36887-general

Schannel errors in Event Viewer tend to be really unhelpful.  From MSDN, Error 48 indicates TLS1_ALERT_UNKNOWN_CA  SEC_E_UNTRUSTED_ROOT  0x80090325 so most likely due to a self-signed, or internal CA signed certificate on the host in question.  But it doesn’t indicate which client computer is triggering the error.

However, you can get fairly precise time out of the XML view under the details tab (TimeCreated SystemTime gives the time with lots of decimal places making it way easier to find the offending traffic in a network capture.

event36887-details-xml

To find it in Wireshark, change the Time Display Format to  “Date and Time of Day” in the View Menu (Ctrl+Alt+1) and filter by “ssl”  The timestamps aren’t identical (plus the event log entry isn’t adjusted to the local timezone), but it’s close enough that you shouldn’t have trouble finding it.  The particular traffic I was seeing looked like this.

2014-06-11 12:00:25.774832 192.168.1.100 192.168.1.10 TLSv1 73 Alert (Level: Fatal, Description: Unknown CA)

The first IP above (192.168.1.100) is the remote client which is triggering the issue.  The second IP (192.168.1.10) is the local machine.  Then just had to sort out adding the internal CA cert to the client machine. Fixed!

Advertisements

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: