Making sense of Schannel Event ID 36882

If you have ever looked at the event logs of a fairly busy Lync or Office Communications Edge server in a chatty environment, you might have come across Schannel Event ID 36882:

 Log Name: System
 Source: Schannel
 Date: 3/16/2016 16:16:16 PM
 Event ID: 36882
 Task Category: None
 Level: Error
 Keywords: 
 User: NETWORK SERVICE
 Computer: LyncSE-AE.tailspintoys.com
 Description:
 The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
 

You may wonder which certificate is causing the issue and where the elusive "attached data" is. To find out, open the event's Details tab, select Friendly View, and scroll down to the "In Bytes" section; certificate details such as the Subject Name are visible in the data. For example, in the following screenshot there is an issue with the CA chain for the certificate presented by im.FourthCoffee.com:

Alternatively, you can paste the data field from the XML View into any hex converter to view the data.
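The hex route can also be done in PowerShell, which additionally reports why the chain fails on this machine. This is an added example, not part of the original post: the function name `Get-SchannelEventCertificate` is hypothetical, it assumes the data field is the DER-encoded server certificate, and the sample input is a constructed self-signed certificate.

```powershell
# Added example, not from the original post.
# Assumption: the event's data field is the DER-encoded server certificate.
function Get-SchannelEventCertificate {
    param([Parameter(Mandatory = $true)][string]$Hex)

    # Drop whitespace and line breaks picked up while copying from the XML View.
    $clean = $Hex -replace '\s', ''
    if ($clean -notmatch '^([0-9A-Fa-f]{2})+$') { throw 'Input is not an even-length hex string.' }

    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # Build the chain against this machine's certificate stores. Revocation is
    # skipped because the event is about trust in the issuing CA, not CRLs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        ChainBuilds = $chainOk
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainPath   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed sample input: a throwaway self-signed certificate stands in for
# the hex in the event (needs .NET Framework 4.7.2+ or PowerShell 7).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-sample.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$sampleHex = [BitConverter]::ToString($sample.RawData) -replace '-', ''

Get-SchannelEventCertificate -Hex $sampleHex | Format-List
```

For a real event, pass the hex copied from the XML View instead of `$sampleHex`. A `ChainStatus` of `UntrustedRoot` or `PartialChain` points to a root or intermediate CA certificate that is missing from the server's stores.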

You may run into these events frequently if you do not update your servers regularly or do not install the root certificate updates that Microsoft ships through Windows Update. CAs can get their certificates published by Microsoft via the “Windows Root Certificate Program”; you can find more information about this at https://social.technet.microsoft.com/wiki/contents/articles/2592.aspx. As members of this program, CAs can get their root certificates published via Windows Update. (The updates also remove root CA certificates from time to time; for example, DigiNotar was removed a few months ago, see Microsoft Security Advisory 2607712.)