Support Tip: Ops Manager web application monitoring logs error code 80090326 when the watcher node does not support RC4

~ Arun Kumar | Support Escalation Engineer

FIXIf you have a web site hosted on a server that only supports TLS 1.2 as a secure protocol for communication, when you try to monitor the site using an Operations Manager watcher node running on an operating system that has TLS1.0/RC4 enabled, (e.g. Windows Server 2012 RTM or Windows 8 RTM), the watcher node may fail to monitor the site. The error code you see might be different depending on how the SSL handshake takes place. For example:

  • If the web server sends an encrypted alert, then you might see error code: 80090326
  • If the web server severs the connection abruptly, then you might see error code: 80072EFE

The Schannel event log will also contain the following events:

Log Name:      System
Source:        Schannel
Date:         
Event ID:      36887
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      watchernode.contoso.com
Description:
The following fatal alert was received: 40

and
 
Log Name:      System
Source:        Schannel
Date:         
Event ID:      36871
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      watchernode.contoso.com
Description:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013

What’s typically happening when you see these symptoms is that the SSL handshake between the watcher node and the website is failing because the watcher node is trying to negotiate Latest Ciphers/TLS 1.0 and the website only supports RC4/TLS1.2 respectively.

This is related to the following Microsoft Security Advisory:

Microsoft Security Advisory 2868725

While it is possible to enable RC4 on the web server, a better and more secure work around in this scenario is to disable RC4 on the watcher node and move to new ciphers like AES-GCM and TLS 1.2 instead on the web servers.

For more information see the following article on the Microsoft Security Research and Defense Blog:

Security Advisory 2868725: Recommendation to disable RC4

Arun Kumar | Support Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Operations Manager System Center 2012 R2 Operations Manager OpsMgr 2012 R2