SChannel Errors on SCOM Agent

Hi again!


If you`re setting up a new agent/ Gateway installation which cannot communicate with the Management Server it`s always a good idea to also check the System Event Log and check for SChannel errors like:


Event ID: 36874- TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Event ID: 36888 - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.


If these is a case, let`s check the certificates more closely regarding the signature hash algorithm:


512 has severe incompatibility issues, if the AD Team has not implemented any workarounds for this on the servers & CA it will not work.. since TLS 1.2 does not support SHA 512 ->

It`s not OS related directly.. it applies both to WS2008, WS 2012 +R2.. it`s a just the TLS 1.2 protocol design. The reason why SHA 512 is not supported, is that it can cause higher CPU usage. However you can enable this from the registry, if it should be needed in your environment:


Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003


Data: RSA/SHA512


 There are also updates available kb2975719 and kb2975331 which address this issue, depending on the Operating System.

 Here a further documentation on supported ciphers by Schannel/TLS 1.2, SHA 512 is not there 🙂 So the workaround would be to create certificates based on SHA 384 or SHA 256

+Cipher Suite Definitions

Comments (12)

  1. Ed (DareDevil57) says:

    awesome, thanks.

  2. badtz8 says:

    Thank you ! The registry trick did it.
    Couldn’t figure precisely why the authentication (ldaps on GC) workd on my second AD (W2012R2) and not on my primary (W2012).
    The certificate was effectively using a SHA512 hash.
    You deserve a cookie =)

  3. Fab7 says:

    I have started receiving this error after loading Service Pack 3 for SQL 2012. Now the SQL Agent can’t start and it keeps saying that it can’t connect to the server. I can connect to the server locally and see that it is up. When the SQL Agent fails to
    start it is throwing 2 sets of these TLS 1.2 errors in my System event log. I am not sure why service pack 3 seems to have done this…everything was working great before the update and the update said that it completed successfully.

  4. Ophir says:

    I don’t understand what exactly I’m supposed to change in registry.
    Under that registry path I have a key called Functions with the following:

    And I’m still having those problems…

    1. Aleksander Burjek says:

      Hello, I have the same problem. Have you foud a solutuion? br, Aleksander

  5. Dharmbir Singh says:

    Do this error will cause all the IIS hosted website to recycle?

  6. Nicole Welch says:

    Don’t forget that if your MS doesn’t accept TLS 1.2 this won’t work! Ensure you add the TLS 1.2 regkeys there too.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    disabledbydefault = 0
    enabled = 1

    1. Rok says:

      Nicole Welch are this 2x Dword value or we can just change value for DisabledByDefault from 1 to 0?
      thanks a lot.

    2. Bert Ratia says:

      My customer had SHA512 in place fine, but needed TLS 1.2 enabled, as Nicole Welch described below. Then restarting MS Exch Active Directory Topology restarted most of the related Exchange services…no more System or Application errors. Thanks.

  7. Rasmus Johnsen says:

    Greath this has not been fixed in the Server 2016 edition (final release) we are seeing this on a RDS Gateway server this morning.

  8. Sagar says:

    The certificate i had imported had SHA512 hash and negotiation was happening on TLS1.2 .

    Helped a lot. Thanks.

Skip to main content