SChannel Errors on SCOM Agent


Hi again!

 

If you're setting up a new agent or Gateway installation that cannot communicate with the Management Server, it's always a good idea to also check the System Event Log for SChannel errors like:

 

Event ID: 36874 – TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Event ID: 36888 – A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

 

If this is the case, let's check the certificates more closely, specifically the signature hash algorithm:

 

SHA 512 has severe incompatibility issues: if the AD team has not implemented any workarounds for this on the servers and the CA, it will not work, since TLS 1.2 does not support SHA 512 -> http://technet.microsoft.com/en-us/library/dd560644(v=WS.10).aspx

It's not directly OS related. It applies to WS 2008 as well as WS 2012 + R2; it's just the TLS 1.2 protocol design. The reason why SHA 512 is not supported is that it can cause higher CPU usage. However, you can enable it from the registry if it is needed in your environment:

 

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

Type: REG_MULTI_SZ

Data: RSA/SHA512

 

There are also updates available, KB2975719 and KB2975331, which address this issue, depending on the operating system.

Here is further documentation on the cipher suites supported by Schannel/TLS 1.2; SHA 512 is not there 🙂 So the workaround would be to create certificates based on SHA 384 or SHA 256.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Cipher Suite Definitions

http://tools.ietf.org/html/rfc5246#appendix-C
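The three checks described in this post (SChannel events, certificate signature hash, registry list) can be run together as a read-only script. This is an added example, not part of the original post; it assumes the certificate lives in the LocalMachine\My store and that the REG_MULTI_SZ value under the key above is named Functions, as reported in the comments below.

```powershell
# Added example: read-only triage, changes nothing on the system.
# Run elevated on the agent, gateway or management server.

# 1. Recent SChannel handshake failures (the event IDs quoted in the post).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874, 36888
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Signature hash algorithm of each certificate in the computer store
#    (assumption: the SCOM certificate is in LocalMachine\My).
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }  # e.g. sha256RSA, sha512RSA
$certs | Format-Table -AutoSize

# 3. Signature/hash pairs SChannel currently lists for TLS 1.2.
#    Value name 'Functions' is taken from the comment thread (assumption).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$functions = @()
if (Test-Path $key) {
    $prop = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    if ($prop) { $functions = @($prop.Functions | Where-Object { $_ }) }
}
"Configured pairs: " + ($functions -join ', ')

# 4. Flag SHA512-signed certificates whose pair is missing from the list.
$sha512 = @($certs | Where-Object { $_.Signature -match 'sha512' })
if ($sha512.Count -eq 0) {
    'No SHA512-signed certificates found in LocalMachine\My.'
}
foreach ($c in $sha512) {
    $pair  = if ($c.Signature -match 'ECDSA') { 'ECDSA/SHA512' } else { 'RSA/SHA512' }
    $state = if ($functions -contains $pair) { 'listed' } else { 'NOT listed' }
    '{0} ({1}): signed with {2}; {3} is {4}' -f `
        $c.Thumbprint, $c.Subject, $c.Signature, $pair, $state
}
```

A certificate reported as "NOT listed" matches the situation described above; one reported as "listed" that still fails points to a different cause, such as TLS 1.2 being disabled on the other endpoint.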

Comments (9)

  1. Anonymous says:

    awesome, thanks.

  2. badtz8 says:

    Thank you ! The registry trick did it.
    Couldn’t figure precisely why the authentication (ldaps on GC) worked on my second AD (W2012R2) and not on my primary (W2012).
    The certificate was effectively using a SHA512 hash.
    You deserve a cookie =)

  3. Fab7 says:

    I have started receiving this error after loading Service Pack 3 for SQL 2012. Now the SQL Agent can’t start and it keeps saying that it can’t connect to the server. I can connect to the server locally and see that it is up. When the SQL Agent fails to
    start it is throwing 2 sets of these TLS 1.2 errors in my System event log. I am not sure why service pack 3 seems to have done this…everything was working great before the update and the update said that it completed successfully.

  4. Ophir says:

    I don’t understand what exactly I’m supposed to change in registry.
    Under that registry path I have a key called Functions with the following:
    RSA/SHA512
    ECDSA/SHA512
    RSA/SHA256
    RSA/SHA384
    RSA/SHA1
    ECDSA/SHA256
    ECDSA/SHA384
    ECDSA/SHA1
    DSA/SHA1

    And I’m still having those problems…

    1. Aleksander Burjek says:

      Hello, I have the same problem. Have you found a solution? br, Aleksander

  5. Dharmbir Singh says:

    Will this error cause all the IIS-hosted websites to recycle?

  6. Nicole Welch says:

    Don’t forget that if your MS doesn’t accept TLS 1.2 this won’t work! Ensure you add the TLS 1.2 regkeys there too.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    disabledbydefault = 0
    enabled = 1

    1. Rok says:

      Nicole Welch, are these 2x DWORD values, or can we just change the value for DisabledByDefault from 1 to 0?
      thanks a lot.