SCHANNEL Error 36888

[waltbros]

I added (edited in later on) a little experiment for ya in my last post, in case you missed it. You're welcome.

What exactly should I do here? my value is a 1 now. Should I change it to 0

Walt

Yes, then re-enable logging too, reboot, run Windows Update and then check the logs again for the 36888 error to be there or not.

With logging re-enabled it makes no difference if SSL 2.0 Client is set to 1 or 0. I get the error either way. Thanks for taking all the time and effort to help me with this. Unless you can think of something else to try, I think I'll just set logging to 0 and let that be it.

Walt

 

[GMan]

Cool deal...ya can't win em all heh (that goes for both of us lol) - but ya, so you can rest about it a little easier, what I've told you about the HTTP/HTTPS thing was directly from a Microsoft engineer on their site.

Enjoy.

 

[Calico]

It's happening because the server is HTTP only and the client (your machine) is trying to use HTTPS.

What to do? Disable logging for it - 0x0000 Do not log:

How to enable Schannel event logging in IIS

It's not so much the client trying to use one protocol whilst the server is expecting another, it's more about not being able to make the connection due to some kind of restriction in the network chain.

Doubtful. Windows Update probably tries HTTPS for some function or request and then falls back to HTTP after. It's probably hard coded but I don't know too much of its inner workings. Disabling logging is the best way to go about it if the events are bothersome to you.

Windows updates as well as root store certificate updates use both HTTP and HTTPS. The initial check for updates is a standard HTTP connection but the actual update is done over a secure channel. The same basic mechanism is employed when using Windows Store but the connection type will also depend on the account type in use. If you're using a Live ID to login to Windows 8, WWAHost.exe, the main Windows process used for Metro Application interaction, uses both secure and non-secure connections. if you're using a standard Windows account, the connections all appear to be standard HTTP.

 

[GMan]

The engineer was saying how a normal HTTP request at port 443 generates the error.

For example: Google

 

[Calico]

The engineer was saying how a normal HTTP request at port 443 generates the error.

For example: Google

Unfortunately, that link 404s for me? Is he talking about inbound connection issues against IIS, potentially due to lsass authentication?

Whilst is quite true that some schannel errors are security related, such as 36870, which is principally due to certificate problems, others, of which 36888 is one, I'm pretty sure, are connectivity issues. More often than not 36888 errors are transient, such as those I was seeing several days ago and they usually boil down to simply not being able to make the most appropriate connection at the time of request.

 

[Phone Man]

Here is a list of the SChannel error codes.

View attachment 4949

The OP and myself are getting Error 70 which is a Protocol Version error.

I set my Windows Update to Manual and have not seen any errors in the last 6 hours. So far it looks like it may be related to Windows Update only but more monitoring is required.

Jim

 

[Calico]

Don't forget the other part of the error message "The Windows SChannel error state is 105" which may indicate an invalid client certificate or may simply mean your system clock is out, which can also mimic these problems...

 

[waltbros]

Don't forget the other part of the error message "The Windows SChannel error state is 105" which may indicate an invalid client certificate or may simply mean your system clock is out, which can also mimic these problems...

All of my SChannel errors are error code 70. My system date and clock are up to date. My errors happen EVERY time my system has anything to do with Windows Update and only Windows Update. Oops, I forgot about downloading something from Windows Store. That also gives my the SChannel error code 70 error.

 

[GMan]

It is very likely some Microsoft error, and not user generated. FWIW, I had the same kind of certificate deal going on once. When I looked into it, it was expired and the whole internet was also complaining about it without resolution for a very long stretch of time and then it was eventually fixed.

 

[Calico]

Don't forget the other part of the error message "The Windows SChannel error state is 105" which may indicate an invalid client certificate or may simply mean your system clock is out, which can also mimic these problems...

All of my SChannel errors are error code 70. My system date and clock are up to date. My errors happen EVERY time my system has anything to do with Windows Update and only Windows Update. Oops, I forgot about downloading something from Windows Store. That also gives my the SChannel error code 70 error.

Indeed. I was just referring to the second part of the error, from your first post:

"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105."

Which is what I was seeing in my logs last week. Out of interest are you running Windows 8 on bare metal or in a VM?

 

[waltbros]

Don't forget the other part of the error message "The Windows SChannel error state is 105" which may indicate an invalid client certificate or may simply mean your system clock is out, which can also mimic these problems...

All of my SChannel errors are error code 70. My system date and clock are up to date. My errors happen EVERY time my system has anything to do with Windows Update and only Windows Update. Oops, I forgot about downloading something from Windows Store. That also gives my the SChannel error code 70 error.

Indeed. I was just referring to the second part of the error, from your first post:

"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105."

Which is what I was seeing in my logs last week. Out of interest are you running Windows 8 on bare metal or in a VM?

I guess I've been lying all along. The SChannel state is 105 is what I've been seeing. Ive been mistaking the TLS protocol defined fatal error code is 70 as the error code for the SChannel error . Like I said earlier, my Windows date and clock are up to date. I am running Win8 bare metal on a Toshiba Satellite lap top.

Sorry I misled everybody for so long.
Walt

 

[Phone Man]

I am not sure what the state code means but the error code is 70 which goes along with the list I posted. I still have not seen any since I turned off Windows Update. On the next Patch Tuesday I will run a manual update and see what I get. I'm not really too worried since it looks like only Windows Update is the source and this is a "beta" system.

Jim

 

[Ct74]

Showed up this morning. After second shutdown went to event viewer and found error. Information found @Event ID: 36888 Source: Schannel suggests shutting off tls in IE advanced options. Trying that now. Makes sense as Internet Explorer was the program which caused my problem both times this morning.