Event ID: 36887 Source: Schannel

Description: The following fatal alert was received: 10.

Comments
This event may also be logged if one tries to initiate an HTTP connection to an HTTPS server, e.g. by requesting "http://you-server.com:443/" (this could also happen when the server is being probed or scanned for vulnerabilities).
The following is a list of SSL/TLS error messages and their codes (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
This issue was seen on a Windows 2008 R2 server running Network Policy and Access Services (formerly IAS) and acting as the RADIUS server for wireless authentication.

Data: The following fatal alert was received: 47.

The issue is that the NPS server cannot successfully authenticate the clients. Therefore, wireless client computers cannot connect to the wireless network successfully. This is caused by having too many entries in the trusted root certification list on the server. Every time a client tries to make a connection, this error will be logged in the System event log. See ME933430 for solutions to this issue.
As a general comment from a Microsoft engineer, this error message indicates the computer received an SSL fatal alert message from the server (it is not a bug in Schannel or the application that uses Schannel). Sometimes it is caused by the installation of a third-party web browser (other than Internet Explorer).

Alert 47 - See EV100117, not a fix, but a discussion thread that may bring some additional clues in troubleshooting this problem.

Alert 48 - See EV100118 for some suggestions.
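
To see which alert codes a server is actually logging, the PowerShell below reads Event ID 36887 from the System log and tallies it by alert code using the list above. It is an added example, not from this page's contributors; the helper names are hypothetical, and the regular expression assumes the description ends with the numeric code, as in the messages quoted here.

```powershell
# Added example: tally Schannel Event ID 36887 entries by TLS alert code.
# Names are copied from the list on this page, spelled as they appear there.
$TlsAlertNames = @{
    0 = 'TLS1_ALERT_CLOSE_NOTIFY'; 10 = 'TLS1_ALERT_UNEXPECTED_MESSAGE'; 20 = 'TLS1_ALERT_BAD_RECORD_MAC'
    21 = 'TLS1_ALERT_DECRYPTION_FAILED'; 22 = 'TLS1_ALERT_RECORD_OVERFLOW'; 30 = 'TLS1_ALERT_DECOMPRESSION_FAIL'
    40 = 'TLS1_ALERT_HANDSHAKE_FAILURE'; 42 = 'TLS1_ALERT_BAD_CERTIFICATE'; 43 = 'TLS1_ALERT_UNSUPPORTED_CERT'
    44 = 'TLS1_ALERT_CERTIFICATE_REVOKED'; 45 = 'TLS1_ALERT_CERTIFICATE_EXPIRED'; 46 = 'TLS1_ALERT_CERTIFICATE_UNKNOWN'
    47 = 'TLS1_ALERT_ILLEGAL_PARAMETER'; 48 = 'TLS1_ALERT_UNKNOWN_CA'; 49 = 'TLS1_ALERT_ACCESS_DENIED'
    50 = 'TLS1_ALERT_DECODE_ERROR'; 51 = 'TLS1_ALERT_DECRYPT_ERROR'; 60 = 'TLS1_ALERT_EXPORT_RESTRICTION'
    70 = 'TLS1_ALERT_PROTOCOL_VERSION'; 71 = 'TLS1_ALERT_INSUFFIENT_SECURITY'; 80 = 'TLS1_ALERT_INTERNAL_ERROR'
    90 = 'TLS1_ALERT_USER_CANCELED'; 100 = 'TLS1_ALERT_NO_RENEGOTIATION'; 110 = 'TLS1_ALERT_UNSUPPORTED_EXT'
}

# Hypothetical helper: pull the trailing alert code out of an event description.
function ConvertFrom-SchannelAlertMessage {
    param([string]$Message)
    # Assumption: the description ends with the numeric code, as in the
    # messages quoted on this page ("... fatal alert was received: 47.").
    if ($Message -match '(\d+)\.?\s*$') {
        $code = [int]$Matches[1]
        $name = $TlsAlertNames[$code]
        if (-not $name) { $name = 'code not in the list above' }
        [pscustomobject]@{ Code = $code; Alert = $name }
    }
}

# Hypothetical helper: summarize recent 36887 events on one machine.
function Get-SchannelAlertSummary {
    param([string]$ComputerName = 'localhost', [int]$MaxEvents = 1000)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887 }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $a = ConvertFrom-SchannelAlertMessage -Message $_.Message
            if ($a) { [pscustomobject]@{ Code = $a.Code; Alert = $a.Alert; TimeCreated = $_.TimeCreated } }
        } |
        Group-Object Code |
        Sort-Object Count -Descending |
        ForEach-Object {
            # Get-WinEvent returns newest first, so the first item in each group is the latest.
            [pscustomobject]@{ Count = $_.Count; Code = $_.Group[0].Code; Alert = $_.Group[0].Alert; LastSeen = $_.Group[0].TimeCreated }
        }
}

# The two descriptions quoted on this page, run through the parser offline.
'The following fatal alert was received: 10.', 'The following fatal alert was received: 47.' |
    ForEach-Object { ConvertFrom-SchannelAlertMessage -Message $_ }
```

Run `Get-SchannelAlertSummary` in an elevated session on the server that logs the event; a sudden rise in a single code is easier to spot in the grouped output than in the raw log.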
