Error: "SCHANNEL 1203, EventID 36888" Errors Flooding System Event Logs

Version 5

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.xLANDESK Endpoint Manager 2017.x

    Issue

    SCHANNEL 1203 errors are filling the system event logs. AMT/vPro is not configured and there are no cert issues on your IEM core server.

     

    The following fatal alert was generated: 10. The internal error state is 1203.

     

    Some of The Details are:

    - System

      - Provider

       [ Name]  Schannel
        [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
     
        EventID 36888

     

    There are additional details that are not relevant to this article.

     

    Cause

     

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging value is set to "1" or 0x0001 which is "Log Error Messages".

     

    The problem with this is that any non-SSL request coming into the IIS HTTPS site will cause SCHANNEL to log an error. You can replicate this by attempting to telnet port 443 on the core server and then typing some characters.

     

    Resolution

     

    Change the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging value to "0"  (Zero) or 0x000 which is "Do Not Log"

     

    Logging Registry Values

    ValueDescription
    0x0000 Do not log
    0x0001 Log error messages
    0x0002 Log warnings
    0x0004 Log informational and success events

     

    This value is good for troubleshooting when there are issues with certs and 403 failures in your IIS logs, but having it on continuously creates unnecessary noise in the System Event Logs.

     

    How to enable SCHANNEL event logging:

    https://support.microsoft.com/en-us/help/260729/how-to-enable-schannel-event-logging-in-iis

     

    Windows System Event Log flooded with SCHANNEL 1203 events:

    Windows Server Logs Flooded with SChannel events | Tritone Consultants