Periodically, we notice Windows Server event logs get flooded with critical Schannel events. Depending on the environment, these can be transient errors. On one occasion, one of our customer servers received thousands of Schannel events every hour while its virtual machine clone received none.
Make sure to evaluate your environment and verify that you support the appropriate protocols, cipher suites and algorithms. Schannel errors may indicate server/client certificate negotiation (TLS handshake) problems. Qualys provides a great tool to evaluate negotiation at secure endpoints: https://www.ssllabs.com/ssltest/analyze.html
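Before deciding the events are transient, it helps to see how many arrive per hour and which event IDs and alert codes they carry. The following PowerShell is an added example, not code from the original post; it assumes it is run elevated on the affected server and that a 24-hour window is long enough to tell a one-off burst from a steady failure rate.

```powershell
# Added example (not from the original post): tally Schannel events in the System log
# to judge whether they are transient noise or a persistent negotiation problem.
# Assumptions: run elevated on the affected server; 24 hours is a sufficient window.

$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Schannel events since $since"
    return
}

# Events per hour: a steady rate points at a client or configuration that keeps
# failing, while a single burst is more likely transient.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Breakdown by event ID and first message line; for event 36888 that line
# names the TLS fatal alert that was generated (e.g. alert 10).
$events |
    Group-Object Id, { ($_.Message -split '\r?\n')[0] } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'IdAndMessage'; e = { $_.Name } } |
    Format-Table -AutoSize -Wrap
```

Run it on the noisy server and on a quiet clone, as in the case described above: if the same event ID and alert code dominate on one host only, the difference is in that host's configuration or its clients, not in Schannel itself.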
If you determine the events are transient, you can disable Schannel event logging with a registry change:
- Start Registry Editor (run regedit).
- Locate the following key:
- Click Add Value, then add the following registry value:
  - Value Name: EventLogging
  - Data Type: REG_DWORD
  - Value: 0x0000 designates not to log Schannel messages. See the "Logging Registry Values" table below for possible values.
- Exit Registry Editor.
- Restart the server to apply the registry change.
Logging Registry Values

| Value | Meaning |
|---|---|
| 0x0000 | Do not log |
| 0x0001 | Log error messages |
| 0x0004 | Log informational and success events |
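The same change can be made from PowerShell, which also lets you read the current setting and preview the write before committing it. This is an added example, not the post's own procedure; it assumes the standard Schannel key path on Windows Server (the procedure above does not spell the path out) and uses the values from the table above.

```powershell
# Added example (not from the original post): read and set the Schannel EventLogging value.
# Assumption: the key path below is the standard Schannel key on Windows Server.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'EventLogging'

# Values from the post's table. They are bit flags, so 0x0001 + 0x0004 = 0x0005
# logs errors plus informational/success events.
$levels = @{
    DoNotLog          = 0x0000
    LogErrors         = 0x0001
    LogInfoAndSuccess = 0x0004
}

function Get-SchannelLogging {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Schannel's built-in default applies
    return [int]$item.$name
}

function Set-SchannelLogging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][int]$Value)

    if (-not (Test-Path $key)) { throw "Schannel key not found: $key" }
    $action = ("Set to 0x{0:X4}" -f $Value)
    if ($PSCmdlet.ShouldProcess("$key\$name", $action)) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

$current = Get-SchannelLogging
if ($null -eq $current) { "EventLogging not set (Schannel default applies)" }
else { "EventLogging currently 0x{0:X4}" -f $current }

# Preview the change with -WhatIf; drop it to apply, then reboot as the procedure says.
Set-SchannelLogging -Value $levels.DoNotLog -WhatIf
```

Setting 0x0000 silences every Schannel event, including genuine certificate and handshake failures, which is why the post asks you to confirm the events are transient first; keeping 0x0001 preserves error events while still dropping the informational noise.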
The transient errors we received on Windows Server 2012 with IIS 8 showed as Schannel event ID 36888, fatal alert 10.