Questions[schannel](server)

this might be a complete newbee question. I have an 2012 R2 Server on which an application should call a partner who only offers the following ciphers: (0xc02f) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 (eq. 3072 bits RSA) FS 128 (0xc030) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 (eq. 3072 bits RSA) FS

If i check schnannel reg key my system offers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Can i just add the cipher in the regkey and restart or do i have to make an update of some kind?

Best Regards Moritz

Recently, my IIS 7.5 SSL site started refusing connections after a reboot. Oddly, the issue can be workaround by binding the site with a different cert and the switching back to the correct one.

When failing, wireshark shows the client send various SSL hello packets (TLS 1.0, 1.1, 1.2) and the server responds with a TCP RST. When working the client hello is virtually identical (same ciphers/compression/SNI.) Same behavior is displayed for IE and Chrome (contents are slightly different but instant RST is common) This indicates it is very likely something server side.

My only hint is random SChannel event ID 36870 "A fatal error occurred when attempting to access the SSL server credential private key. The error code reutrned from the cryptographic module is 0x8009030d. The internal error state is 1001." Checking my libraries 0x8009030d is "SEC_E_UNKNOWN_CREDENTIALS" and 1001 is likely MSG_FILE_NOT_FOUND.

Based on this I checked permissions on the Crypto/RSA folder per kb278381 and found them as expected. I forced inheritence on the underlying folders, but no change in behavior resulted.

Any clues on where to look next would be appreciated!

The customer wants to use a COMODO signed TLS certificate for LDAPS on a Windows Server 2012 R2 domain contoller.

The certificate was already purchased but the CSR wasn't created on the domain controller (as per https://support.microsoft.com/en-us/kb/321051).

The certificate fullfills the requirements to be used for ADDS:

• The common name is the DC's FQDN
• The certificate can be used for client and server authentication
• The certificate has several SAN entries for alternative DNS names of the domain controller

I've now imported the certificate, the private key and all intermediate certificates into both, the local computer certificate store and the NTDS\Personal certificate store.

However, after importing the certificate using the Certificate MMC Snap-in, the certificate isn't used for LDAPS in ADDS:

Schannel, 36869: The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

I can see that the domain controller tries to use this certificate because the message changes if the certificate is removed:

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

Is there any way to add this certificate so that schannel can use it (i have the private key, the csr, the certificate and all intermediate certificates)?

somewhere in our network an ldap client is querying our AD servers without the proper CA information. This provokes the (in my view useless) system critical (source: schannel) event id 36887 on the domain controllers' event log:

The following fatal alert was received: 46.

How can I locate the misconfigured client?

I'm currently experiencing an issue on a Windows Server 2012 R2.

In the event log is an Error for the Source "Schannel". The error description is:

"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205."

I've looked over the articles found through a Google search, indicating it is a problem with SHA512 support. What confuses me is that this error happens randomly and causes a .NET web-site running on the server to fail by not being able to connect to an external web service using SSL TLS 1.2.

The site and communication to the external web service runs fine for weeks, then suddenly this error appears, and the web site cant connect to the web service. The error log from .NET if it helps is "System.Security.Cryptography.CryptographicException: Object contains only the public half of a key pair. A private key must also be provided.".

Without doing anything at all, the problem goes away after 5-10 mins.

Does anyone have any advice on how to debug this issue?