Win 7 PCs Disconnected From Exchange - Schannel is at issue !
-
![]()
Win 7 PCs Disconnected From Exchange - Schannel is at issue !
Hi,
In our office, we have 8 PCs running Windows 7 and Outlook 2007. There is also a server running Small Business Server 2003 and Exchange Server 2003.
Previously, we had old PCs running Windows XP and Outlook 2007, and did not have any problems connecting, but at the moment, Outlook running on three of the PCs displays its status as "Disconnected from Microsoft Exchange" randomly at least once a day. Restarting the PC sometimes fixes the problem, but not always.
There were a number of issues I addressed on the server by using Microsoft Exchange Best Practises Analysis Tool, but the problem with these PCs still exists.
I have searched through the application and system event logs, and the only corralation I have found is that around the times of the disconnections, the following error is displayed -
SChannel
The following fatal alert was generated: 10. The internal error state is 10.
- System
- Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36888
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2010-12-16T13:31:38.098155500Z
EventRecordID 4097
Correlation
- Execution
[ ProcessID] 532
[ ThreadID] 572
Channel System
Computer (****PC Name****)
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 10
ErrorState 10
Can someone help me trace and resolve the issue ?
Any help would be appreciated.
Thanks
GW
-
-
![]()
The change is due to the new schannel in Win7 - it has nothing to do with Exchange or Outlook, but in fact the error is happening at the SSL tunnel level via the certificate being used for secure communication between Outlook and Exchange. This all happens below the client (schannel handles all cert-related duty in the OS if an app uses the schannel APIs, which apps like Outlook or IE do), and any errors with the use of the cert will cause schannel errors. Usually I see a different internal error state (1203 rather than 10), but something about the cert you are using on that Exchange server is causing Win7's security provider to most definitely NOT like the connection. Do you know what the SSL version of this particular certificate is (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2)?
This is probably going to require a network trace and an schannel log to get the actual root cause of this from the machine indicating the 36888 error, but the error state of 10 for both error and alert description means the server is sending back the message "UNEXPECTED_MESSAGE" when the client issues an SSL message to the server. This means *something* on the client is issuing a message to the server over the SSL tunnel other than ChangeCipherSpec, Alert, Handshake, or Application Data and is calling the APIs InitializeSecurityContext or AcceptSecurityContext.
Does it happen when using a Win7 vanilla machine installed with Outlook? Also, does it happen on machines joined to the domain only?
-
Hi Cluberti,
Thanks for your quick reply.
As far as I am aware, no security certificates were installed when the Windows 7 PCs were added to the domain. I am unsure how to determine which certificate is being used - can you have give me any pointers ?
I cannot determine if the issue happens with a PC not connected to the domain, as I do not have any PCs in that situation, however I can confirm it does with PCs that are added to the domain.
With regard to the network trace, do you mean trace routes and pings between one of the affected PCs and the server ? If not, what do I need to do ?
Also, Schannel logging has been enabled in the windows registery on one of the affected PCs, but I am unsure where the logs are - will they be in the event viewer ? Does the Schannel logging need to be enable on the SBS server also ?
My apologies for all the questions, but this sort of issue is getting a little above my head.
Regards
GW
-
-
Quick workaround for event id 36888 using outlook
I read with interest the reply from cluberti which did make sense.
One quick work around you can try as we have the exact same issue on just one Win 7 Pro pc running outlook 2010 as we have countless pcs same model etc all of which are fine except this odd one.
cluberti's response got me thinking.
Change the authentication options as a test and it seems to work, even though its too early in our case to say for definate.
Go into Account settings>
Go into the More settings of outlook>
Onto the Security tab>
Take the tick out of Encrypt data between outlook and the exchange server etc etc etc.
That worked for us, if not for you play with the prompt for password and the authentication methods
Quote