Condividi tramite


Schannel Events

 

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows 8

This topic for IT professionals lists the event details for the Secure Channel (Schannel) security support provider, and it describes the actions available to you to resolve problems.

To configure event logging for this provider, see How to enable Schannel event logging.

The Schannel Provider logs the following events to the Windows Logs\System log.

How to enable Schannel event logging

You can use this registry setting to enable the logging of client certificate validation failures, which are events generated by the Schannel security support provider. Logging of client certificate validation failures is a secure channel event, and is not enabled on the server by default

Note

The logging of rejected or discarded authentication events is enabled by default.

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

You can enable additional secure channel event logging by changing the registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003).

Event ID 36864: The Schannel Security Package has Loaded Successfully

This event is logged first whenever the Schannel.dll is successfully loaded into memory on the client computer or server. If it is unsuccessful, Event ID 36866: The Schannel Security Package Has Failed to Load will be logged.

Details

Product Windows operating system
ID 36864
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message The Schannel security package has loaded successfully.
User action No user action is required.

Event ID 36865: A Fatal Error Occurred While Opening the Subsystem Cryptographic Module

The cryptographic subsystem is composed of a software library that contains one or more independent cryptographic service providers (CSP). These providers implement cryptographic algorithms and standards. To load successfully, they must be digitally signed and the signature must be verified.

If a CSP cannot be accessed or fails to load during the authentication process, for whatever reason, the process will stop.

Details

Product Windows operating system
ID 36865
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

A fatal error occurred while opening the system cryptographic subsystem cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is error code.
User action

Event ID 36866: The Schannel Security Package Has Failed to Load

This event is logged when the Schannel.dll fails to load into memory on the client computer or server. If successful, Event ID 36864: The Schannel Security Package has Loaded Successfully will be logged.

Because a dependency exists between the Schannel.dll and other files, you might need to extract new copies of the following files (if other error messages indicate issues with dependent files):

  • Msasn1.dll

  • Msvcrt.dll

  • Advapi32.dll

  • Wsock32.dll

  • Crypt32.dll

  • Rpcrt4.dll

  • Version.dll

  • Kernel32.dll

  • User32.dll

  • Gdi32.dll

Details

Product Windows operating system
ID 36866
Source Windows operating system
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The Schannel security package has failed to load. Operations that require the SSL or TLS cryptographic protocols will not work correctly.
User action After investigating the event log and identifying a damaged or missing .dll file from the list above, replace it.

Investigate whether enough memory is available to load Schannel.dll and all the dependent files.

Event ID 36867: Creating an SSL (client or server) Credential

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted non-Microsoft company that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key, thereby creating the SSL credential for the client computer or server. This event is logged as informational only to record the progress of the TLS or SSL process.

For more information, see Schannel SSP Technical Overview.

Details

Product Windows operating system
ID 36867
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Informational

Creating an SSL [client| server] credential.
User action No user action is required.

Event ID 36868: The SSL (client or server) Credential's Private Key Has the Following Properties

The client computer sends a client key exchange message after computing the premaster secret that uses the two random values that are generated during the client hello message and the server hello message. Before it is transmitted to the server, the premaster secret is encrypted by the public key from the server’s certificate. Both computers compute the master secret locally and derive the session key from it.

If the server can decrypt this data and complete the protocol, the client computer is assured that the server has the correct private key. This step is crucial to prove the authenticity of the server. Only the server with the private key that matches the public key in the certificate can decrypt this data and continue the protocol negotiation.

The client key exchange message includes the client computer’s protocol version and the premaster secret.

Details

Product Windows operating system
ID 36868
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Informational

The SSL client and server credential’s private key has the following properties:

- CSP name
- CSP type
- Key name
- Key type
- Key flags

The attached data contains the certificate.
User action This event is informational; no user action is required.

Event ID 36869: The SSL (client or server) Credential’s Certificate Does Not Have a Private Key Information Property Attached to it

The handshake protocols of TLS/SSL are responsible for establishing or resuming secure sessions. One of the goals of the handshake process is to authenticate the server to the client computer, and optionally, authenticate the client to the server through certificates and public or private keys.

In private (symmetric) key encryption, the same key is used to encrypt and decrypt the message. If two parties want to exchange encrypted messages securely, they must both possess a copy of the same symmetric key.

Frequently, this issue occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

Details

Product Windows operating system
ID 36869
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The SSL client credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
User action This event is informational; no user action is required.

Event ID 36870: A Fatal Error Occurred When Attempting to Access the SSL (client or server) Credential Private Key

This event can indicate that there is a problem with the server certificate on the system that is logging the event. The error is typically logged when a service (for example, LSASS on a Domain Controller) has attempted to load and verify the private and public key pair of the server certificate and that either of these operations has failed which makes the service unable to use that certificate for SSL encryption.

The handshake protocols of TLS/SSL are responsible for establishing or resuming secure sessions. One of the goals of the handshake process is to authenticate the server to the client computer, and optionally, authenticate the client to the server through certificates and public or private keys.

In private (symmetric) key encryption, the same key is used to encrypt and decrypt the message. If two parties want to exchange encrypted messages securely, they must both possess a copy of the same symmetric key.

Details

Product Windows operating system
ID 36870
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d.
User action The root cause for this event can be any of the following:

- Incorrect ACL’s on the MachineKeys folder on the system disk
- The server certificate failed revocation checking
- The system account was unable to download any of the CRL’s that were stamped on all the certificates in the certificate chain.
- The system cannot build a certificate chain up to a trusted root CA for the server certificate
- The server certificate was in a format that was usable by the component, for example, the Subject or the Subject Alternate Name (SAN) of the certificate instead of a SAN DNS name that matches the DNS name of the domain controller .
- The server certificate was expired.

Event ID 36871: A Fatal Error Occurred While Creating An SSL (client or server) Credential

This behavior is caused by the SMTP service processing an incoming EHLO command if no certificate is assigned to an SMTP site. This message is logged twice, once when the SMTP service starts, and once when the first EHLO command is received.

Simple Mail Transfer Protocol (SMTP) controls how email is transported and then delivered across the Internet to the destination server. The SMTP EHLO command enables the server to identify its support for Extended Simple Mail Transfer Protocol (ESMTP) commands.

Details

Product Windows operating system
ID 36871
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

A fatal error occurred while creating an SSL server credential.
User action This is an erroneous Event log entry. You can safely ignore this message. To prevent this Event log entry, you must assign a certificate to the SMTP site.

Event ID 36872: No Suitable Default Server Credential Exists on this System

This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Internet Information Services (IIS), are not affected by this. This is a warning event.

This event is logged when a server application (for example, Active Directory Domain Services) attempts to perform a Secure Sockets Layer (SSL) connection, but no server certificate is found. Server certificates are either enrolled for by hand or are automatically generated by the domain's enterprise Certification Authority (CA).

Details

Product Windows operating system
ID 36872
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Microsoft Internet Information Services (IIS), are not affected by this.
User action In domains where no enterprise CA exists, this is an expected event and you can safely ignore the message.

In domains where an enterprise CA exists, you can either enroll a server certificate manually or configure the domain's enterprise Certification Authority (CA) to automatically generate the certificate.

Event ID 36873: No Supported Cipher Suites Were Found When Initiating an SSL Connection

A cipher suite is a collection of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the network protocols encompassed in the Schannel security support provider.

This error message reports that the SSL connection request has failed.

The reason for this is that no supported cipher suites were found when initiating an SSL connection. This indicates a configuration problem with the client application or the installed cryptographic modules.

For information about what cipher suites are available, see Supported Cipher Suites and Protocols in the Schannel SSP.

Details

Product Windows operating system
ID 36873
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

No supported cipher suites were found when initiating an SSL connection. This indicates a configuration problem with the client application or the installed cryptographic modules. The SSL connection request has failed.
User action Determine if the cipher suites supported by the server are supported by the client computer (or the application which is encountering the issue).

For more information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll..

Event ID 36874: An SSL Connection Request Was Received From a Remote Client Application, But None of the Cipher Suites Supported by the Client Application Are Supported by the Server

Cypher suites are configured for the Schannel security support provider in prioritized order and certain suites are only available on specific operating system versions. For more information about this support, see Supported Cipher Suites and Protocols in the Schannel SSP.

This error message could occur when the client application, such as a web browser is using a version of the SSL protocol not supported on the server, causing the connection cannot be made.

Details

Product Windows operating system
ID 36874
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
User action The client application is requesting an SSL connection which is not supported on the server.

Investigate the values listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.and verify that they include those versions used by the server.

Event ID 36875: The Remote Server Has Requested SSL Client Authentication, But No Suitable Client Certificate Could Be Found

In response to the client hello message, the server requested SSL client authentication. Because the client did not possess a suitable certificate, the connection process will proceed by attempting an anonymous connection. In this scenario, which has security vulnerabilities, both client and server do not get authenticated and no credentials are needed to establish an SSL connection.

Note

The client certificate contains, among other information, what cipher suite it supports – and by extension, which protocol it supports. For more information about the use of certificates in SSL, see Schannel SSP Technical Overview.

Details

Product Windows operating system
ID 36875
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request might succeed or fail, depending on the server’s policy settings.
User action This warning message requires no action.

Event ID 36876: The Certificate Received From the Remote Server Has Not Validated Correctly

Certificates are issued with a planned lifetime and explicit expiration date. A certificate may be issued for one minute, thirty years or even more. Once issued, a certificate becomes valid once its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances might cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (for example, when an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key.

This issue occurs because LDAP caches the certificate on the server. Although the certificate has expired and the server receives a new certificate from a CA, the server uses the cached certificate, which is expired. You must restart the server before the server uses the new certificate.

Details

Product Windows operating system
ID 36876
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The certificate received from the remote server has not validated correctly. The error code is 0×80090328. The SSL connection request has failed. The attached data contains the server certificate.
User action You must restart the server before the server uses the new certificate.

Event ID 36877: The Certificate Received From the Remote Client Application Has Not Validated Correctly

Certificates are issued with a planned lifetime and explicit expiration date. A certificate may be issued for one minute, thirty years or even more. Once issued, a certificate becomes valid once its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances might cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (for example, when an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key.

Details

Product Windows operating system
ID 36877
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

The certificate received from the remote client application has not validated correctly. The error code is 0x80090325. the attached data contains the client certificate.
User action The error code x80090325 indicates an untrusted certificate that was on the client.

If this was a self-signed certificate then you would need to import the certificate into the trusted root certificate store. If this certificate was issued from a Certification Authority (CA) then you will need to import the root CA certificate into the trusted root certificate store.

Event ID 36878: The Certificate Received From the Remote Client Application Is Not Suitable for Direct Mapping to a Client System Account, Possibly Because the Authority that is Issuing the Certificate Is Not Sufficiently Trusted

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary. For example, if a client is presented with a server’s certificate, the client computer might try to match the server’s CA against the client’s list of trusted CAs. If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with.

When a server application requires client authentication, Schannel automatically attempts to map the certificate supplied by the client to a user account.

Details

Product Windows operating system
ID 36878
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is error code. The attached data contains the client certificate.
User action Check to see if the CA issuing the certificate is sufficiently trusted by the client application. The data attached to the message contains the client certificate.

Event ID 36879: The Certificate Received From the Remote Client Application Was Not Successfully Mapped to a Client System Account

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary. For example, if a client is presented with a server’s certificate, the client computer might try to match the server’s CA against the client’s list of trusted CAs. If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with.

When a server application requires client authentication, Schannel automatically attempts to map the certificate supplied by the client to a user account.

Details

Product Windows operating system
ID 36879
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

The certificate received from the remote client application was not successfully mapped to a client system account. The error code is error code.
User action This warning message is not necessarily a fatal error, as the server application might still find the certificate acceptable.

Event ID 36880: An SSL (client or server) Handshake Completed Successfully

An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client by using public-key techniques, and then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.

For more information, see Schannel SSP Technical Overview.

Details

Product Windows operating system
ID 36880
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Informational

An SSL [client| server] handshake completed successfully.
User action No action required for this informational message.

The negotiated cryptographic parameters are protocol, cipher, cipher strength, MAC, exchange, and exchange strength.

Event ID 36881: The Certificate Received From the Remote Server Has Expired

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary. For example, if a client is presented with a server’s certificate, the client computer might try to match the server’s CA against the client’s list of trusted CAs. If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with.

Details

Product Windows operating system
ID 36881
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The certificate received from the remote server has expired. The SSL connection request has failed. The attached data contains the server certificate.
User action

Event ID 36882: The Certificate Received From the Remote Server Was Issued By an Untrusted Certificate Authority

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary. For example, if a client is presented with a server’s certificate, the client computer might try to match the server’s CA against the client’s list of trusted CAs. If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with.

The Schannel provider creates the list of trusted certification authorities by searching the Trusted Root Certification Authorities store on the local computer. When Schannel detects a certificate that was issued by an untrusted certification authority, this error is logged.

Details

Product Windows operating system
ID 36882
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The certificate received from the remote server was issued by an untrusted certification authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
User action Remove the untrusted certificates from the Trusted Root Certification Authorities store on the local computer.

Event ID 36883: The Certificate Received From the Remote Server Has Been Revoked

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary.

All certificates in a certificate chain may be processed to verify that none of the certificates is revoked. Certificate chain validation is of course optional from an application standpoint and may not be enforced by CryptoAPI. The Windows operating system by default checks certificate revocation status via certificate revocation lists, as the CRL processing engine is the native revocation provider included with CryptoAPI. When this functionality has been invoked each certificate in the certificate chain is checked against the compared specified in the CRL published in the CRL Distribution Point (CDP) extension in the certificate. If the certificate is found to be included in the CRL, the certificate is then considered revoked.

Details

Product Windows operating system
ID 36883
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The certificate received from the remote server has been revoked. This means that the certification authority that issued the certificate has invalidated it. The SSL connection request has failed. The attached data contains the server certificate.
User action

Event ID 36884: The Certificate Received From the Remote Server Does Not Contain the Expected Name

The server certificate contains the name of the server, which must match that which is contained in one of the certificates on the client computer. If the certificate name differs between the fully qualified domain name (FQDN) and the local server name, the connection will fail.

Details

Product Windows operating system
ID 36884
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is servername. The SSL connection request has failed. The attached data contains the server certificate.
User action

Event ID 36885: When Asking for Client Authentication, This Server Sends a List of Trusted Certificate Authorities to the Client.

The server sends a list of trusted certification authorities to the client if the following conditions are true:

  • The server uses the Transport Layer Security (TLS)/SSL protocol to encrypt network traffic.

  • Client certificates are required for authentication during the authentication handshake process.

This list of trusted certification authorities represents the authorities from which the server can accept a client certificate. To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server's list.

The Schannel provider creates the list of trusted certification authorities by searching the Trusted Root Certification Authorities store on the local computer. Every certificate that is trusted for client authentication purposes is added to the list, which is restricted by size limits. If the size of this list exceeds the maximum in bytes, the Schannel logs Warning event ID 36855. Then, Schannel truncates the list of trusted root certificates and sends this truncated list to the client computer. When the client computer receives the truncated list of trusted root certificates, the client computer might not have a certificate that exists in the chain of a trusted certificate issuer.

Details

Product Windows operating system
ID 36885
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Warning

When asking for client authentication, this server sends a list of trusted certification authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certification authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certification authorities trusted for client authentication and remove those that do not really need to be trusted.
User action Review the certification authorities trusted for client authentication and remove those that do not really need to be trusted.

Event ID 36886: No Suitable Default Server Credential Exists on This System

Because authentication relies on digital certificates, certification authorities (CAs) such as Verisign or Active Directory Certificate Services are an important part of TLS/SSL. A CA is a mutually-trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary.

If the server’s certificate wasn not generated by a CA, one must be individually generated or installed on the server in order for the client computer to connect successfully.

Details

Product Windows operating system
ID 36886
Source Schannel
Version 6.0

6.1

6.2
Symbolic Name
Message Type: Error

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Internet Information Services (IIS), are not affected by this.
User action This event occurs when a server attempt to make an SSL connection but no server certificate is found. In a domain where no enterprise CA exists, this event is normal and can be safely ignored.or you can install a CA in the domain.

Event ID 36887: A Fatal Alert Was Received

The TLS alert sub-protocol uses messages to indicate a change in status or an error condition to the peer. There are a wide variety of alerts to notify the peer of both normal and error conditions. Alerts are commonly sent when the connection is closed, a message which is not valid is received, a message cannot be decrypted, or the user cancels the operation. The IETF specification, RFC 4346, contains descriptions of the closure alerts and error alerts.

This alert message indicates this computer received a TLS or SSL fatal alert message from the server it was communicating or negotiating with. The error indicates a state in the communication process, not necessarily a problem with the application. However, the cause could be how the application, such as a web browser, handled the communication.

The desktop app, using SCHANNEL_ALERT_TOKEN, generates a SSL or TLS alert to be sent to the target of a call to either the InitializeSecurityContext (Schannel) function or the AcceptSecurityContext (Schannel) function. The two alert types are warning and fatal. With a fatal error, the connection is closed immediately.

Event Details

Product Windows Operating
ID 36887
Source Schannel
Version 6.1

6.2
Symbolic Name SSLEVENT_RECEIVE_FATAL_ALERT

Event ID 36888: A Fatal Alert Was Generated

This event indicates that this computer (the computer that logs this event) has detected an error condition and generated a fatal alert to notify the other party about it.

The desktop app, using SCHANNEL_ALERT_TOKEN, generates a SSL or TLS alert to be sent to the target of a call to either the InitializeSecurityContext (Schannel) function or the AcceptSecurityContext (Schannel) function. The two alert types are warning and fatal. With a fatal error, the connection is closed immediately.

The TLS alert sub-protocol uses messages to indicate a change in status or an error condition to the peer. There are a wide variety of alerts to notify the peer of both normal and error conditions. Alerts are commonly sent when the connection is closed, an invalid message is received, a message cannot be decrypted, or the user cancels the operation. The IETF specification, RFC 4346, contains descriptions of the closure alerts and error alerts.

For more information about how Schannel works, see Schannel SSP Technical Overview.

Event Details

Product Windows Operating
ID 36888
Source Schannel
Version 6.1

6.2
Symbolic Name SSLEVENT_GENERATE_FATAL_ALERT

See also

Schannel SSP Technical Overview