Event ID 36870 Source Schannel
| Event ID | 36870 |
| Source | Schannel |
| Type | Error |
| Description | A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xffffffff. |
| Concepts to understand | Why are some errors fatal? |
| Comments |
Adrian Grigorof
This event can be about a server certificate or a client certificate, and different error codes can be reported. One should pay attention to these details as they require a different troubleshooting approach.

A Microsoft engineer provided the following suggestions: If the certificate is not considered valid by the schannel provider, the schannel provider will reject the cert if one of the following validation problems exists:
1. The root to which the LDAPS / DC Cert is not trusted
2. The DC is not able to validate that the CA is trusted (cannot build a trust chain)
3. The certificate is expired
4. The certificate is revoked
Please determine if the certificate is failing validation checking by using certutil from Windows Server 2003 and correct the issues that certutil reports (expired CRL, server isn't reachable on the network, CRL isn't published to the location as expected, etc.). For more information, see M825061 (Certificate Services Does Not Start After You Upgrade to Windows 2000). Also, you may use the "dsstore -dcmon" command and look at a verbose display. Then, correct the trust chain on the certificate that you are using for schannel. For more information about the Directory Services Store Tool, please refer to M313197 (HOW TO: Use the Directory Services Store Tool to Add a Non-Windows 2000).

* * *

Error code: 0x80090016 - This error seems to indicate a permissions problem. Most of the newsgroup posts below were from Microsoft support engineers.

From a newsgroup post: "I would suggest you export the cert out (with private key) then reimport again, or import to other machine, and export from there and import back to this machine. See M232137 on import and export certificates and M232136 on how to backup a server certificate in IIS 5.0."

From another post: "Try going to the properties of the Documents and settings\All Users folder, then go to the security tab, select advanced and then select the reset permissions on all child objects and then select OK. Then try the websites out again."

From a newsgroup post: "There are 4 main IIS troubleshooting steps to take when you cannot make a successful SSL connection:
1) Is the SSL ISAPI filter installed? It should be at the master level, and is called "sspifilt".
2) In the IIS MMC, on the Web Site tab of the site's Properties page, is the SSL Port enabled or is it grayed out? What port are you using for SSL?
3) Host Headers and SSL should not be attempted to work in conjunction. If possible, completely disable your Host Headers when troubleshooting SSL.
4) Try generating a new certificate. It could be the case that your Certificate is bad."

From a newsgroup post: "According to my experience, you can try to give Administrators group full control on folder and its contents: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys."

According to Thawte Solution document SO377, this occurs after you have reinstalled your server or you had a server crash. The recommended resolution is to import your private key backup file (.pfx file) using the instructions in Thawte Solution SO5288.

Please check the private key in the Microsoft/Crypto/MachineKeys/RSA directory. If it has no permissions on it at all, change it to have all permissions, and then it should work. See also the link to Error code 0x80090016.

- Error code: 0x8010002e - Cannot find a smart card reader
- Error code: 0x80090304 - The Local Security Authority cannot be contacted

* * *

Some other issues may share similar causes - bad certificates. See the link to the "Unable to Start Microsoft Firewall Service in ISA Server 2006" article. A user consulted this before determining that in his case, the error was recorded because the SQL Server hadn't been configured to use an SSL certificate.

K. Olson
Error code: 0x80090016 - I received this message when I created a request for a Verisign SSL key renewal in one directory but placed the response file (.cer) in another location and proceeded to install the pending renewal request using the IIS wizard. Even though the properties page of the certificate said it was installed, when a user went to the web site, a "Page cannot be displayed" message would appear and each time we restarted IIS this event would be generated. To correct this problem, I had to create another renewal request using the IIS wizard and then obtained a new response file from Verisign using their website.

Mihai Andrei
Error code: 0x6 - From a newsgroup post: "This event, along with Event ID 36872 from source DCOM, started to occur a day after I installed a new HP LaserJet on a workstation. On the Windows 2000 workstation where I installed the HP Laserjet, I noticed that the event log was reporting Event ID 10009 from source DCOM every 20 seconds (DCOM was unable to communicate with the computer Server11 using any of the configured protocols). I looked around the HP Website and I found a fix. At a command window, from the \windows\system32 directory, run the following command: "hpbpro.exe -RegServer". If the problem persists, run "hpbpro.exe -Service". This fixed the error at the workstation and also events 36870 and 36872 from the server."

Ionut Marin
See M331333 for more details.

Ice
I have seen the 0xffffffff instance of this event when I have stopped the Protected Storage Service and then tried to use the SSL API. Specifically, "AcquireCredentialsHandle" ends with "SEC_E_UNKNOWN_CREDENTIALS" (0x8009030D). The problem is resolved by starting the Protected Storage Service.

Anonymous
If you're getting this event and you're using BackupExecAgentAccelerator, you need to go into HKEY_Local_Machine -> CurrentControlSet -> Services -> BackupExecAgentAccelerator -> Security and change the Security Key to match what you have on your backup server. |
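The comments above come down to two checks on the server certificate: does its chain validate (trusted root, not expired, not revoked) and can the machine actually read the private key file under MachineKeys. The PowerShell below is an added example, not from the EventID.Net page or any of its commenters; it assumes an elevated session on Vista or later (so the key store lives under ProgramData rather than the Documents and Settings path quoted above) and a placeholder thumbprint you replace with your own.

```powershell
# Added example (not from the EventID.Net page or any of its commenters).
# Inspects what the comments above point at for one LocalMachine certificate:
# the chain (untrusted root, expired, revoked) and the ACL on the private key
# file, then lists recent 36870 events. Paths are for Vista+ (ProgramData),
# not the Documents and Settings path quoted above. Run elevated.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: thumbprint of the SSL server cert

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 1. Chain validation including revocation, the checks Schannel applies before using the cert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if ($chain.Build($cert)) {
    Write-Host 'Chain OK: trusted root, not expired, not revoked'
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# 2. Private key file and its ACL. 0x80090016 is NTE_BAD_KEYSET: the key
#    container is missing or the caller is not allowed to open it.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# Legacy CSP keys expose the container name via CspKeyContainerInfo, CNG keys via Key.UniqueName.
$keyName = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName } else { $rsa.Key.UniqueName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }

$acl = Get-Acl $keyFile.FullName
Write-Host "Key file: $($keyFile.FullName)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
# Schannel opens the key as SYSTEM; a reset ACL that dropped SYSTEM's read access reproduces this event.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$systemRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if (-not $systemRead) { Write-Warning 'SYSTEM has no Allow ACE granting Read on the key file' }

# 3. Recent 36870 events with the error code pulled out of the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ErrorCode'; e = { [regex]::Match($_.Message, '0x[0-9a-fA-F]+').Value } }
```

A chain warning points at the certificate itself (the certutil route in the first comment); a missing key file or a SYSTEM ACE without Read points at the MachineKeys permission problem the 0x80090016 posts describe.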
| Links | M232136, M232137, M260729, M331333, Error code 0x80090016, Event ID 10009 from source DCOM, Event ID 36872 from source Schannel, Thawte Solution SO377, Thawte Solution SO5288, M825061, M313197, Unable to Start Microsoft Firewall Service in ISA Server 2006 |
