Event ID: 36888

Source
Level
Description
The following fatal alert was generated: 10. The internal error state is 10.
Comments
 
Error code 40, SChannel error state is 808 - If this is recorded on a server running Solarwinds see EV100650 (Microsoft Windows update patch (KB3161606) disabled TLS 1.0) on how to fix it.
Reported Schannel error states:
- 10
- 107
- 808
- 900
- 960
- 1203
- 1205

We are still researching the meaning of these codes - there is no Microsoft documentation on these codes.
Error code 40, SChannel error state 808: If this has started after the installation of Microsoft updates KB3163018 or KB3172985, see EV100651 (“The page can’t be displayed” in web apps after installing update for Windows 10).
EV100573 (Why Schannel EventID 36888 / 36874 Occurs and How to Fix It) blog post provides some suggestions on how to fix this issue.
From a support forum: "On my system at least (running Windows 8 Consumer preview), I stumbled into this solution while troubleshooting a different (DCOM) error message that I kept getting:
In Group Policy Editor (run: gpedit.msc), went to Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility and enabled "Allow local activation security check exemptions". After that, the errors were gone."


With Windows 8.1 Update clients connecting to Windows Server Update Services (WSUS) 3.0 Service Pack 2 running on Windows Server 2008 R2 or prior, this error occurs if the server does not have TLS 1.2 enabled. See EV100475 (Windows 8.1 Update Cannot Connect to SSL-Enabled WSUS 3 SP 2).
I encountered error code (40) on my system. Had just installed a new domain controller, and the server was issuing hundreds of these alerts. Turned out, the domain firewall policy was enabled on my domain controller, but the ports had not been authorized. Simply turning off the firewall did the trick and the errors went away.
See ME260729 on how to enable Schannel logging and T783349 for information on how TLS/SSL works.
Fatal alert was generated: 53. The internal state error is 900 - From a support forum: "In our case, this error started when we configured the HTTPS (OWA load balancing). I know that this is obviously SSL/TLS related. Then we removed the real server IPs (Exchange Server IPs where we configured in the policy). After this, the error stopped."
Alert 20. The internal error state is 960 - Ended up being that the certificate being used by the EAP type for Authentication Methods set on the Constraint tab on the Network Policy in NPS had some information missing, specifically the Subject. I requested a new certificate and changed the selection to the new one and it works fine now. See some other related thoughts at EV100349 (Certificate Services - can not connect using SSL).
Alert 10. The internal error state is 1203 - From a support forum: "This event is seen on Windows 2008 R2 running IIS. If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged. This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site.
The error 1203 indicates invalid ClientHello from the client. This is by design and you can ignore this warning."
Alert 10. The internal error state is 10. - From a support forum: "I found that the only way to get the schannel errors to go away was to disable the HTTPS inspection feature. I did this because TMG would not allow clients to connect to Live Meeting even after creating a Destination Exception in HTTPS inspection."
Alert 10. The internal error state is 10. - According to ME2423384, this may be happening due to a memory leak in the Lsass.exe process on computers running Forefront TMG 2010 SP1. See the article for a link to an update post SP1.
Some users reported that errors of this type were just the result of "normal" activity and decided to disable Schannel logging. To do this, set the log level to 0 under this registry key:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel


The following is a list of SSL/TLS error messages and their codes (matching the code recorded by this event):
TLS1_ALERT_CLOSE_NOTIFY (0)
TLS1_ALERT_UNEXPECTED_MESSAGE (10)
TLS1_ALERT_BAD_RECORD_MAC (20)
TLS1_ALERT_DECRYPTION_FAILED (21)
TLS1_ALERT_RECORD_OVERFLOW (22)
TLS1_ALERT_DECOMPRESSION_FAIL (30)
TLS1_ALERT_HANDSHAKE_FAILURE (40)
TLS1_ALERT_BAD_CERTIFICATE (42)
TLS1_ALERT_UNSUPPORTED_CERT (43)
TLS1_ALERT_CERTIFICATE_REVOKED (44)
TLS1_ALERT_CERTIFICATE_EXPIRED (45)
TLS1_ALERT_CERTIFICATE_UNKNOWN (46)
TLS1_ALERT_ILLEGAL_PARAMETER (47)
TLS1_ALERT_UNKNOWN_CA (48)
TLS1_ALERT_ACCESS_DENIED (49)
TLS1_ALERT_DECODE_ERROR (50)
TLS1_ALERT_DECRYPT_ERROR (51)
TLS1_ALERT_EXPORT_RESTRICTION (60)
TLS1_ALERT_PROTOCOL_VERSION (70)
TLS1_ALERT_INSUFFIENT_SECURITY (71)
TLS1_ALERT_INTERNAL_ERROR (80)
TLS1_ALERT_USER_CANCELED (90)
TLS1_ALERT_NO_RENEGOTIATION (100)
TLS1_ALERT_UNSUPPORTED_EXT (110)

The message may provide an additional clue as to what went wrong when this error was recorded. For example, Error code 10 (TLS1_ALERT_UNEXPECTED_MESSAGE) may indicate a lack of compatibility between the client app and the server.
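The alert list above can be applied to a batch of exported event descriptions to see which alert/state pairs dominate before chasing individual causes. This is an added example, not code from this page; the `triage` function and the sample descriptions are constructed for illustration, and alerts missing from the page's list (such as 53) are reported with no name.

```python
import re
from collections import Counter

# Alert codes and names exactly as listed on this page.
TLS_ALERTS = {
    0: "CLOSE_NOTIFY", 10: "UNEXPECTED_MESSAGE", 20: "BAD_RECORD_MAC",
    21: "DECRYPTION_FAILED", 22: "RECORD_OVERFLOW", 30: "DECOMPRESSION_FAIL",
    40: "HANDSHAKE_FAILURE", 42: "BAD_CERTIFICATE", 43: "UNSUPPORTED_CERT",
    44: "CERTIFICATE_REVOKED", 45: "CERTIFICATE_EXPIRED",
    46: "CERTIFICATE_UNKNOWN", 47: "ILLEGAL_PARAMETER", 48: "UNKNOWN_CA",
    49: "ACCESS_DENIED", 50: "DECODE_ERROR", 51: "DECRYPT_ERROR",
    60: "EXPORT_RESTRICTION", 70: "PROTOCOL_VERSION",
    71: "INSUFFIENT_SECURITY", 80: "INTERNAL_ERROR", 90: "USER_CANCELED",
    100: "NO_RENEGOTIATION", 110: "UNSUPPORTED_EXT",
}
# Internal error states this page lists as reported.
REPORTED_STATES = {10, 107, 808, 900, 960, 1203, 1205}

# Tolerates the "internal state error" wording one comment on this page uses.
PATTERN = re.compile(
    r"fatal alert was generated:\s*(\d+)\.\s*The internal "
    r"(?:error state|state error) is\s*(\d+)", re.IGNORECASE)

def triage(descriptions):
    """Group 36888 descriptions by (alert, state); return (rows, unparsed)."""
    counts, unparsed = Counter(), []
    for text in descriptions:
        m = PATTERN.search(text)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
        else:
            unparsed.append(text)  # keep for manual review, never drop silently
    rows = []
    for (alert, state), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        name = TLS_ALERTS.get(alert)
        rows.append({"count": n, "alert": alert, "state": state,
                     "name": "TLS1_ALERT_" + name if name else None,
                     "state_on_page": state in REPORTED_STATES})
    return rows, unparsed

# Constructed sample descriptions (not taken from a real log).
SAMPLE = [
    "The following fatal alert was generated: 10. The internal error state is 1203.",
    "The following fatal alert was generated: 40. The internal error state is 808.",
    "The following fatal alert was generated: 10. The internal error state is 1203.",
    "Fatal alert was generated: 53. The internal state error is 900",
    "The following fatal alert was generated: 10. The internal error state is 1203.",
    "constructed line that is not a 36888 description",
]

if __name__ == "__main__":
    rows, unparsed = triage(SAMPLE)
    print(*rows, "unparsed: %r" % unparsed, sep="\n")
```
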
From a support forum, for 40. The internal error state is 107 - "After some testing it turned out that IE8 x64 on my desktop has the problem along with IE8 x86 on my laptop. Firefox does not show any errors so I am guessing it is an IE 8 issue".
From a post on the newsgroups about "10. The internal error state is 10." - My problem went away (along with several others) when I un-did the TakeOwnership changes I had done to various directories. Taking ownership of c:\Program Files was okay, but of C:\Windows it was a bad idea. Even re-applying Administrator Ownership at the top level and propagating it downwards wasn't good enough. Lots of side effects and fixes and false starts and fixes and side effects. I think I've got it all straight now after I have become very familiar with System Restore - my event log is now clean as a whistle.
Apparently disabling TLS under IE options advanced - advanced security should make it stop.
Alert 10. The internal error state is 1203. - This seems to have started when I installed Kaspersky AV on a Windows 2008 R2 server.
