TLS Log Warning for AAD Sync - Schannel 36875

Ian Perry 6 Reputation points
2020-08-13T13:10:38.187+00:00

We manage quite a few servers, and back in March, enabled LDAPS for all of the domains that had LDAP queries related to VPNs. The same set of instructions was used for each of 8 domain controllers; however, on two of them, we began seeing these warnings in the log.

[Screenshot attached to the question: 17426-azure-error.png]

These log lines happen 384 times per day, every day. I've run packet captures and they appear to be coming from Azure AD Sync. During an SSL handshake on the problem servers, whenever the server hello is presented, it requests a certificate. On the client hello, no certificate is provided. On non-problem servers, the certificate request is missing from the server hello, and thus everything goes smoothly. I've attempted to uninstall and reinstall AAD sync, which did not resolve the issue. The server that the log error is from is running Windows Server 2016 10.0.14393 Build 14393. The other is running Windows Server 2012 R2 6.3.9600 Build 9600.

Any assistance that can be provided will be greatly appreciated.


1 answer

  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2020-08-13T21:55:51.333+00:00

    The error usually means that the server is requesting a certificate from the client, which you may need to deploy.

    https://technet.microsoft.com/en-us/library/dn786429.aspx

    From the documentation:

    Event ID 36875: The Remote Server Has Requested SSL Client Authentication, But No Suitable Client Certificate Could Be Found

    In response to the client hello message, the server requested SSL client authentication. Because the client did not possess a suitable certificate, the connection process will proceed by attempting an anonymous connection. In this scenario, which has security vulnerabilities, both client and server do not get authenticated and no credentials are needed to establish an SSL connection.

    Note: The client certificate contains, among other information, what cipher suite it supports, and by extension, which protocol it supports. For more information about the use of certificates in SSL, see Schannel SSP Technical Overview.

    Details
    Product: Windows operating system
    ID: 36875
    Source: Schannel
    Version: 6.0, 6.1, 6.2
    Symbolic Name:
    Message Type: Warning

    The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request might succeed or fail, depending on the server’s policy settings.

    User action: This warning message requires no action.

    Source: https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786445(v=ws.11)
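The handshake difference the question describes (a CertificateRequest in the server's first flight on the problem DCs, none on the others) is the mechanism the quoted documentation explains, and it can be checked mechanically from a capture. The following is an added example, not code from the question, the answer or Microsoft: a minimal TLS 1.2 handshake parser run over constructed sample flights (the Certificate message is left out to keep the sample short) that flags a server asking for a client certificate and decodes what it asks for.

```python
import struct

HANDSHAKE = 22          # TLS record content type for handshake messages
CERT_REQUEST_TYPE = 13  # handshake type the server uses to ask for a client cert

def tls_records(data):
    """Yield (content_type, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, data[off:off + length]
        off += length

def handshake_messages(data):
    """Flatten the handshake messages carried by all handshake records."""
    buf = b"".join(p for t, p in tls_records(data) if t == HANDSHAKE)
    off, msgs = 0, []
    while off + 4 <= len(buf):
        htype, length = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        msgs.append((htype, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs

def server_requests_client_cert(flight):
    """True if the server's first flight contains a CertificateRequest."""
    return any(t == CERT_REQUEST_TYPE for t, _ in handshake_messages(flight))

def certificate_request_summary(body):
    """Decode a TLS 1.2 CertificateRequest body: cert types, sig algs, CA DNs."""
    n = body[0]
    types, off = list(body[1:1 + n]), 1 + n
    sa_len = int.from_bytes(body[off:off + 2], "big"); off += 2
    sigalgs = [body[i:i + 2].hex() for i in range(off, off + sa_len, 2)]; off += sa_len
    ca_len = int.from_bytes(body[off:off + 2], "big"); off += 2
    cas, end = [], off + ca_len
    while off + 2 <= end:
        dn_len = int.from_bytes(body[off:off + 2], "big"); off += 2
        cas.append(body[off:off + dn_len]); off += dn_len
    return {"cert_types": types, "sig_algs": sigalgs, "ca_count": len(cas)}

# Constructed sample flights (not a real capture); the Certificate message is omitted.
def hs(htype, body): return bytes([htype]) + len(body).to_bytes(3, "big") + body
def record(payload): return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload
SERVER_HELLO = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x30" + b"\x00"
CERT_REQUEST = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00"  # rsa_sign; rsa+sha256; no CAs
PROBLEM_FLIGHT = record(hs(2, SERVER_HELLO) + hs(13, CERT_REQUEST) + hs(14, b""))
NORMAL_FLIGHT = record(hs(2, SERVER_HELLO)) + record(hs(14, b""))
```

On a real capture, feed the raw bytes of the server-to-client TLS stream (up to ServerHelloDone) to `server_requests_client_cert`; a non-empty `ca_count` in the summary tells you which issuing CAs the DC would accept, which is what a deployed client certificate would have to chain to.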
