Re: Event ID: 36870 - Schannel / cryptographic module

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hi Steven,

Thank you for replying.

The certificate is valid, it doesn't expire until 2008, and is hasn't be
revoked.

I'm trying to use the certutil to check the certificate/crl setting, but I'm
having a bit of a problem, when I run "certutil -getcrl -config
server\domain ca" i get an error saying invalid parameter, I assume this is
because of the name of our CA (Domain CA, with a space) so I have put quotes
around it, -config 'server\domain ca' but when I run this, I get an error
'The RPC server is unavailable' I don't know if this is an error with the
command I'm putting in, if it can't find the ca, or if there actually a
problem with RPC, which could be causing the schannel error. Is it OK to use
quotes around the ca parameter?

The CA is our main domain controller dcsvr1, this error is appearing on our
2nd DC, exchsvr1, domain traffic is moving between the 2 happily, no DNS,
directory service or NTFRS error appear in the event logs.

Could this RPC error be the cause?

Ben

"Steven Wang [MSFT]" <v-stwang@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:RfVmI39fGHA.1740@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Ben,

Thank you for posting here.

If the certificate is not considered valid by the schannel provider, the
schannel provider will reject the cert if one of the following validation
problems exists:

1. The root to which the LDAPS / DC Cert is not trusted
2. The DC is not able to validate that the CA is trusted (cannot build a
trust chain)
3. The certificate is expired
4. The certificate is revoked

Please determine if the certificate is failing validation checking by
using
certutil from Windows Server 2003 and correct the issues that certutil
reports (expired CRL, server isn't reachable on the network, CRL isn't
published to the location as expected, etc.)

For more information, please refer to the following article.

825061 Certificate Services Does Not Start After You Upgrade to Windows
2000
http://support.microsoft.com/?id=825061

Also, you may use the "dsstore -dcmon" command and look at a verbose
display. Then, correct the trust chain on the certificate that you are
using for schannel.

For more information about the Directory Services Store Tool, please refer
to the following article.

313197 HOW TO: Use the Directory Services Store Tool to Add a Non-Windows
2000
http://support.microsoft.com/?id=313197

Hope this helps. If anything is unclear or you have any concerns, please
feel free to post back. I am glad to be of assistance.

Best regards,

Steven Wang
Microsoft Online Support


--------------------
Reply-To: <benblackmore@xxxxxxxxxxxxxxxx>
From: <benblackmore@xxxxxxxxxxxxxxxx>
Subject: Event ID: 36870 - Schannel / cryptographic module
Date: Wed, 24 May 2006 12:05:33 +0100
Lines: 33
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-RFC2646: Format=Flowed; Original
Message-ID: <Ogby7HyfGHA.3860@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.general
NNTP-Posting-Host: host217-37-28-250.in-addr.btopenworld.com 217.37.28.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.general:96738
X-Tomcat-NG: microsoft.public.windows.server.general

Hi,

I'm receiving the below error on our Windows 2003 server (sp1). I've
googled
Microsoft support, but the closest KB is 331333 http://tinyurl.com/onz9c
which isn't relevant to our problem, as we are not running an NT4 domain,
and the error code quoted (0x80090016) is different. The server is a
domain
controller, running Exchange 2003, and Live Communication Server 2005.
This
error occurs when restarting the LCS service, which is using a certificate
(web server template) for MTLS communication with Communicator Web Access,
(which isn't currently working).

Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36870
Date: 24/05/2006
Time: 10:55:09
User: N/A
Computer: SVR02
Description:
A fatal error occurred when attempting to access the SSL client credential
private key. The error code returned from the cryptographic module is
0x8010002e.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Does anyone have any suggestions?

Cheers

Ben






.

Relevant Pages

  • RPC over HTTP, Microsoft solution
    ... Exchange Server 2003 RPC over HTTP Deployment Scenarios ... Place a check in the box next to 'Certificate Services' and click 'Yes' ...
    (microsoft.public.exchange.setup)
  • Re: OWA 2003 w/ Smart Card Authentication.
    ... Exchange 2003 server via ActivSync. ... the IIS certificate. ... Whether or not authentication will succeed is completely dictated by ... Server's SSL certificate must be configured on root of v-server via ...
    (microsoft.public.exchange.connectivity)
  • Re: Configuring SBS2003 for OWA and RWW
    ... And make sure certificate will not be ... On the Connection Type page, click Broadband, and then click Next. ... next to Preferred DNS server and next to ... If you are using ISA, please go to ISA management console, and navigate ...
    (microsoft.public.windows.server.sbs)
  • Re: Configuring LDAP on Entourage 2004 OS X
    ... Microsoft CSS Online Newsgroup Support ... does not work with a self signed SSL certificate OR with the SSL ... configure the System to allow OMA and "Server ActiveSync" access from the ... Configuring Exchange Server 2003 for Client Access. ...
    (microsoft.public.windows.server.sbs)
  • Re: Secure LDAP
    ... The certificate received from the remote server has not validated correctly. ... >>I know absolutely nothing about Novell LDAP, so I can't help you there. ... >>libraries) goes through the MS LDAP API and Schannel for SSL. ...
    (microsoft.public.windows.server.active_directory)