
Thread: Event ID: 36870 - Schannel / cryptographic module

  1. #1
    Guest

    Event ID: 36870 - Schannel / cryptographic module

    Hi,

    I'm receiving the below error on our Windows 2003 server (sp1). I've googled
    Microsoft support, but the closest KB is 331333 http://tinyurl.com/onz9c
    which isn't relevant to our problem, as we are not running an NT4 domain,
    and the error code quoted (0x80090016) is different. The server is a domain
    controller, running Exchange 2003, and Live Communication Server 2005. This
    error occurs when restarting the LCS service, which is using a certificate
    (web server template) for MTLS communication with Communicator Web Access,
    (which isn't currently working).

    Event Type: Error
    Event Source: Schannel
    Event Category: None
    Event ID: 36870
    Date: 24/05/2006
    Time: 10:55:09
    User: N/A
    Computer: SVR02
    Description:
    A fatal error occurred when attempting to access the SSL client credential
    private key. The error code returned from the cryptographic module is
    0x8010002e.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Does anyone have any suggestions?

    Cheers

    Ben
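Both error codes mentioned in the post above are HRESULT values, whose facility field identifies the subsystem that returned them. The following is an added example, not part of the original thread: it extracts the code from the event text and decodes it. The facility numbers and symbolic names come from winerror.h; the function names are illustrative, and the sample text is copied from the event quoted above.

```python
import re

# Facility numbers from winerror.h (subset relevant to Schannel key access).
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SSPI",
              11: "FACILITY_CERT", 16: "FACILITY_SCARD"}

# Symbolic names and system message text for the two codes quoted in the thread.
KNOWN = {
    0x8010002E: ("SCARD_E_NO_READERS_AVAILABLE", "Cannot find a smart card reader."),
    0x80090016: ("NTE_BAD_KEYSET", "Keyset does not exist."),
}

# Sample input: the event text as quoted in the post (trimmed).
SAMPLE_EVENT = """\
Event Source: Schannel
Event ID: 36870
Description:
A fatal error occurred when attempting to access the SSL client credential
private key. The error code returned from the cryptographic module is
0x8010002e.
"""

def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    name, message = KNOWN.get(value, ("unknown", ""))
    return {
        "failure": bool(value >> 31),                       # bit 31: severity
        "facility": FACILITIES.get((value >> 16) & 0x7FF, "unknown"),  # bits 16-26
        "code": value & 0xFFFF,                             # bits 0-15
        "name": name,
        "message": message,
    }

def triage_event(text):
    """Pull the Event ID and module error code out of event text and decode it."""
    event_id = re.search(r"Event ID:\s*(\d+)", text)
    code = re.search(r"cryptographic module is\s+(0x[0-9a-fA-F]{8})", text)
    if not event_id or not code:
        raise ValueError("not a Schannel private-key event")
    result = decode_hresult(int(code.group(1), 16))
    result["event_id"] = int(event_id.group(1))
    return result

if __name__ == "__main__":
    print(triage_event(SAMPLE_EVENT))   # code from this thread
    print(decode_hresult(0x80090016))   # code from KB 331333
```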



  2. #2
    Steven Wang [MSFT] Guest

    RE: Event ID: 36870 - Schannel / cryptographic module

    Hi Ben,

    Thank you for posting here.

    If the certificate is not considered valid by the schannel provider, the
    schannel provider will reject the cert if one of the following validation
    problems exists:

    1. The root to which the LDAPS / DC Cert is not trusted
    2. The DC is not able to validate that the CA is trusted (cannot build a
    trust chain)
    3. The certificate is expired
    4. The certificate is revoked

    Please determine if the certificate is failing validation checking by using
    certutil from Windows Server 2003 and correct the issues that certutil
    reports (expired CRL, server isn't reachable on the network, CRL isn't
    published to the location as expected, etc.)

    For more information, please refer to the following article.

    825061 Certificate Services Does Not Start After You Upgrade to Windows 2000
    http://support.microsoft.com/?id=825061

    Also, you may use the "dsstore -dcmon" command and look at a verbose
    display. Then, correct the trust chain on the certificate that you are
    using for schannel.

    For more information about the Directory Services Store Tool, please refer
    to the following article.

    313197 HOW TO: Use the Directory Services Store Tool to Add a Non-Windows
    2000
    http://support.microsoft.com/?id=313197

    Hope this helps. If anything is unclear or you have any concerns, please
    feel free to post back. I am glad to be of assistance.

    Best regards,

    Steven Wang
    Microsoft Online Support





  3. #3
    Guest

    Re: Event ID: 36870 - Schannel / cryptographic module

    Hi Steven,

    Thank you for replying.

    The certificate is valid, it doesn't expire until 2008, and it hasn't been
    revoked.

    I'm trying to use the certutil to check the certificate/crl setting, but I'm
    having a bit of a problem, when I run "certutil -getcrl -config
    server\domain ca" I get an error saying invalid parameter, I assume this is
    because of the name of our CA (Domain CA, with a space) so I have put quotes
    around it, -config 'server\domain ca' but when I run this, I get an error
    'The RPC server is unavailable'. I don't know if this is an error with the
    command I'm putting in, if it can't find the ca, or if there is actually a
    problem with RPC, which could be causing the schannel error. Is it OK to use
    quotes around the ca parameter?

    The CA is our main domain controller dcsvr1, this error is appearing on our
    2nd DC, exchsvr1, domain traffic is moving between the 2 happily, no DNS,
    directory service or NTFRS error appear in the event logs.

    Could this RPC error be the cause?

    Ben




  4. #4
    Guest

    Re: Event ID:36870 - Schannel / cryptographic module

    Steven,

    Where is the dsstore util located? I have the Windows 2003 support tools &
    resource kit installed, but neither contain dsstore.exe, MS website says
    it's part of the 2000 resource kit security tools, but I can't find the 2000
    resource kit to download.

    Cheers

    Ben




  5. #5
    Steven Wang [MSFT] Guest

    Re: Event ID:36870 - Schannel / cryptographic module

    Hi Ben,

    Thanks for your prompt reply.

    Based on my further research, it seems that using "dsstore -dcmon" command
    should be able to resolve this issue.

    There is no public download link for the Dsstore.exe tool, you may let me
    know your email address, and then I can send this tool to you. You may
    send an email to me at v-stwang@microsoft.com.

    Best regards,

    Steven Wang



