j-gray 37 Posted December 21, 2017

I've noticed for some time multiple and frequent Schannel errors and warnings on our ERA server (Win2012 R2) that point to the ERA Agent certificate. I'd like to know what the issue is and how to resolve it. I enabled additional logging on the server (even though IIS is not installed), which allowed me to see warnings generated by the clients:

Log Name: System
Source: Schannel
Date: 12/21/2017 10:50:45 AM
Event ID: 36877
Task Category: None
Level: Warning
Keywords:
User: NETWORK SERVICE
Computer: era server name here
Description: The certificate received from the remote client application has not validated correctly. The error code is 0x80090325. The attached data contains the client certificate.

The client certificate referenced is the one issued by our ERA server. As far as I can tell, there are no communication errors or issues with the clients otherwise. The other accompanying error on the server is:

Log Name: System
Source: Schannel
Date: 12/21/2017 10:50:45 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: era server name here
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.

Any information or thoughts on why this is happening and how to resolve it would be appreciated.
ESET Staff MartinK 383 Posted December 22, 2017

The warning indicates that the operating system does not trust the peer certificate because it is missing the CA certificate. I guess this is caused by the fact that the CA certificate is not installed in the system, as it is required only to be present in ERA components - and that is why the client is connecting, even when those errors are issued. Does this happen for all AGENT connections, or only specific ones? Is this AGENT actually connecting to ERA?
j-gray 37 Posted December 22, 2017 (Author)

3 hours ago, MartinK said:
The warning indicates that the operating system does not trust the peer certificate because it is missing the CA certificate. I guess this is caused by the fact that the CA certificate is not installed in the system, as it is required only to be present in ERA components - and that is why the client is connecting, even when those errors are issued. Does this happen for all AGENT connections, or only specific ones? Is this AGENT actually connecting to ERA?

Thanks for the reply. Sorry, though; I'm not clear on what needs to be done to resolve this issue. Agents all appear to be connecting to the ERA Server. I can't tell which ones specifically are causing the above-mentioned errors in the server Event Logs. I can tell you that there are around 500 errors every 24 hours and around 6,000 warnings every 24 hours specific to Schannel. All the warnings reference the ERA client certificate. My assumption is that when an agent checks in with the ERA server it throws this error.
j-gray 37 Posted January 4, 2018 (Author)

Any thoughts on how to resolve this?
antoineL 0 Posted January 5, 2018

Did you check whether the CA (Certification Authority) certificate of ERA is properly installed as a Trusted Root Authority in the System (Computer) certificate store of the server? Alternatively, if you are concerned about least security allowance, this CA authority could be restricted to either the Network Service account or the ERA server service; but it should be allowed as a trusted root somewhere for SChannel to be able to validate the incoming certificate presented by the agents without warning.
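An added example, not from any poster in this thread or from ESET, showing how an administrator could verify the explanation above: it counts the Schannel 36877/36888 events from the last 24 hours, checks whether the ERA CA certificate is present in the computer's Trusted Root store, and rebuilds the chain for an exported agent certificate the way Schannel would. The file paths are placeholders to be replaced with the CA certificate exported from the ERA Web Console and a client certificate saved from the event's attached data.

```powershell
# Added example (not the thread's or ESET's code). Run in an elevated PowerShell on the ERA server.
param(
    [string]$CaCertPath    = 'C:\PLACEHOLDER\ERA-Agent-CA.der',      # placeholder: CA exported from ERA Web Console
    [string]$AgentCertPath = 'C:\PLACEHOLDER\agent-client-cert.der'  # placeholder: client cert from event 36877 data
)

# 1. How often is Schannel rejecting client certificates? (same IDs as in the original post)
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'
                                           Id = 36877, 36888; StartTime = $since } -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Is the ERA CA trusted by the machine store Schannel consults?
$ca      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($trusted) {
    "ERA CA '$($ca.Subject)' is present in LocalMachine\Root"
} else {
    # 0x80090325 is SEC_E_UNTRUSTED_ROOT: the chain ends in an authority the system does not trust.
    "ERA CA '$($ca.Subject)' is NOT in LocalMachine\Root - consistent with 36877 / 0x80090325"
}

# 3. Rebuild the agent certificate's chain against the machine store, as Schannel does on the handshake.
if (Test-Path $AgentCertPath) {
    $agent = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($AgentCertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust problem from revocation lookups
    $built = $chain.Build($agent)
    "Chain build for '$($agent.Subject)': $built"
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
}
```

If step 3 reports UntrustedRoot while the ERA components themselves connect fine, the events are the OS-level check failing, not the ERA trust check, which matches the explanation given above.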