jkazbill
I originally interpreted that as meaning that 36871 is logged when a remote machine attempts to connect to the server using TLS 1.0 or 1.1. Does it mean, instead, that when an application starts up on the server and it attempts to create a TLS 1.0 or 1.1 credential then 36871 is logged?
This is correct: failure to create a credential is logged on the machine where the credential is being created, client or server. Unfortunately, the doc description specific to SMTP is outdated; Event 36871 is generic to SSPI. The internal error state 10013 in the sample event indicates that the failure to create a credential is due to a mismatch of application-specified protocols and enabled system protocol versions, such as TLS 1.0 or TLS 1.1.
For remote client connections failing due to TLS version mismatch with the server, there is a different warning event generated (e.g., Event 36874). It is not very helpful for analysis, other than statistical measurement of failures, because we don’t know where the connection came from (no networking details) or if it was specific to TLS 1.0/1.1 or a mismatch of cipher suites.
If HTTP.SYS/IIS is used on the server, HTTP.SYS logs will identify the IP address of the failing remote peer. This may be a better option for your use case.
I hope this helps! And thank you for the feedback, I will take a note to clarify the event log details in our permanent MSLearn page for this content, as well as ensure the Schannel Event log descriptions are up-to-date.
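A triage query for the two events discussed in this reply, added here as an example and not part of the original thread or any Microsoft tooling. It assumes the events are in the System log under the `Schannel` provider and that the error state is carried in an EventData field named `ErrorState`; confirm the field name against the XML view of one event on your system. The seven-day window is a constructed value.

```powershell
# Added example: separate local credential-creation failures (36871)
# from remote handshake failures (36874) on the machine being checked.
$since = (Get-Date).AddDays(-7)   # constructed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871, 36874
    StartTime    = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data></EventData> into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $state = $data['ErrorState']   # assumed field name, see lead-in

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        ErrorState  = $state
        Meaning     = if ($e.Id -eq 36871 -and $state -eq '10013') {
                          'Local credential creation failed: protocol mismatch'
                      } elseif ($e.Id -eq 36871) {
                          'Local credential creation failed: other error state'
                      } else {
                          'Remote connection failed: version or cipher mismatch, no peer details'
                      }
        Message     = $e.Message
    }
}

# Counts per event type and error state, most frequent first.
$rows | Group-Object Id, ErrorState, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Most recent 36871 / 10013 events in full, to see which credential type failed.
$rows | Where-Object { $_.Id -eq 36871 -and $_.ErrorState -eq '10013' } |
    Select-Object -First 5 TimeCreated, Message |
    Format-List
```

Because 36874 carries no networking details, the remote peer's IP address still has to come from the HTTP.SYS logs when HTTP.SYS/IIS is in use.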