~ Arun Kumar | Support Escalation Engineer
If a web site is hosted on a server that only supports TLS 1.2 as its secure protocol, and you monitor that site from an Operations Manager watcher node running on an operating system that still has TLS 1.0/RC4 enabled (e.g. Windows Server 2012 RTM or Windows 8 RTM), the watcher node may fail to monitor the site. The error code you see may differ depending on how the SSL handshake plays out. For example:
The Schannel event log will also contain the following events:
Log Name: System
Source: Schannel
Date:
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: watchernode.contoso.com
Description:
The following fatal alert was received: 40
and
Log Name: System
Source: Schannel
Date:
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: watchernode.contoso.com
Description:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013
What is typically happening when you see these symptoms is that the SSL handshake between the watcher node and the website is failing: the watcher node tries to negotiate TLS 1.0 with RC4 ciphers, while the website only accepts TLS 1.2 with newer ciphers, so the two sides have no protocol/cipher combination in common.
This is related to the following Microsoft Security Advisory:
Microsoft Security Advisory 2868725
While it is possible to re-enable RC4 on the web server, a better and more secure workaround in this scenario is to disable RC4 on the watcher node and use TLS 1.2 with newer ciphers such as AES-GCM, matching what the web servers already support.
For more information see the following article on the Microsoft Security Research and Defense Blog:
Security Advisory 2868725: Recommendation to disable RC4
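The following PowerShell script is an added example, not part of the original post or of Operations Manager itself. It shows how an administrator can check a watcher node for the two Schannel events quoted above and then audit (and, on request, apply) the configuration the advisory recommends: disable the RC4 cipher suites and explicitly enable the TLS 1.2 client. The registry paths are the documented Schannel keys under HKLM; the function names and the 24-hour look-back window are assumptions of this example. It uses the .NET registry API rather than the PowerShell registry provider because cipher key names such as `RC4 128/128` contain a forward slash, which the provider would otherwise treat as a path separator.

```powershell
# Added example (not from the original post): audit and optionally remediate the
# Schannel configuration of an Operations Manager watcher node, following the
# recommendation in Security Advisory 2868725 (disable RC4, use TLS 1.2).
# Run in an elevated PowerShell session on the watcher node.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Rc4Ciphers   = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
$Tls12Client  = "$SchannelBase\Protocols\TLS 1.2\Client"

function Get-SchannelHandshakeFailure {
    # Detection: look for the two Schannel events quoted in the post.
    # Alert 40 reported by event 36887 is the TLS handshake_failure alert.
    param([int]$Hours = 24)   # look-back window (assumed default)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887, 36871
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-SchannelValue {
    # Read one registry value under HKLM via .NET so key names containing '/'
    # (e.g. 'RC4 128/128') are not split into sub-paths by the PS provider.
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { $key.GetValue($Name) } finally { $key.Close() }
}

function Test-WatcherNodeTls {
    # Report which RC4 suites are still enabled and whether the TLS 1.2 client
    # is explicitly on. A missing value means the OS default applies.
    foreach ($c in $Rc4Ciphers) {
        $v = Get-SchannelValue "$SchannelBase\Ciphers\$c" 'Enabled'
        [pscustomobject]@{ Setting = $c; Value = $v; Ok = ($v -eq 0) }
    }
    $enabled  = Get-SchannelValue $Tls12Client 'Enabled'
    $disabled = Get-SchannelValue $Tls12Client 'DisabledByDefault'
    [pscustomobject]@{
        Setting = 'TLS 1.2 Client'
        Value   = "Enabled=$enabled DisabledByDefault=$disabled"
        Ok      = ($enabled -eq 1 -and $disabled -eq 0)
    }
}

function Set-WatcherNodeTls {
    # Remediation: Enabled=0 for every RC4 suite, TLS 1.2 client switched on.
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $hklm  = [Microsoft.Win32.Registry]::LocalMachine
    $dword = [Microsoft.Win32.RegistryValueKind]::DWord
    foreach ($c in $Rc4Ciphers) {
        if ($PSCmdlet.ShouldProcess("HKLM\$SchannelBase\Ciphers\$c", 'Set Enabled=0')) {
            $k = $hklm.CreateSubKey("$SchannelBase\Ciphers\$c")
            $k.SetValue('Enabled', 0, $dword)
            $k.Close()
        }
    }
    if ($PSCmdlet.ShouldProcess("HKLM\$Tls12Client", 'Enable TLS 1.2 client')) {
        $k = $hklm.CreateSubKey($Tls12Client)
        $k.SetValue('Enabled', 1, $dword)
        $k.SetValue('DisabledByDefault', 0, $dword)
        $k.Close()
    }
    Write-Warning 'Schannel reads these settings at boot; restart the watcher node for the change to take effect.'
}

Get-SchannelHandshakeFailure | Format-Table -AutoSize
Test-WatcherNodeTls | Format-Table -AutoSize
# Set-WatcherNodeTls -WhatIf   # preview the registry changes; drop -WhatIf to apply
```

Run the two audit functions first: a list of recent 36887/36871 events together with `Ok = False` rows for the RC4 suites is the combination the post describes. Apply `Set-WatcherNodeTls` only after confirming every other site the watcher node monitors can negotiate TLS 1.2 without RC4, and reboot afterwards, since Schannel does not re-read these keys while running.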
Arun Kumar | Support Escalation Engineer | Microsoft GBS Management and Security Division