SOLVED

LDAP SSL with Third-Party Certificate schannel event Id 36887 fatal alert 46


We use the Mimecast anti-spam service and it has an AD Directory Connector using LDAP which has been functioning fine for years using standard LDAP (not secure). They are going to require secure, so I am trying to get this configured.

Firewall rules are setup to allow:

  • All Mimecast IP ranges to our Public IP and SMTP port.
  • All Mimecast IP ranges to our Public IP and LDAP ports 389 and 636
  • Port Forwarding for SMTP and LDAP ports to Exchange and DC as needed.
  • Have a third party certificate tied to the FQD of internal server XXX.AD.XXX.ORG.  NOT using internal CA or certificate.  Used certificate via Starfield Secure Certificate Authority - G2

Mimecast setup as follows for encryption:

  • Description : XXX Directory Connection
  • Type : Active Directory (LDAP)
  • Hostname / IP Address : xx.xx.xx.xx
  • Encrypt Connection : checked
  • Encryption Mode : Strict - Trust Enforced (Since using a third party certificate)
  • Connection Port : 636

Internally I can use LDP and then do an SSL connection to the DC from different servers and PCs using the FQD.

However, when I do the test from Mimecast I get the following error on the DC (Server 2008 R2):

Log Name:      System
Source:        Schannel
Date:          10/30/2020 5:14:47 PM
Event ID:      36887
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      XXXX.AD.XXXXXX.ORG
Description:
The following fatal alert was received: 46.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
  <EventID>36887</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="2020-10-30T21:14:47.482709400Z" />
  <EventRecordID>929705</EventRecordID>
  <Correlation />
  <Execution ProcessID="508" ThreadID="1180" />
  <Channel>System</Channel>
  <Computer>XXXX.AD.XXXXXX.ORG</Computer>
  <Security UserID="S-1-5-18" />
 </System>
 <EventData>
  <Data Name="AlertDesc">46</Data>
 </EventData>
</Event>

Any help would be greatly appreciated!

2 Replies
I decided to use Network Monitor to look at things... not that I would fully follow it.  Here are some images from this:

First image is a Successful test connection from External Mimecast to internal DC with no SSL, just standard LDAP:

Success-External-Mimecast-To-DC-NoSSL.png

Second image is successful test connection using LDP on internal server to DC using SSL LDAP:

Success-LDP-To-DC-SSL.png

Last image is the failed test connection from external Mimecast to internal DC using LDAP and SSL:

Failed-External-Mimecast-To-DC-SSL.png

What I ultimately see is that after the initial handshake it leads to a TLS Rec Layer-1 Encryption Alert. But I'm not sure what that really means or how to fix it.

Greg

Best Response confirmed by tbgsaunders (New Contributor)
Solution

Ok folks,

There was a setting on Mimecast called Encryption Mode allowing Relaxed OR Strict.

Their notes state:

If the "Encrypt Connection" option is checked, specify one of the following encryption modes:

Encryption Mode          Description
Strict - Trust Enforced  This mode requires a certificate issued by a Mimecast trusted public root certification authority, and a key length greater than 1024 bits, to be installed on your domain controller.
Relaxed                  This mode must be used if your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain.

Not sure why it was required as Strict should have worked, but we are up and going now.

Greg
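The alert code in the Schannel event from the first post, and the alert record Greg saw in the Network Monitor capture, can be decoded with the script below. This is an added example for readers of the thread; it is not code from the thread, from Mimecast or from Microsoft. The event XML it parses is the one quoted in the original post; the TLS record bytes are constructed for illustration. It maps the AlertDesc value to its RFC 5246 name and records that event 36887 is logged for an alert received from the remote endpoint (36888 is the one Schannel generates itself), so for alert 46 (certificate_unknown) it is the connecting side's certificate validation that rejected the DC's certificate, which is consistent with the "incomplete trust chain" case the Mimecast notes give as a reason to use Relaxed mode.

```python
"""Decode a Schannel 36887 event and a raw TLS alert record into RFC 5246 alert names.

Added diagnostic example, not part of the forum thread. SAMPLE_EVENT_XML is the
event from the original post; SAMPLE_ALERT_RECORD is a constructed byte string.
"""
import struct
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TLS_CONTENT_TYPE_ALERT = 21

# AlertDescription codes and meanings, paraphrased from RFC 5246 section 7.2.2
# (the certificate-related subset plus the most common handshake failures).
TLS_ALERTS = {
    40: ("handshake_failure", "no acceptable set of security parameters (cipher suite / version)"),
    42: ("bad_certificate", "certificate corrupt, or its signature did not verify"),
    43: ("unsupported_certificate", "certificate type not supported by the peer"),
    44: ("certificate_revoked", "certificate revoked by its signer"),
    45: ("certificate_expired", "certificate expired or not yet valid"),
    46: ("certificate_unknown", "some other, unspecified issue processing the certificate "
                                "made it unacceptable to the peer's validator"),
    47: ("illegal_parameter", "a handshake field was out of range or inconsistent"),
    48: ("unknown_ca", "chain received, but the issuing CA is not one the peer trusts"),
    70: ("protocol_version", "peer does not support the negotiated protocol version"),
    71: ("insufficient_security", "peer requires stronger parameters than offered"),
}

# Windows logs 36887 when the alert was RECEIVED from the remote endpoint and
# 36888 when Schannel generated and sent it; the direction tells you whose
# validation logic is complaining.
EVENT_DIRECTION = {36887: "received from remote peer", 36888: "generated locally"}


def parse_schannel_event(xml_text):
    """Pull the event id, computer name and AlertDesc out of a Schannel event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    event_id = int(system.find("e:EventID", EVENT_NS).text)
    computer = system.find("e:Computer", EVENT_NS).text
    alert = None
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        if data.get("Name") == "AlertDesc":
            alert = int(data.text)
    return {"event_id": event_id, "computer": computer, "alert": alert}


def parse_tls_alert_record(raw):
    """Decode one TLS record that should be an alert.

    Layout: content type (1) | version (2) | length (2) | alert level (1) | description (1).
    An alert sent after ChangeCipherSpec is encrypted, so its body is longer than 2
    bytes and only the receiving side's event log can tell you the code.
    """
    if len(raw) < 5:
        raise ValueError("truncated TLS record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", raw[:5])
    if ctype != TLS_CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % ctype)
    body = raw[5:5 + length]
    if length != 2 or len(body) != 2:
        return {"version": (vmaj, vmin), "encrypted": True, "level": None, "alert": None}
    level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
    return {"version": (vmaj, vmin), "encrypted": False, "level": level, "alert": body[1]}


def explain_alert(code):
    """Map a numeric AlertDescription to its RFC 5246 name and a short meaning."""
    name, meaning = TLS_ALERTS.get(code, ("unknown(%d)" % code, "not in the RFC 5246 table"))
    return {"code": code, "name": name, "meaning": meaning}


def diagnose_event(xml_text):
    """Combine the event fields with the alert meaning and the direction of the alert."""
    ev = parse_schannel_event(xml_text)
    if ev["event_id"] not in EVENT_DIRECTION or ev["alert"] is None:
        raise ValueError("not a Schannel 36887/36888 fatal-alert event")
    return {**ev, **explain_alert(ev["alert"]), "direction": EVENT_DIRECTION[ev["event_id"]]}


# Event XML as quoted in the original post (placeholder host name kept as posted).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
  <EventID>36887</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="2020-10-30T21:14:47.482709400Z" />
  <EventRecordID>929705</EventRecordID><Correlation />
  <Execution ProcessID="508" ThreadID="1180" />
  <Channel>System</Channel><Computer>XXXX.AD.XXXXXX.ORG</Computer>
  <Security UserID="S-1-5-18" />
 </System>
 <EventData><Data Name="AlertDesc">46</Data></EventData>
</Event>"""

# Constructed plaintext TLS 1.2 alert record: level 2 (fatal), description 46.
SAMPLE_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x2e"

if __name__ == "__main__":
    d = diagnose_event(SAMPLE_EVENT_XML)
    print("%s: alert %d (%s) %s: %s" % (d["computer"], d["code"], d["name"], d["direction"], d["meaning"]))
    r = parse_tls_alert_record(SAMPLE_ALERT_RECORD)
    print("capture: TLS %d.%d %s alert %s" % (r["version"][0], r["version"][1], r["level"], r["alert"]))
```

The script only decodes the alert, not its cause. Because 36887 means the alert arrived from Mimecast's side, the next thing to verify is what the DC actually presents on port 636 (the full chain up to the Starfield root, the key length, and the name the connector is told to trust), which is exactly what the Strict and Relaxed rows in the Mimecast notes differ on.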