Schannel: Certificate received from the remote server was issued by an untrusted certificate authority

windows-server-2008 ssl sql-server-2005 windows-event-log
54,040

Solution 1

You probably receive this error because a program (SQL Server in your case?) is trying to access a remote resource over an SSL connection but, the SSL certificate used by this remote resource is not trusted by your server.

To find which remote resource your server is trying to access, in Event Viewer, open the Details tab of the event (use the Friendly View). Here the EventData contains the SSL certificate received.

To understand the EventData, scroll down until you see the section In Bytes. Here on the right the Event Viewer decodes the data in text and you should be able to see among all these weird characters a URL, a userPrincipalName, or something like that.

Note: in my case (test lab), my server was trying to access something on my domain controller. Adding the certificate of my DC to the trusted root store solved the problem.

Solution 2

I just saw on Microsoft's site that this is a known issue all the way back to Windows 7. It must still be an issue since the article was just updated a few days ago. Their answer is to turn off Schannel logging and that "this will be fixed in a future release."

Solution 3

Unless you've got a certificate configured for the SQL Server it isn't the SQL Server that is generating the error. It's coming from something else on the system.

Share:
54,040

Related videos on Youtube

Tim Schmelter
Author by

Tim Schmelter

Updated on September 18, 2022

Comments

  • Tim Schmelter
    Tim Schmelter almost 2 years

    i'm not sure whether to ask this on dba.stackexchange.com or here.

    Periodically following error is logged in Windows Server 2008 Administrative events:

    The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

    Log Name: System
Source: Schannel

    Followed by:

    The following fatal alert was generated: 48. The internal error state is 552.

    Log Name: System
Source: Schannel

    If i change the Force Encryption property in SQL-Server Configuration from "No" to "Yes"(see image below) the error would not be logged anymore.

    Force Encryption

    But i don't really need SSL-Encryption since all connections are trusted(from intranet) and ports 1333 and 1334 are firewalled from internet.

    Would it be a performance impact if i would force encryption and generate a server certificate, is it recommended at all in my situation? I don't want to enforce encryption only to prevent from some event logs if it not even causes serious connection problems(where can i see which connection has caused it?).

    Q: Can somebody please explain why these errors are raised and wherefrom?

  • Tim Schmelter
    Tim Schmelter over 12 years
    Thanks. No, i haven't configured a certificate for SQL-Server since i not really wanted to force encryption, but when i do so(set "force encryption" to 'yes' even if i haven't created a certificate) this error would not be raised.
  • Ryan Ferretti
    Ryan Ferretti over 12 years
    If there isn't a cert then setting force encryption to yes won't do anything. Also this setting doesn't apply until you restart the database engine. Configuring encryption will increase the CPU load on the server if you did decide to turn it on.
  • Tim Schmelter
    Tim Schmelter over 12 years
    But doesn't the errror indicates that a client does not trust the server and not vice versa? I would prefer not to use encryption and this article indicates that one option to prevent this error would be to disable ForceEncryption, but exactly this setting seems to cause this issue. Edit: I have restarted the server after i've changed the setting. Where can i check if a certificate is installed? Maybe that with ForceEncryption='no' causes the error.
  • Ryan Ferretti
    Ryan Ferretti over 12 years
    Just because the machine is a server doesn't mean that it isn't a client. If there was a problem verifying the info to the Windows update server (or your WSUS server) you'd see this. If someone uses the web browser to browse a site with a bad cert you'll see the error. Use MMC and add in the certificates snapin. Having a cert installed with Force Encryption to no doesn't do anything. As you have force Encryption set to no that KB doesn't apply to you. If you have a bad cert this error will be on the client computer not the SQL Server.
  • Michael Hampton
    Michael Hampton almost 4 years
    The link is missing. Please edit your post and add the link.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Identify and disable weak cipher suites Windows server 2008 / IIS 7
Manually create Private RSA Key from Text file? To be used with SSL for IIS7
windows event log forwarding permission
How to configure AD server for client TLS authentication
How to disable SSL/TLS compression in Apache 2.2.16?
Server 2008 R2, Exchange 2010, WMI error event 10
Exchange 2010, Event 3145 MSEXCHANGEREPL error
“Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’.” to SQL Server 2005
Account lockouts not in Event Viewer
SQL Server 2014 Disable SSL/TLS