Periodically, we notice Microsoft Server event logs get flooded with SChannel critical events. Depending on the environment, these can be transient errors. On one occasion, one of our customer servers received thousands of SChannel events every hour while its virtual machine clone received none.

Make sure to evaluate your environment and verify that it supports the appropriate protocols, cipher suites and algorithms. SChannel errors may indicate server-client certificate negotiation problems. Qualys provides a great tool to evaluate negotiation at Internet-reachable secure endpoints: https://www.ssllabs.com/ssltest/analyze.html

If you determine the events are transient, you can disable SChannel event logging with a registry change:

  1. Start Registry Editor (run regedit).
  2. Locate the following key:
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. Click Add Value (Edit > New > DWORD (32-bit) Value in current versions of Registry Editor), then add the following registry value:
     Value Name: EventLogging
     Data Type: REG_DWORD
     Value: 0x0000

     0x0000 means SChannel messages are not logged. See the "Logging Registry Values" table below for the other possible values.

  4. Exit Registry Editor.
  5. Restart the server to apply the registry change.

Logging Registry Values

Value   Description
0x0000  Do not log
0x0001  Log error messages
0x0002  Log warnings
0x0004  Log informational and success events

The values are bit flags and can be combined: 0x0003 logs errors and warnings, and 0x0007 logs everything. If you only want to quiet a flood of warnings or informational events, consider keeping 0x0001 so genuine negotiation errors still reach the event log.

The transient errors we received in Windows Server 2012 and IIS 8 showed SChannel 36888 fatal alert 10.
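The registry procedure above as an added PowerShell script (not from the original post). It first counts recent Schannel provider events in the System log, grouped by event ID so a flood of 36888 stands out, then reports the current EventLogging value and writes the new one only when -Apply is given. It assumes an elevated session on the affected server; $Hours, $NewValue and -Apply are hypothetical parameters chosen by the operator.

```powershell
# Added example (not from the original post). Assumptions: run from an
# elevated PowerShell on the affected server; $Hours, $NewValue and -Apply
# are chosen by the operator. Without -Apply the script only reports.
param(
    [int]$Hours = 1,
    [ValidateRange(0, 7)][int]$NewValue = 0,   # 0 = do not log, per the table above
    [switch]$Apply
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'EventLogging'

# Decode the bit flags from the table (1 = errors, 2 = warnings, 4 = info/success).
function ConvertTo-LoggingText([int]$v) {
    if ($v -eq 0) { return 'do not log' }
    $parts = @()
    if ($v -band 1) { $parts += 'errors' }
    if ($v -band 2) { $parts += 'warnings' }
    if ($v -band 4) { $parts += 'informational/success' }
    return ($parts -join ', ')
}

# 1. Measure how noisy SChannel is before silencing it: System-log events from
#    the Schannel provider in the last $Hours hours, grouped by event ID, so the
#    fatal-alert event 36888 is visible next to any others.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $since } -ErrorAction SilentlyContinue)
"SChannel events in the last $Hours hour(s): $($events.Count)"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Record the current value so the change can be reverted later.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { "EventLogging is not set" }
else { "EventLogging is 0x{0:X4} ({1})" -f $current, (ConvertTo-LoggingText $current) }

# 3. Write the new value only when -Apply is given; it takes effect after a restart.
if ($Apply) {
    Set-ItemProperty -Path $key -Name $name -Value $NewValue -Type DWord
    "EventLogging set to 0x{0:X4} ({1}); restart the server to apply it." -f $NewValue, (ConvertTo-LoggingText $NewValue)
} else {
    "Dry run: re-run with -Apply -NewValue $NewValue to write the value."
}
```

Run it once without -Apply to see the event counts and the current setting before deciding whether the flood is transient enough to silence.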
