0 Votes
CliffHorner-2029 asked RogerEastman-9273 answered

TLS 1.2 Connection Request - Error 36874

Hi, I have a clean install of Server 2019 Standard and have worked through the various errors I was getting. However, I am left with one error I can't seem to fix.

The error is:-

Error ID 36874 - An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

Is it a simple case of enabling TLS 1.2 on my server? If yes, how do I do this?

Secondly, these errors occur when there are no client PCs turned on, e.g. in the early hours of the morning. Is this someone trying to connect remotely to the PC? A hacker?

or finally, should I just ignore this and worry about something else? haha

Any help or guidance would be much appreciated.

Regards,
Cliff

windows-server-2019

Hi,

Have you checked if the answers help?

If the Answer is helpful, please click "Accept Answer" and upvote it.

Thanks,
Eleven

0 Votes 0 ·

Hi Cliff,

You mentioned you found it.
Could you share your solution to this?

I have a server which logs a lot of 36874 entries 3 times a day.

Thanks in Advance.

Jack

0 Votes 0 ·
0 Votes
DSPatrick answered DSPatrick edited

Something here may help.
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12


--please don't forget to Accept as answer if the reply is helpful--



1 Vote
ElevenYu-MSFT answered

Hi,

If you would like to enable TLS 1.2, you could refer to DSPatrick's link or the link below.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)?redirectedfrom=MSDN#tls-12

If you would like to figure out which application called out the TLS 1.2 connection, you could install Network Monitor or Process Monitor for further analysis.

Network Monitor - https://www.microsoft.com/en-sg/download/details.aspx?id=4865
Process Monitor - https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Hope the information helps.

Thanks,
Eleven


If the Answer is helpful, please click "Accept Answer" and upvote it.


0 Votes
CliffHorner-2029 answered

I think with your help I might have fixed it! Well the error has not appeared in almost 20 hours.

As suggested I enabled TLS1.2 in the registry. It didn't work at first as I never added the 'DisabledByDefault' key. I read that Server 2008 needed it so I figured maybe Server 2019 needs it.

After adding that key I have not seen the error return.

Still no idea what was trying to connect to it. I ran the Process Monitor tool but this was after adding the additional key.

I will mark the answers above as 'Accepted' but will keep an eye on it for a few more days.

Thanks for all your help.
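
A read-only check of what the posts above describe, as an added example that was not posted by any participant in this thread: it reads the TLS 1.2 `Enabled` and `DisabledByDefault` values under the Schannel protocol key covered by the linked registry-settings documentation, lists the cipher suites the server currently offers, and counts event 36874 by hour of day. The 14-day window is an arbitrary assumption; run it from an elevated PowerShell session on the server.

```powershell
# Added example: read-only audit, changes nothing on the server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

# 1. Enabled / DisabledByDefault for the Server and Client subkeys.
#    A missing key or value means Schannel uses the operating system default.
$protocolState = foreach ($role in 'Server', 'Client') {
    $path  = Join-Path $base $role
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Role              = $role
        KeyPresent        = Test-Path $path
        Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(not set)' }
        DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(not set)' }
    }
}
$protocolState | Format-Table -AutoSize | Out-Host

# 2. Cipher suites the server will negotiate, in priority order.
#    Event 36874 reports that the client offered none of these.
Get-TlsCipherSuite |
    Select-Object Name, Exchange, Cipher, CipherLength |
    Format-Table -AutoSize | Out-Host

# 3. Event 36874 from the Schannel source, grouped by hour of day,
#    to show whether the failures follow a schedule.
$since  = (Get-Date).AddDays(-14)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'System'
              Id        = 36874
              StartTime = $since
          } -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -eq 'Schannel' }

$events |
    Group-Object { $_.TimeCreated.ToString('HH') } |
    Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize | Out-Host

# Most recent occurrences, for lining up against firewall or IIS logs.
$events | Select-Object -First 5 TimeCreated, Id, Message | Format-List | Out-Host
```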

0 Votes
DSPatrick answered

Glad to hear, you're welcome.


0 Votes
CliffHorner-2029 answered

Unfortunately the error presented itself again in the early hours of this morning.

Error 36874 Schannel An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

Any more ideas on what I can try?

Regards.

0 Votes
DSPatrick answered

What roles / applications are installed?


0 Votes
CliffHorner-2029 answered JackLamers-4334 published

Hi,

I found a small application called IISCrypto that sets all the correct parameters for TLS. I ran that yesterday but got the same error twice in the early hours of this morning.

The Roles running on the server are:-

ADDS
DHCP
DNS
File and Storage Services
IIS
Remote Access
WSUS

The only other error the server throws is Terminal Services 1111 when I connect to the server. Think it's to do with printer drivers etc. Not looked at solving that yet. Update - Think I have just fixed this one!

Other than that the Event Log is clear.

Regards.




0 Votes
DSPatrick answered CliffHorner-2029 commented

Glad to hear it's sorted.







Sorry, I may have misled. It's the Terminal Services error I have resolved, not the TLS issue.

0 Votes 0 ·
0 Votes
DSPatrick answered CliffHorner-2029 edited

The roles may be somewhat conflicting. Running IIS on a domain controller is not recommended. I could see splitting the mentioned roles across 3 or 4 Windows instances. One option may be to install the Hyper-V role on the host, then stand up virtual machines for different roles. At least get Active Directory Domain Services on its own instance of Windows.





Hi DSPatrick,

Sorry to revive this thread but I have been thinking about what you said ref. Hyper-V role.

If I install the role and add two virtual machines, do I need two more licence keys or can I use the same as the host machine?

Would it be best to leave the host as the DC and move say DNS onto its own server? Or move ADDS onto one virtual server and DNS on another Virtual server and leave everything else on the host?

Finally (sorry for questions) if I go down this route how much memory is the norm to allocate to each VM? (I have 96GB in the host)

Thank you for your help.

0 Votes 0 ·
0 Votes
DSPatrick answered DSPatrick edited

Based on what you listed, four virtual machines minimum:

  • ADDS, DHCP, DNS

  • File and Storage Services, WSUS

  • IIS

  • Remote Access

Some general info on Hyper-V licensing:
- A minimum of 8 core licenses is required for each physical processor and a minimum of 16 core licenses is required for each server.
- Core licenses are sold in packs of two.
- Standard Edition provides rights for up to 2 Operating System Environments or Windows Server containers with Hyper-V isolation when all physical cores in the server are licensed. For each additional 1 or 2 VMs, all the physical cores in the server must be licensed again.
- Datacenter Edition provides rights for unlimited Operating System Environments or Windows Server containers with Hyper-V isolation when all physical cores in the server are licensed.
- AVMA keys can be used only when the host is Datacenter edition.


https://download.microsoft.com/download/7/C/E/7CED6910-C7B2-4196-8C55-208EE0B427E2/Windows_Server_2019_licensing_datasheet_EN_US.pdf





