Ruling out SCOM as the cause of SCHANNEL events
Ruling out SCOM notifications as the cause of SCHANNEL events
Still getting SCHANNEL error events and want to rule out SCOM
Management pack SQL events https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/sql-native-client-for-tls1-2/
SCHANNEL ciphers debugged https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/
What command Channels are setup for notifications?
Validate Subscriptions aren't the cause for email/text
Exchange 2013 and above typically use S/MIME to digitally sign/encrypt messages
Email communication can cause System 36871 events https://support.microsoft.com/en-us/help/305088/schannel-error-message-36871-when-receiving-an-ehlo-smtp-command
Do the events correlate with emailed alerts?
Tracing Notifications https://blog.scomskills.com/enable-tracing-of-the-notification-component-om07/
SCOM ETL traces
Run traces on suspect MS
2012R2 MS (adjust drive letter according to drive SCOM install)
cd "D:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Tools"
2012R2 GW (adjust drive letter according to drive SCOM install)
cd "C:\Program Files\System Center Operations Manager\Gateway\Tools"
cd 'C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\Tools\'
# Stop Tracing
# Clean up old files
# Start Traces
TraceLogSM.exe -stop TracingGuidsNative
TraceLogSM.exe -stop TracingGuidsUI
# Wait until notification fires and validate if 36871 SCHANNEL event ID is logged
# Stop and format the trace
# Review txt files from C:\windows\Logs\OpsMgrTrace