Community + IE11 = Schannel Errors
After I upgraded IE to v11 some weeks ago I get lots of Schannel Errors in Windows Event log. I believe it's because this website switches between HTTPS and HTTP. As soon as I go to the Log In page it begins, and it continues after I'm logged in. Can someone who uses IE11 check the Event Viewer logs?
This is after only spending a couple of hours in the community:
The detailed description doesn't say much:
The following fatal alert was generated: 40. The internal error state is 252.
Execution Process: lsass.exe
Since I'm drowning in these errors it's difficult to find other more critical errors.
The only different configuration I have is security setting set to High, and I use Trusted Sites as Medium. I have *.f-secure.com incl. Lithium and others needed.
This configuration worked perfectly with IE10.
Comments
-
Another try..... Can someone who uses this community with Internet Explorer 11 just quickly test this:
Windows Start, search for Event Viewer. Or right-click Computer, Manage, Event Viewer.
Then expand the Event Type "Error", and see if you have any rows with Source=Schannel. Any errors in the last 7 days?
-
-
-
Thanks for trying, but there's no difference (I think)
Is it just me who are getting these errors with IE11? Or maybe no one else checks the Event Viewer/Windows Logs?!
I am now convinced it's because the community uses HTTPS during Log In/Out, and only HTTP for browsing and posting.
It's very easy to reproduce: go to the community and log in. That's it. If you log out you get more errors.
-
Thanks Simon! It only applies to IE11. There was no problem in IE10.
Start IE, go to this community and log in. Then log out.
Then Windows Start, search for "Event Viewer".
Or right-click Computer, Manage, Event Viewer. (don't know if Windows 8 is different)
In Event Viewer, expand the Event Type "Error", and see if you have any rows with Source=Schannel and Event ID=36888.
See screenshot from my second post in this thread.
-
Thanks Simon! Then as I assumed probably all who uses IE11 gets these errors. They just don't know about it.
I see you get more details than me about the error:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
BTW, don't think I mentioned it before but Schannel means Secure Channel. And TLS is Transport Layer Security.
-
-
-
Some research indicates this is because TLS 1.2 is enabled by default in IE11:
I've verified that these errors only appear when the advanced IE setting "Use TLS 1.2" is checked. However, that's checked by default in IE11 as it improves connection security, so I guess there's a problem with the log in functionality for this community fully supporting TLS 1.2
The error (as mentioned before) is:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
PS. To reproduce you don't even have to log in. Just click the log in link. That causes the protocol to switch from HTTP to HTTPS and trigger these errors.
-
-
Update: I tried logging in to SAS (Sample Analysis System) as a comparison and I don't get any Schannel Errors there. The interesting thing with that is that SAS is also a log in to an F-Secure service. So a tip is to look at what is different with the SAS log in compared to the community log in.
-
-
-
🚩 What Do You Think?
We’d love your thoughts on our fresh look! Quick survey, big impact!