Community + IE11 = Schannel Errors

After I upgraded IE to v11 some weeks ago I get lots of Schannel Errors in Windows Event log. I believe it's because this website switches between HTTPS and HTTP. As soon as I go to the Log In page it begins, and it continues after I'm logged in. Can someone who uses IE11 check the Event Viewer logs?

This is after only spending a couple of hours in the community:

Schannel.png

The detailed description doesn't say much:

The following fatal alert was generated: 40. The internal error state is 252.

Execution Process: lsass.exe

Since I'm drowning in these errors it's difficult to find other more critical errors.

The only different configuration I have is security setting set to High, and I use Trusted Sites as Medium. I have *.f-secure.com incl. Lithium and others needed.

This configuration worked perfectly with IE10.

Answers

  • NikK Posts: 931

    Another try..... Can someone who uses this community with Internet Explorer 11 just quickly test this:

    Windows Start, search for Event Viewer. Or right-click Computer, Manage, Event Viewer.
    Then expand the Event Type "Error", and see if you have any rows with Source=Schannel. Any errors in the last 7 days?

    eventviewer.png

  • Chrissy Posts: 439
    Hi NikK, just wanted to let you know we're looking into this - will update you when we find something.
  • AniaC Posts: 247

    Hi @NikK

    We made some improvements by changing the external references in the community source to https://

    That should help to reduce the number of errors you're getting.

  • NikK Posts: 931

    Thanks for trying, but there's no difference (I think)

    Is it just me who is getting these errors with IE11? Or maybe no one else checks the Event Viewer/Windows Logs?!

    I am now convinced it's because the community uses HTTPS during Log In/Out, and only HTTP for browsing and posting.

    It's very easy to reproduce: go to the community and log in. That's it. If you log out you get more errors.

  • Simon Posts: 2,561

    I don't use IE usually, Nik, so there will be no 'historical' error logs but if you want me to test something, just give me a quick run through of what you want me to try to replicate, and I'll do it for you.

  • NikK Posts: 931

    Thanks Simon! It only applies to IE11. There was no problem in IE10.

    Start IE, go to this community and log in. Then log out.

    Then Windows Start, search for "Event Viewer".

    Or right-click Computer, Manage, Event Viewer. (don't know if Windows 8 is different)

    In Event Viewer, expand the Event Type "Error", and see if you have any rows with Source=Schannel and Event ID=36888.

    See screenshot from my second post in this thread.
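
The Event Viewer check described in the post above, done from PowerShell (an added example, not part of any post in this thread): it reads Schannel event 36888 from the System log for the last 7 days and groups the entries by TLS alert code and Schannel error state, parsing the two message wordings quoted in this thread. The helper name `ConvertFrom-SchannelAlertMessage` is hypothetical, and the alert-name table is taken from RFC 5246, not from the thread.

```powershell
# Added example. TLS alert names are from RFC 5246, section 7.2 (subset).
$TlsAlerts = @{
    10 = 'unexpected_message'; 20 = 'bad_record_mac'; 40 = 'handshake_failure'
    42 = 'bad_certificate'; 46 = 'certificate_unknown'; 48 = 'unknown_ca'
    70 = 'protocol_version'; 80 = 'internal_error'
}

# Hypothetical helper: extracts alert code and error state from an event message.
function ConvertFrom-SchannelAlertMessage {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated)
    # Covers both message wordings quoted in this thread.
    $alert = [regex]::Match($Message, '(?:fatal alert was generated:|fatal error code is)\s*(\d+)')
    $state = [regex]::Match($Message, 'error state is\s*(\d+)')
    if (-not $alert.Success) { return }   # not an alert message: emit nothing
    $code = [int]$alert.Groups[1].Value
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        AlertCode   = $code
        AlertName   = if ($TlsAlerts.ContainsKey($code)) { $TlsAlerts[$code] } else { 'unknown' }
        ErrorState  = if ($state.Success) { [int]$state.Groups[1].Value } else { $null }
    }
}

# Offline check against the two messages quoted in this thread.
$samples = @(
    'The following fatal alert was generated: 40. The internal error state is 252.'
    'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.'
)
$samples | ForEach-Object { ConvertFrom-SchannelAlertMessage -Message $_ } |
    Format-Table AlertCode, AlertName, ErrorState | Out-String

# Live query: Schannel event 36888 in the System log, last 7 days.
$filter = @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36888
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SchannelAlertMessage -Message $_.Message -TimeCreated $_.TimeCreated } |
    Group-Object AlertCode, AlertName, ErrorState |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } }
```

On a non-English Windows installation the event message text is localized, so the two regular expressions need to be adapted before the live query returns anything.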

  • Simon Posts: 2,561

    Yep, loads of them...

    Untitled2.png

  • NikK Posts: 931

    Thanks Simon! Then as I assumed probably all who use IE11 get these errors. They just don't know about it.

    I see you get more details than me about the error:

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.

    BTW, don't think I mentioned it before but Schannel means Secure Channel. And TLS is Transport Layer Security.

  • Simon Posts: 2,561
    To be honest, Nik, the event viewer in Windows 8.1 seems a lot more detailed than in previous versions, and I haven't really had a chance to look too much into it yet. But hopefully the additional information may give F-Secure some extra clues as to what might be going on.
  • AniaC Posts: 247

    Thanks @NikK and @Simon we'll investigate this further.

  • NikK Posts: 931

    Some research indicates this is because TLS 1.2 is enabled by default in IE11:

    http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx

    I've verified that these errors only appear when the advanced IE setting "Use TLS 1.2" is checked. However, that's checked by default in IE11 as it improves connection security, so I guess there's a problem with the log in functionality for this community fully supporting TLS 1.2.

    The error (as mentioned before) is:

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.

    PS. To reproduce you don't even have to log in. Just click the log in link. That causes the protocol to switch from HTTP to HTTPS and trigger these errors.

  • Twixer Posts: 6

    I tried the log in link in IE11 and as NikK said, it triggered the Schannel errors. Also tried without TLS 1.2 and got no errors.

    20140303.png

  • NikK Posts: 931

    Great, thanks for verifying! (and nice to see a familiar language other than English ;-)

    So @AniaC and @Chrissy , it seems that the problem can be pinpointed down to a checkbox in the IE settings. Hopefully that'll be useful information for the people investigating this.

  • NikK Posts: 931

    @AniaC @Chrissy 

    Update:  I tried logging in to SAS (Sample Analysis System) as a comparison and I don't get any Schannel Errors there. The interesting thing with that is that SAS is also a log in to an F-Secure service. So a tip is to look at what is different with the SAS log in compared to the community log in.

  • AniaC Posts: 247

    Thanks NikK,

    I'll forward this information to our developer!

    Ania

  • NikK Posts: 931

    One of the latest Windows Updates reminded me of this issue. I still get lots of Schannel errors from logging in on this site, so I guess nothing's changed.

    As mentioned before logging in to SAS doesn't create these errors.

  • AniaC Posts: 247

    Hi NikK, sorry for a late reply.

    We've informed our supplier and are working on it again.

    Thanks for the heads-up!

  • NikK Posts: 931

    Some useful information hopefully:

    Logging in to the web interface of Younited and uploading only one file results in even more errors.

    Nothing fills my event logs with more errors than this community and Younited. Something must be wrong on the server side.

    But no errors with SAS!

This discussion has been closed.