Issue Statement: Intermittently getting Schannel error Event ID 36888: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960." Cause: The cipher suite in use was TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. There are some known issues […]

Problem Description: Getting an HTTP 500 internal server error while trying to access the NDES sites MSCEP and MSCEP_Admin. Cause: The private keys were not available. Resolution: The problem started after renewing the certificates on the NDES server that were enrolled using the "Exchange Enrollment Agent (Offline request)" and "CEP Encryption" templates. Tried to verify permissions on the private keys (open Certlm.msc […]

Issue Statement: You have disabled a specific version of TLS/SSL using the following registry key, as described in https://support.microsoft.com/en-in/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS version to disable>\Server. When you run a vulnerability scan in your environment, the disabled SSL/TLS version is still listed as enabled in the vulnerability report on a specific port (e.g. 4883). Action Plan: Capture the following data: 1) Netstat […]

Problem Statement: How to change the signature algorithm on a CA (Certification Authority) server from RSASSA-PSS to RSA256SHA? Cause: You have legacy clients (e.g. Windows XP, Windows Server 2003) that cannot validate RSASSA-PSS signatures, and this behavior cannot be changed by installing any Service Pack. RSASSA-PSS signatures are supported only on Vista and later operating systems. […]