Ruling out SCOM notifications as the cause of SCHANNEL events
Still getting SCHANNEL error events and want to rule out SCOM
Management pack SQL events https://kevinjustin.com/blog/2017/11/08/sql-native-client-for-tls1-2/
SCHANNEL ciphers debugged https://kevinjustin.com/blog/2017/11/08/schannel-event-logging/
What command Channels are setup for notifications?
Validate Subscriptions aren’t the cause for email/text
Exchange 2013 and above typically use S/MIME to digitally sign/encrypt messages
Email communication can cause System 36871 events https://support.microsoft.com/en-us/help/305088/schannel-error-message-36871-when-receiving-an-ehlo-smtp-command
Do the events correlate with emailed alerts?
Tracing Notifications http://blog.scomskills.com/enable-tracing-of-the-notification-component-om07/
SCOM ETL traces
Run traces on suspect MS
2012R2 MS (adjust drive letter according to drive SCOM install)
cd “D:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Tools”
2012R2 GW (adjust drive letter according to drive SCOM install)
cd “C:\Program Files\System Center Operations Manager\Gateway\Tools”
2016 MS
cd ‘C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\Tools\’
# Stop Tracing
.\StopTracing.cmd
# Clean up old files
remove-item C:\windows\Logs\OpsMgrTrace\*
# Start Traces
StartTracing.cmd VER
TraceLogSM.exe -stop TracingGuidsNative
TraceLogSM.exe -stop TracingGuidsUI
# Wait until notification fires and validate if 36871 SCHANNEL event ID is logged
# Stop and format the trace
.\StopTracing.cmd
.\FormatTracing.cmd
# Review txt files from C:\windows\Logs\OpsMgrTrace
