This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 51%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Exchange Experts,
I can't eliminate an 'account failed to log on' audit caused by exchange's TLS auth mechanism. Everytime I get an email delivered to the server via our receive connector, the server tries to match the sender's cert using NTLM (I think).
I can't fix it regardless of the security options I select on the receive connector. It looks like exchange's TLS is trying to map the sending server's certificate to a machine or system account, which won't work. It must be a built in mechanism of Windows TLS?
Can anyone help get this to stop trying to match it to system accounts or point me in the right direction?
EDIT: Environment: Server 2019, Exchange 2019 CU8
System Log / Source schannel / Event ID 36879
So, Im confused. :)
Why does the inbound Office 365 connector have all that checked?
All you need is TLS and anonymous enabled for 365 Hybrid.
The TLS enforcement is handled by the receive connector :
TlsDomainCapabilities : {mail.protection.outlook.com:AcceptCloudServicesMail}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 98%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Any luck figuring this out? I'm battling the same issues with these security event logs causing issues with our alerting/monitoring.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 68%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
The solution was a a compromise:
We eliminated my custom connector and reverted back to the default connector. It completely eliminated the error message. It's incredibly frustrating that I couldn't figure out how to separate out the O365 traffic, but since we firewall SMTP and don't allow any external or partner direct SMTP connections except Office 365 (which is filtered), it works for my use case.
A lot of people didn't understand the real issue, which wasn't that exchange worked fine and we could ignore the message or disable schannel events (which this is not, so the error message remains). The real issue in my case was ignoring the message means ignoring logs that the IPS system is going to lose its mind about since Windows thinks it's an invalid login. In the current world, who is going to get away with configuring systems not to report hundreds/thousands of logs of invalid log in attempts? Can you imagine explaining that after the breach/data loss? You wouldn't, you'd be too busy looking for a new job ;)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 73%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
I'm facing this exact issue. Would you mind sharing the specific settings of the connector that resolved the login failure audits? I'm not using a custom connector. The issue seems to be with my Default Frontend connector. The mail flow works fine but I need to eliminate the auth failures.
Hi @Cory C ,
Sorry that I don't quite understand the issue, and you said this caused the accounts logon failure, logging on to OWA/ECP or clients?
And the mail flow is good?
If you don't mind, restore the Connectors to the default status and check. And I'm thinking the Exchange Server is necessary member of the group list.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Mail flow is fine, partially. Mail flows in and out of the environment.
The issue is specific to SMTP delivery using TLS.
When our upstream sending server (office 365) connects to the on prem exchange server, we require TLS. When SMTP does the TLS process and the certificates are exchanged, it works and allows encrypted mail transfer, but Windows Server 2019 seems to try and use the sending server's certificate attempting to match a local or domain user account. That's what causes the login failure audit.
We don't want exchange to attempt to match another SMTP server's certificate to an account, we just want the SMTP session encrypted. I didn't notice this behavior on Server 2012 R2 with Exchange 2013. Not saying it wasn't doing it, but we never got the monitoring system blowing up about failed logins, so I am guessing not.
P.S. When you do TLS, you need to match the public certificate name like mail.FQDN.com, which will not work when you select 'Exchange Server Authentication'. I reset the receive connector back to mostly original. We have tried all different options trying to prevent the user account cert match (event ID 36879)
Dude! I know, right! (In agreement with you Andy). I shouldn't have to have any of that other stuff checked, but even Microsoft scripted tech support wants all that crap on there. I doesn't make any sense to me either.
More importantly, I have also tried exactly that configuration, but it still gives the same errors. Very frustrating.
This is a quote from the Microsoft site about the error (event 36879):
When a server application requires client authentication, Schannel automatically attempts to map the certificate supplied by the client to a user account.
I think Windows Server / Exchange is passing the sending server's cert to LSASS trying to match an account. I can't prove that, but it's what the blurb says, and it makes sense with the error messages. I just can't find anything about it, or turn it off. I can't imagine there is something that unique about my installation of Server 2019 / Exchange CU8. That has to happen to other people right?
Hi @Cory C ,
Oh that was my fault, so sorry for the misunderstanding, I was think it's a full on-prem environment and didn't realize that is for the hybrid.
And well, I want to know if this warning event has any exact effects for your server, is it causing the "logon error"? or only the audit logs because I found a similar warning that could be ignored, that is a stupid question but it helps me understand what the point is.
Also if you want to disable the Certificate Mapping Authentication, you could Client Certificate Mapping Authentication and CertificateMappingMethods
Hope that could help.
Regards,
Lou
That was a very clever suggestion which I didn't think about. Sadly, it didn't change anything. I think the Transport service or Front End Transport Service is doing the certificate mapping attempt, not the web/iss/W3SVC. I can't figure out how to prove this though. The login failure event process ID maps back so lsass.exe (which makes sense), I just can't see what process ID tries to initiate the client certificate map.
SMTP is listening on 25 which maps back to the front end transport service/exe.
Hi @Cory C ,
Have you ever checked the certificate? Since the O365 could work correctly, I would think this is because of the certificate you're using on your on-prem Exchange server.
Also I'm still trying to find anything useful, but I'd like to ask that is there any actual error like logon OWA failed or just the failure event logs?
Regards,
Lou
You are going to hate this suggestion.
Add this registry key and silence the events :)
Set-itemproperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel -Name EventLogging -Value 0
I mean, otherwise, its working right?
HA! 'I like where your head's at', or 'great minds', etc...
I had that same thought on day two. The SCHANNEL event log is not really the problem. The main problem is along with the SCHANNEL event log is the login failure event, which is the actual problem.
The login failure log blows up all the monitoring systems with false positives since there's one for every time an SMTP server initiates TLS, so the more mail delivery, the more login failures. You can imagine how it looks for an IDS/Monitor...
Bottom line, turning off schannel logs didn't solve the overall problem. Thanks for the continued suggestions.