When domain controllers start flooding event logs with Schannel error 36887 ("The following fatal alert was received: 46"), it's typically caused by LDAP clients attempting TLS-secured connections without proper CA certificate chain validation. The error indicates the client failed to properly authenticate the server's certificate.
The most reliable method is capturing network traffic during the error events:
# Windows built-in netsh (requires admin)
netsh trace start capture=yes scenario=NetConnection tracefile=C:\temp\schannel.etl maxsize=500
# ... wait for error to occur ...
netsh trace stop
# Alternative: PowerShell packet capture
Start-Process -FilePath "C:\Program Files\Wireshark\tshark.exe" `
    -ArgumentList '-i 4 -w C:\temp\ldap_traffic.pcap -f "port 389 or port 636"' `
    -Verb RunAs
Microsoft provides several built-in tools for LDAP diagnostics:
# Enable Schannel logging (registry)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
    -Name "EventLogging" -Value 1 -PropertyType DWORD -Force
# LDAP client statistics
repadmin /showstatistics *
Configure firewall logging for LDAP ports (389/636) and correlate with Schannel error timestamps:
# PowerShell to query Windows firewall logs
Get-Content -Path "$env:windir\system32\logfiles\firewall\pfirewall.log" |
    Where-Object { $_ -match "(636|389)" } |
    Select-Object -Last 50
Here's a script to correlate Event ID 36887 with network connections:
# PowerShell correlation script (run on the domain controller)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    ID        = 36887
    StartTime = (Get-Date).AddHours(-1)
} | Where-Object { $_.Message -match '\b46\b' }

$events | ForEach-Object {
    $time = $_.TimeCreated
    # The DC is the server side of the LDAPS session, so the session shows up
    # with LocalPort 636 and the client is the RemoteAddress.
    $conns = Get-NetTCPConnection -State Established -LocalPort 636 `
        -AppliedSetting Internet -ErrorAction SilentlyContinue | Where-Object {
            $_.CreationTime -ge $time.AddSeconds(-5) -and
            $_.CreationTime -le $time.AddSeconds(5)
        }
    # Emit one record per matching connection rather than collapsing them
    foreach ($conn in $conns) {
        [PSCustomObject]@{
            ErrorTime   = $time
            SourceIP    = $conn.RemoteAddress
            ProcessID   = $conn.OwningProcess
            ProcessName = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).Name
        }
    }
}
Once identified, ensure clients have proper root certificates:
# Command to verify certificate chain (run on client)
certutil -verify -urlfetch LDAP://yourdomaincontroller.domain.com
When domain controllers log Schannel error 36887 with fatal alert code 46, it typically indicates an LDAP client attempting to establish a secure connection without proper certificate chain validation. The error manifests as:
Log Name: System
Source: Schannel
Event ID: 36887
Level: Critical
Description: The following fatal alert was received: 46.
To pinpoint the problematic client, consider these technical approaches:
1. NetLog Debugging
Enable Schannel logging on your domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /t REG_DWORD /d 0x7 /f
This will capture detailed TLS handshake information including client IP addresses.
2. Network Traffic Analysis
Use Wireshark with this display filter to identify clients with incomplete certificate chains:
tls.alert_message.desc == 46 && (tcp.port == 636 || tcp.port == 389)
3. PowerShell Audit Script
Create a real-time monitoring script:
# PowerShell script to monitor Schannel errors
$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Schannel'] and (EventID=36887)]]</Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query -MaxEvents 10 | ForEach-Object {
    $event = [xml]$_.ToXml()
    $time  = $_.TimeCreated
    # Only populated when the event carries a ClientIP data element
    $clientIP = $event.Event.EventData.Data |
        Where-Object { $_.Name -eq "ClientIP" } |
        Select-Object -ExpandProperty "#text"
    if ($clientIP) {
        try {
            $hostName = ([System.Net.Dns]::GetHostEntry($clientIP)).HostName
        } catch {
            $hostName = "unresolved"
        }
        Write-Host "[$time] Alert 46 from $($clientIP) ($hostName)"
    }
}
Common misconfigurations causing this error include:
- Missing root CA certificates in the client's Trusted Root store
- Outdated Schannel protocols (e.g., TLS 1.0 enabled when DC requires 1.2)
- LDAP channel binding requirements not met
For each identified client, verify these registry settings:
# Check client certificate stores
certmgr.msc
# Verify Schannel protocol settings
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
For environments with multiple clients, consider this group policy approach:
- Create a WMI filter to target only affected clients
- Deploy root CA certificates via Group Policy Preferences
- Set appropriate TLS protocols via Administrative Templates
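Both answers come down to the same correlation step: take the timestamps of the 36887 events on the DC and line them up with inbound connections to 389/636 in the same window, then see which source IP keeps showing up. The script below is an added example, not code from either answer, and is written in Python so it runs offline against exported data (an event list and a pfirewall.log excerpt, both constructed here as sample input). It also maps the numeric alert code from the event to its RFC 5246 name, which makes the difference between 46 (certificate_unknown, the client rejected the DC's certificate) and 70 (protocol_version, the TLS version mismatch the second answer lists) visible in the output. The window size, the log field layout assumptions and the sample addresses are all assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# RFC 5246 AlertDescription values; Event 36887 logs only the number.
TLS_ALERT_NAMES = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
}

# Constructed sample: (TimeCreated, alert code) as exported from the System log
# on the DC. Not real data.
SCHANNEL_EVENTS = [
    ("2024-03-12 10:15:33", 46),
    ("2024-03-12 10:20:33", 46),
    ("2024-03-12 10:22:10", 70),
]

# Constructed sample of pfirewall.log (W3C layout written by Windows Firewall
# when successful connections are logged on the DC). Not real data.
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-12 10:15:31 ALLOW TCP 10.0.0.25 10.0.0.5 51234 636 0 - 0 0 0 - - - RECEIVE
2024-03-12 10:15:32 ALLOW TCP 10.0.0.40 10.0.0.5 50001 445 0 - 0 0 0 - - - RECEIVE
2024-03-12 10:20:31 ALLOW TCP 10.0.0.25 10.0.0.5 51240 636 0 - 0 0 0 - - - RECEIVE
2024-03-12 10:22:08 ALLOW TCP 10.0.0.77 10.0.0.5 49152 389 0 - 0 0 0 - - - RECEIVE
2024-03-12 10:30:00 ALLOW TCP 10.0.0.90 10.0.0.5 49999 636 0 - 0 0 0 - - - RECEIVE
"""

LDAP_PORTS = {389, 636}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_firewall_log(text):
    """Return inbound TCP connections to LDAP ports as dicts keyed by the
    #Fields header, each with a parsed 'when' datetime."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        row = dict(zip(fields, values))
        if row["protocol"] != "TCP" or row["path"] != "RECEIVE":
            continue
        if int(row["dst-port"]) not in LDAP_PORTS:
            continue
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", TS_FORMAT)
        rows.append(row)
    return rows


def correlate(events, connections, window_seconds=5):
    """For each Schannel event, list source IPs of LDAP connections accepted in
    the window_seconds before the alert was logged (the TCP connection always
    precedes the TLS alert). Returns (time, code, name, [src-ip, ...]) tuples."""
    window = timedelta(seconds=window_seconds)
    results = []
    for ts, code in events:
        t = datetime.strptime(ts, TS_FORMAT)
        suspects = [c["src-ip"] for c in connections if t - window <= c["when"] <= t]
        results.append((t, code, TLS_ALERT_NAMES.get(code, "unknown"), suspects))
    return results


def rank_clients(results, alert_code=46):
    """Count how often each source IP coincides with the given alert code,
    most frequent first; the top entry is the client to check first."""
    counter = Counter()
    for _, code, _, suspects in results:
        if code == alert_code:
            counter.update(suspects)
    return counter.most_common()


if __name__ == "__main__":
    conns = parse_firewall_log(FIREWALL_LOG)
    results = correlate(SCHANNEL_EVENTS, conns)
    for t, code, name, suspects in results:
        print(f"{t}  alert {code} ({name})  candidates: {', '.join(suspects) or '-'}")
    print("clients ranked for alert 46:", rank_clients(results))
```

On a real DC, export the events with Get-WinEvent (timestamp and the alert number parsed from the message) and point the parser at the actual pfirewall.log; if clocks on the DC and the log are not the same source, widen the window rather than trusting a one-second match.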