Event 36870 Schannel 10001 – A fatal error occurred

When we spend two weeks resolving an issue that affects multiple servers, it is worth documenting the solution, and not as a two-liner but as a clearly laid-out, detailed process. This saves our successors time and headaches down the road. Here we discuss Event 36870 Schannel 10001 – A fatal error occurred and how to resolve it. So without further ado, let’s begin…


The Problem

“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”

[Screenshot: Event 36870 Schannel 10001 - A fatal error occurred]

This error message has been filling up the logs for months, recurring at roughly 25-minute intervals on one server and at 5-minute intervals on another.


The Cause

The cause of event 36870 (“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”) in our case is a file permission issue: the NETWORK SERVICE account is missing permissions on a file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.


The Solution

To resolve Event 36870 Schannel 10001 – A fatal error occurred we need to grant the NETWORK SERVICE account the proper permissions on the file in question. To find which file has the wrong permissions we use the Sysinternals tool Process Monitor (procmon).

1. Download procmon from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon. Copy it to the server in question, unzip it and launch it.

[Screenshot: Event 36870 Schannel 10001 - A fatal error occurred - Process Monitor]

2. Let procmon actively monitor until the next error occurs in the System event log. Then pause the monitoring and save the log to a CSV file. In the capture, find the MachineKeys file whose access was denied.

[Screenshot: Event 36870 Schannel 10001 - A fatal error occurred - Monitor]

3. Grant NETWORK SERVICE permissions on the file from an elevated (Administrator) PowerShell console. S-1-5-20 is the well-known SID of the NETWORK SERVICE account, so the command below works regardless of the system’s display language.

icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename" /grant *S-1-5-20:RX

Note: you may need to take ownership of the file if you are unable to change its permissions.

takeown /F "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename"
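Steps 2 and 3 above, automated as an added example (this script is not from the original post). It assumes the procmon capture was exported with its default CSV column names (Path, Result), that $CsvPath is a placeholder for your own export, and that it runs from an elevated PowerShell console; it only changes permissions when -Fix is given.

```powershell
# Added example: find the MachineKeys file Schannel cannot read in a Process Monitor
# CSV export, report whether NETWORK SERVICE (S-1-5-20) can read it, and optionally
# apply the same icacls/takeown repair shown in the post.
param(
    [string]$CsvPath = 'C:\Temp\procmon-schannel.csv',  # placeholder: your procmon export
    [switch]$Fix                                          # report only unless -Fix is passed
)

$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$networkServiceSid = 'S-1-5-20'   # well-known SID of NETWORK SERVICE (locale-independent)

# Step 2: keep only ACCESS DENIED results under MachineKeys (default procmon CSV columns).
$denied = Import-Csv -Path $CsvPath |
    Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.Path -like "$machineKeys\*" } |
    Select-Object -ExpandProperty Path -Unique

if (-not $denied) { Write-Host "No ACCESS DENIED entries under $machineKeys in $CsvPath"; return }

foreach ($file in $denied) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found: $file"; continue }

    # Look for an Allow ACE for S-1-5-20 that includes the ReadData right.
    $acl = Get-Acl -LiteralPath $file
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $networkServiceSid -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }

    if ($hasRead) { Write-Host "OK     : $file (NETWORK SERVICE can read)"; continue }
    Write-Host "MISSING: $file (NETWORK SERVICE has no read access)"

    if ($Fix) {
        # Step 3: grant RX; if icacls is refused, take ownership first and retry, as the post notes.
        icacls $file /grant "*$networkServiceSid`:RX" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            takeown /F $file | Out-Null
            icacls $file /grant "*$networkServiceSid`:RX" | Out-Null
        }
        Write-Host "FIXED  : $file (exit code $LASTEXITCODE)"
    }
}
```

Run it once without -Fix to confirm it names the same file you found in procmon before letting it change any ACL.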
