Event 36875: remote server requested SSL - which remote server?

Exchange 2013, CU5.

Hi,

I have frequent logs showing 36875, reporting "The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings."

I would like to work out which server is making these requests, and also which certificate is being offered but deemed 'not suitable'. 

I have increased the logging level to "7" for HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\"EventLogging" but this only provides informational events to say for TLS1.0 and TLS1.2 that "SSL server handshake completed successfully".

I am running an all-in-one Exchange server. I have two receive connectors (one for inbound mail from Mimecast and the other for relaying emails from internal applications) both of which have the FQDN which matches my public certificate. I still have the self-signed cert on the server. Mimecast attempts to deliver mail using opportunistic TLS, which is working - the headers I receive from a gmail address show TLS being used at all hops.

Any help gratefully appreciated.

March 29th, 2015 12:14pm

Unless you are seeing problems, I generally ignore those.

https://technet.microsoft.com/en-us/library/dn786445.aspx?f=255&MSPPError=-2147217396

Message

Type: Warning

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request might succeed or fail, depending on the server's policy settings.

User action

This warning message requires no action.

March 29th, 2015 12:21pm

Hi,

Thank you for your question.

In addition, in response to the client hello message, the server requested SSL client authentication. Because the client did not possess a suitable certificate, the connection process will proceed by attempting an anonymous connection. In this scenario, which has security vulnerabilities, both client and server do not get authenticated and no credentials are needed to establish an SSL connection.

If there are any questions regarding this issue, please be free to let me know. 

Best Regards,

Jim

March 30th, 2015 4:53am

Thanks. 

But as we only accept incoming email from our smarthost (Mimecast) then I'm confused as to why these are continuing.

Hence my question as to how to identify the server that is requesting the certificate.

As mentioned, we also relay mail from various internal applications but this is to a separate receive connector.

Could it be from a DC?

March 30th, 2015 5:53am

Thanks Jim,

I understand the process. However, I cannot find a way to troubleshoot the failure to setup the SSL connection. I would like to trace which server sent the request AND which certificate was offered but deemed not suitable.

Any tips and help would be appreciated.

Thanks.

March 30th, 2015 5:57am

I wouldn't assume this is a mail server. As for troubleshooting, it may take a Netmon/Wireshark trace to see which clients are connecting when the error is thrown.
March 30th, 2015 8:14am
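The trace suggestion above is the way to answer both halves of the question: the peer's TLS CertificateRequest message carries the list of issuer names it will accept, and Schannel logs 36875 when no certificate in the local store chains to one of them, so the packet that carries the CertificateRequest also identifies the server. The Python below is an added example, not code from this thread, that walks a reassembled server-to-client TLS 1.2 byte stream (for instance a TCP stream exported from Wireshark), finds each CertificateRequest and decodes the accepted issuers; it assumes a handshake message is not split across records, and the sample stream and the issuer name "Contoso Issuing CA" are constructed.

```python
import struct
HANDSHAKE_RECORD, CERTIFICATE_REQUEST = 22, 13   # TLS record type / handshake type (RFC 5246)

def parse_certificate_request(body):
    """Decode a TLS 1.2 CertificateRequest: certificate_types, signature_algorithms, CA names (DER)."""
    n = body[0]
    cert_types, p = list(body[1:1 + n]), 1 + n
    sa_len = struct.unpack("!H", body[p:p + 2])[0]
    sig_algs = [(body[i], body[i + 1]) for i in range(p + 2, p + 2 + sa_len, 2)]
    p += 2 + sa_len
    ca_len = struct.unpack("!H", body[p:p + 2])[0]
    p, end, ca_dns = p + 2, p + 2 + ca_len, []
    while p < end:                         # vector of length-prefixed DistinguishedNames
        dn_len = struct.unpack("!H", body[p:p + 2])[0]
        ca_dns.append(body[p + 2:p + 2 + dn_len])
        p += 2 + dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_dns": ca_dns}

def find_certificate_requests(stream):
    """Walk the TLS records of a reassembled server->client byte stream; return each CertificateRequest."""
    found, p = [], 0
    while p + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[p:p + 5])
        rec, p = stream[p + 5:p + 5 + rlen], p + 5 + rlen
        if ctype != HANDSHAKE_RECORD:      # skip ChangeCipherSpec, alerts, application data
            continue
        q = 0
        while q + 4 <= len(rec):           # one or more handshake messages per record
            htype, hlen = rec[q], int.from_bytes(rec[q + 1:q + 4], "big")
            if htype == CERTIFICATE_REQUEST:
                found.append(parse_certificate_request(rec[q + 4:q + 4 + hlen]))
            q += 4 + hlen
    return found

def common_name(dn):
    """Return the CN from a DER Name: find OID 2.5.4.3 and read the string after it (short-form length)."""
    i = dn.find(b"\x06\x03\x55\x04\x03")
    return None if i < 0 else dn[i + 7:i + 7 + dn[i + 6]].decode("utf-8", "replace")

def issuers_requested(stream):
    """CNs of the CAs the peer will accept a client certificate from; compare against the local cert store."""
    return [common_name(dn) for req in find_certificate_requests(stream) for dn in req["ca_dns"]]

def der(tag, content):                     # minimal DER TLV encoder, used only for the constructed sample
    return bytes([tag, len(content)]) + content
# Constructed sample: stub ServerHello record, then a CertificateRequest accepting rsa_sign certs
# signed sha256/rsa from one made-up issuer, "Contoso Issuing CA".
CA_DN = der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03" + der(0x13, b"Contoso Issuing CA"))))
CR_BODY = b"\x01\x01\x00\x02\x04\x01" + struct.pack("!HH", len(CA_DN) + 2, len(CA_DN)) + CA_DN
CR_MSG = bytes([CERTIFICATE_REQUEST]) + len(CR_BODY).to_bytes(3, "big") + CR_BODY
SAMPLE_STREAM = b"\x16\x03\x03\x00\x06\x02\x00\x00\x02\x03\x03" + b"\x16\x03\x03" + struct.pack("!H", len(CR_MSG)) + CR_MSG
```

Run it against the server-to-client half of each connection that coincides with a 36875 timestamp; under TLS 1.3 the CertificateRequest is encrypted, so this only works for TLS 1.2 and earlier, which is what the poster's Schannel logging shows in use.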

If something recently changed (SSL cert or server) it might be good to call Mimecast. We had a client a few months back that was getting Schannel errors and MSFT support traced it back to them. Unfortunately Mimecast didn't tell us what they did on their end to fix it, or what the issue really was, but it won't hurt to give them a call.
March 30th, 2015 9:45am
