When running Windows Server (2008–2016) or Microsoft Exchange (2013/2016), you may encounter the following error in the Event Viewer:

Event ID: 36874
Source: Schannel
Message: TLS 1.0 connection request was received from a remote client application, 
but none of the cipher suites supported by the client application are supported by the server.
The TLS connection request has failed.

This issue often impacts Outlook connectivity and third-party applications that attempt to establish a TLS-secured connection to your Exchange Server. The root cause is typically related to disabled or outdated TLS protocol versions and cipher suites.

In enterprise environments, this error not only causes client connection failures but also raises compliance and security concerns, especially in organizations required to meet PCI DSS, HIPAA, or other regulatory standards.

Root Cause of Schannel Error 36874

The error is triggered when the server and client fail to negotiate a compatible TLS protocol version or cipher suite. Common reasons include:

Cause 1: Outdated TLS Versions
TLS 1.0 or TLS 1.1 is requested by the client, but the server requires TLS 1.2 or higher.

Cause 2: Disabled TLS on the Server
The Windows Server does not have TLS 1.2 enabled in the registry.

Cause 3: Cipher Suite Mismatch
The server supports only secure cipher suites, but the client is attempting weak or unsupported ones.

Cause 4: Exchange Server Dependency
Exchange versions before 2019 heavily rely on Schannel (Windows’ SSL/TLS provider). Misconfigured registry keys can prevent TLS negotiation.

Step-by-Step Solutions

1. Enable TLS 1.2 on Windows Server

TLS 1.2 must be explicitly enabled on older Windows Server versions (2008–2012 R2). Follow the Accuweb "Enable TLS" article to enable TLS 1.2 on your Windows server. Once this is done, clients should be able to connect over HTTPS with TLS encryption.

2. Ensure .NET Framework Supports TLS 1.2

If Exchange or custom apps rely on .NET, enforce TLS 1.2 by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

SchUseStrongCrypto = 1 (DWORD)

Set this value under both HKLM\SOFTWARE and HKLM\SOFTWARE\WOW6432Node so that 32-bit applications are covered as well.

3. Update Cipher Suites

If your server only supports weak ciphers (e.g., RC4, 3DES), modern clients will fail to connect. Use IIS Crypto or Group Policy to configure secure cipher suites.
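
To confirm the three steps above on a server without changing anything, the following read-only audit is an added example, not part of the original article. The Schannel Protocols and Ciphers key paths are standard Windows locations that this page does not list, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the settings from steps 1-3.
# Assumes PowerShell 3.0+ in a 64-bit session on the server being checked.

function Get-RegValue {
    param([string]$SubKey, [string]$Name)
    # The .NET registry API is used because the PowerShell registry provider
    # treats the '/' in key names such as 'RC4 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }        # key absent
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function New-Finding {
    param([string]$Step, [string]$Item, $Value, [bool]$Pass)
    $shown = if ($null -eq $Value) { '(not set)' } else { $Value }
    [pscustomobject]@{ Step = $Step; Item = $Item; Value = $shown; Pass = $Pass }
}

function Test-SchannelTlsConfig {
    $schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

    # Step 1: TLS 1.2 explicitly enabled for inbound (Server) and outbound (Client).
    # '(not set)' means the OS default applies, which varies by Windows version.
    foreach ($role in 'Server', 'Client') {
        $key = "$schannel\Protocols\TLS 1.2\$role"
        $e = Get-RegValue $key 'Enabled'
        $d = Get-RegValue $key 'DisabledByDefault'
        New-Finding 1 "TLS 1.2 $role Enabled" $e ($null -ne $e -and $e -ne 0)
        New-Finding 1 "TLS 1.2 $role DisabledByDefault" $d ($d -eq 0)
    }

    # Step 2: SchUseStrongCrypto = 1 in both the 64-bit and 32-bit .NET keys.
    foreach ($root in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $v = Get-RegValue "$root\Microsoft\.NETFramework\v4.0.30319" 'SchUseStrongCrypto'
        New-Finding 2 "$root .NET v4.0.30319 SchUseStrongCrypto" $v ($v -eq 1)
    }

    # Step 3: RC4 and 3DES explicitly disabled (Enabled = 0) at the Schannel level.
    $weak = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168'
    foreach ($cipher in $weak) {
        $v = Get-RegValue "$schannel\Ciphers\$cipher" 'Enabled'
        New-Finding 3 "Cipher '$cipher' Enabled" $v ($v -eq 0)
    }
}

Test-SchannelTlsConfig | Format-Table -AutoSize
```

A row with Pass = False and Value "(not set)" means the setting is left to the operating system default rather than explicitly configured. A cipher suite order applied through Group Policy is stored separately and is not covered by this check.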

Conclusion:

TLS negotiation failures between the client and server cause Schannel Error 36874. In modern environments, the issue often stems from disabled TLS 1.2 or mismatched cipher suites. By enabling TLS 1.2, updating cipher suites, and ensuring .NET applications use strong cryptography, you can restore Outlook and application connectivity while meeting enterprise security compliance standards.
