Affected versions: Windows Server 2012 R2

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Windows Server 2012 R2 hosts log SChannel event 36874 ‘An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server’ after cipher hardening, breaking app connections.

Environment & Reproduction

Reproducible after disabling TLS 1.0/1.1 or weak ciphers, or after applying registry baselines.

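# On 2012 R2 the cipher order lives in the registry (Get-TlsCipherSuite arrived with the TLS module in Windows Server 2016)
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002').Functions
# -LogName and -ProviderName belong to different parameter sets, so filter with a hashtable
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'} -MaxEvents 20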

Root Cause Analysis

Hardening removed every cipher suite the client and server had in common, leaving no negotiable suites.

Quick Triage

Inspect cipher and protocol support.

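# Policy-enforced cipher order, if a GPO or baseline set one (it overrides the local default list)
(Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue).Functions
# TLS 1.2 server-side protocol switches (Enabled / DisabledByDefault)
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'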

Step-by-Step Diagnosis

Identify the offending client and required suite.

Test-NetConnection app.corp.local -Port 443
netstat -ano | findstr :443
Get-WinEvent -LogName System -FilterXPath "*[System[(EventID=36874)]]" -MaxEvents 20
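
The check this diagnosis comes down to, as an added example that is not part of the original page: does the server's effective cipher order share any suite with what a client offers? It reads the standard Schannel registry values, which works on 2012 R2 where the TLS module cmdlets are absent; the function names and the client suite list are constructed for illustration.

```powershell
# Added example (read-only). Function names and $clientOffer are illustrative assumptions.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-EffectiveCipherOrder {
    # The policy value (REG_SZ, comma-separated) overrides the local default (REG_MULTI_SZ).
    $policy = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) {
        return @($policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return @((Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue).Functions)
}

function Get-SharedSuite {
    param([string[]]$ServerSuites, [string[]]$ClientSuites)
    # 2012 R2 appends the curve to ECDHE suite names (..._P256, ..._P384);
    # strip it before comparing with the IANA names seen in a ClientHello.
    foreach ($s in $ServerSuites) {
        $iana = $s -replace '_P(256|384|521)$', ''
        if ($ClientSuites -contains $iana) { $s }
    }
}

# Constructed sample: suites a legacy client offers (take the real list from its ClientHello in a capture).
$clientOffer = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

$server = @(Get-EffectiveCipherOrder)
$shared = @(Get-SharedSuite -ServerSuites $server -ClientSuites $clientOffer)
if ($shared.Count -eq 0) {
    'No shared suite: this client offer matches the condition logged as event 36874.'
} else {
    "First shared suite in server order: $($shared[0])"
}

# 36874 count per day, to line the failures up with the date of the hardening change
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36874} -ErrorAction SilentlyContinue |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count
```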

Solution – Primary Fix

Re-enable the required cipher suite for the affected clients only.

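# Enable-TlsCipherSuite needs the TLS module (Windows Server 2016 and later); on 2012 R2 add the suite through the SSL Cipher Suite Order policy instead
Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' -Position 0
Restart-Computer -Force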

Solution – Alternative Approaches

Use the SSL Cipher Suite Order Group Policy setting to ship a controlled cipher list across the fleet.

# gpedit.msc -> Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order
gpupdate /force

Verification & Acceptance Criteria

Clients negotiate TLS successfully and no 36874 events appear.

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'} -MaxEvents 10
Test-NetConnection app.corp.local -Port 443

Rollback Plan

Disable the temporary suite once clients migrate to modern ciphers.

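# Disable-TlsCipherSuite also needs the TLS module (Windows Server 2016 and later); on 2012 R2 remove the suite from the SSL Cipher Suite Order policy
Disable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'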

Prevention & Hardening

Document cipher baselines, monitor SChannel events, and pre-test client compatibility.

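# Export the configured cipher order from the registry as a one-column CSV baseline
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002').Functions | Select-Object @{Name='Name';Expression={$_}} | Export-Csv C:\Temp\ciphers.csv -NoTypeInformation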

Related Errors & Cross-Refs

Linked with IIS bindings, AD CS template issues, and LDAP over TLS hardening.

References & Further Reading

Microsoft Learn: TLS cipher suites in Windows Server.
