Question
Wednesday, November 28, 2018 12:03 PM
This question was originally asked but not answered in the Server 2016 forum. The suggestion was to ask it in a more appropriate forum. Full thread is here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/fd626e47-9ee7-41c5-b11a-ae696e3b6b5b/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013?forum=ws2016
The original question by NeilDT was "Recently deployed a Windows 2016 Standard Server, with Active Directory and Exchange 2016. We have disabled SSL 1.0, 2.0 and 3.0 for both Server and Client, and have disabled TLS 1.0 and TLS 1.1. We are repeatedly getting the following entry in our system log. What is causing this, and how can I fix it?"
The error is "A fatal error occurred while creating a TLS client credential. The internal error state is 10013".
I too have the same issue.
It is not just a cosmetic issue that can be ignored. The error is generated 10-20 times a second and floods the system event log, meaning that useful entries are quickly lost.
It was suggested we tried the fixes here https://social.technet.microsoft.com/Forums/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin
For both of us, enabling FIPS fixes the issue but the mail delivery stops which is a disadvantage on an Exchange server!
Changing the Read permission to "MachineKeys" folder broke our IIS and we had to restore the server from a backup (A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.)
Does anybody know how to stop this error on a server that only has TLS1.2 enabled?
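Before changing anything it helps to put a number on the flood the question describes and to record the internal error state being reported, so that a later fix can be verified against a baseline. The script below is an added example, not code from the thread; it reads the System log for Schannel errors matching the message text quoted above and reports the rate. It assumes PowerShell 5.1 on Windows Server 2016 and an elevated session; the `-Minutes` parameter is the example's own.

```powershell
# Added example (not from the thread): measure how fast Schannel client-credential
# errors are arriving in the System log, to baseline the flood and confirm a fix later.
# Assumes PowerShell 5.1 on Windows Server 2016, run elevated.
param(
    [int]$Minutes = 10   # look-back window; the parameter name is the example's own
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Schannel writes these entries to the System log under provider "Schannel".
# Level 2 = Error. The filter matches the message text quoted in the thread
# rather than relying on an event ID.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Level        = 2
    StartTime    = $since
} -ErrorAction SilentlyContinue

$credErrors = $events | Where-Object {
    $_.Message -like '*fatal error occurred while creating a TLS client credential*' -or
    $_.Message -like '*fatal error occurred while creating an SSL client credential*'
}

$count = ($credErrors | Measure-Object).Count
$perSecond = if ($Minutes -gt 0) { [math]::Round($count / ($Minutes * 60), 2) } else { 0 }

"Window: last $Minutes minute(s), since $since"
"Schannel client-credential errors: $count ($perSecond per second)"

# Break the count down by the reported internal error state, so a change in the
# state number after a configuration change is visible at a glance.
$credErrors |
    ForEach-Object {
        if ($_.Message -match 'internal error state is (\d+)') { $Matches[1] } else { 'unknown' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table @{ Name = 'InternalErrorState'; Expression = { $_.Name } }, Count -AutoSize
```

Run it once before the registry changes and once after the reboot; a rate that drops from the 10-20 per second reported here to zero over the same window is the confirmation the later replies describe.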
All replies (4)
Thursday, November 29, 2018 8:57 AM ✅ Answered | 2 votes
Hi,
To enable TLS 1.2 on Exchange server, first we need to ensure that your Exchange server is ready for this:
Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).
Windows Server 2016
TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.
Then make sure you have enabled TLS 1.2 for Schannel and for .NET, disable TLS 1.0 and 1.1 in Schannel, follow the steps described in the articles below:
Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
Hope it helps.
Regards,
Manu Meng
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, December 3, 2018 9:16 AM
Just checking in to see if above information was helpful. Please let us know if you would like further assistance.
Regards,
Manu Meng
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, December 5, 2018 12:07 AM | 1 vote
Sorry for the delay replying but other work has taken priority.
Thanks for your reply. We are currently running CU11 (which now supports .NET 4.72 as well as 4.71).
I've seen the articles you referenced before; shame I didn't read them properly! What I had missed was 'Enable TLS 1.2 for .NET 4.x' in the Part 2 article. What's a bit odd is that although this article is about enabling TLS 1.2, TLS 1.2 has been working fine for over a month (apart from the Schannel errors).
It's only been half an hour but since making the registry changes and restarting we haven't had a single Schannel error and as we were getting 10-20 per second it looks as though it is fixed.
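The accepted answer points at the Part 2 and Part 3 guidance, and this reply identifies the step that was missing: the .NET 4.x registry values. The script below is an added example, not code from the thread or from Microsoft's articles. It audits the registry values those articles describe (the .NET Framework 4.x `SystemDefaultTlsVersions` and `SchUseStrongCrypto` DWORDs in both the 64-bit and WOW6432Node hives, and the Schannel `Enabled`/`DisabledByDefault` switches for TLS 1.0, 1.1 and 1.2 in the Client and Server roles), reports any drift, and with `-Apply` sets the documented values. It assumes PowerShell 5.1 on Windows Server 2016 and an elevated session; the `-Apply` switch and the output layout are the example's own. A reboot is still required afterwards, as the reply notes.

```powershell
# Added example (not from the thread or Microsoft's articles): audit the registry
# values from the Exchange TLS guidance Part 2/3 for .NET 4.x and Schannel,
# report drift, and optionally apply the documented values.
# Assumes PowerShell 5.1 on Windows Server 2016, run elevated; reboot after changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # the example's own switch; without it the script only reports
)

$netHives = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'   # read by 32-bit .NET processes
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: .NET 4.x follows the OS default (TLS 1.2) with strong crypto;
# Schannel has TLS 1.2 on and TLS 1.0/1.1 off for both Client and Server roles.
$desired = @(
    foreach ($hive in $netHives) {
        [pscustomobject]@{ Path = $hive; Name = 'SystemDefaultTlsVersions'; Value = 1 }
        [pscustomobject]@{ Path = $hive; Name = 'SchUseStrongCrypto';       Value = 1 }
    }
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $on = ($proto -eq 'TLS 1.2')
        foreach ($role in 'Client', 'Server') {
            $p = Join-Path (Join-Path $schannel $proto) $role
            [pscustomobject]@{ Path = $p; Name = 'Enabled';           Value = [int]$on }
            [pscustomobject]@{ Path = $p; Name = 'DisabledByDefault'; Value = [int](-not $on) }
        }
    }
)

function Get-TlsSetting {
    param([string]$Path, [string]$Name)
    # A missing key or value is returned as $null and treated as drift below.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($d in $desired) {
    $actual = Get-TlsSetting -Path $d.Path -Name $d.Name
    $ok = ($actual -eq $d.Value)

    if (-not $ok -and $Apply -and
        $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set DWORD to $($d.Value)")) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
        $actual = $d.Value
        $ok = $true
    }

    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    $status = if ($ok) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{
        Setting  = "$($d.Path -replace '^HKLM:\\', '')\$($d.Name)"
        Expected = $d.Value
        Actual   = $shown
        Status   = $status
    }
}

$report | Format-Table -AutoSize
if ($report.Status -contains 'DRIFT') {
    Write-Warning 'Settings differ from the guidance; re-run with -Apply and reboot to correct them.'
}
```

Run without `-Apply` first to see which of the values are absent or wrong; `-WhatIf` is honoured when `-Apply` is given, so the planned writes can be reviewed before they happen. Checking both .NET hives matters because a 32-bit .NET process reads the WOW6432Node key and will otherwise keep negotiating with the framework's own defaults even after Schannel has been restricted.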
Wednesday, December 5, 2018 3:34 PM
This worked for me. We had to Enable TLS 1.2 for .NET 4.x. We were also already running CU11 (as installed when we installed Exchange).
We are running Exchange 2016 with TLS 1.1 and 1.2 enabled.