A fatal error occurred while creating a TLS client credential
Your monitoring software alerts you to Event ID 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013. In this article, you will learn why this happens and how to solve the error "A fatal error occurred while creating a TLS client credential".
A fatal error occurred while creating a TLS client credential
Sign in to the Windows Server and start Event Viewer. Navigate to Windows Logs > System. You will see error Event ID 36871. A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Why do we get this error, and what is the solution for "A fatal error occurred while creating a TLS client credential. The internal error state is 10013"?
Check Transport Layer Security protocols
Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.
Download IIS Crypto GUI by Nartac Software. After the application is downloaded, start the application.
We see that Server Protocols and Client Protocols TLS 1.0 and TLS 1.1 are unchecked.
If we click on Best Practices, it enables TLS 1.0 and TLS 1.1 under both Server Protocols and Client Protocols. After a reboot, the event error no longer shows up. That fixes the symptom, but only by re-enabling deprecated protocols, which is not what we want.
So how do we keep TLS 1.0 and TLS 1.1 unchecked (disabled) without the fatal error TLS client credential 10013 showing up?
Transport Layer Security protocols status
Below is a list of the security protocols, the year each was published, and its current status.
Note: Only TLS 1.2 and TLS 1.3 are approved. TLS 1.3 can only be enabled on Windows Server 2022 or newer.
Protocol | Published | Status |
---|---|---|
SSL 2.0 | 1995 | Deprecated in 2011 |
SSL 3.0 | 1996 | Deprecated in 2015 |
TLS 1.0 | 1999 | Deprecated in 2020 |
TLS 1.1 | 2006 | Deprecated in 2020 |
TLS 1.2 | 2008 | Approved |
TLS 1.3 | 2018 | Approved |
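Instead of reading the checkboxes in IIS Crypto, you can audit the same Schannel registry keys directly. The script below is an added example, not part of the original article or the Enable-TLS1.2.ps1 script; it reads the Server and Client subkeys for every protocol in the table above, reports whether each is explicitly enabled, disabled, or left at the OS default, and warns when no client protocol is explicitly enabled or when a deprecated protocol is still on. The function name Get-SchannelProtocolState and the status labels are my own choices.

```powershell
# Added example (not from the original article): audit which Schannel protocol
# versions are explicitly enabled for the Server and Client side by reading the
# registry keys that IIS Crypto and the enable script manipulate.
# Schannel convention: Enabled=1 and DisabledByDefault=0 means "on".
# A missing key means the OS default applies (reported as 'OS default').

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$approved  = 'TLS 1.2', 'TLS 1.3'   # per the status table above

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Server' or 'Client'

    $path = Join-Path -Path $base -ChildPath "$Protocol\$Side"
    if (-not (Test-Path $path)) { return 'OS default' }

    $item              = Get-ItemProperty -Path $path
    $enabled           = $item.Enabled
    $disabledByDefault = $item.DisabledByDefault

    if ($null -eq $enabled -and $null -eq $disabledByDefault) { return 'OS default' }
    if ($enabled -eq 0)            { return 'Disabled' }
    if ($disabledByDefault -eq 1)  { return 'Disabled by default' }
    return 'Enabled'
}

$report = foreach ($p in $protocols) {
    [pscustomobject]@{
        Protocol = $p
        Server   = Get-SchannelProtocolState -Protocol $p -Side 'Server'
        Client   = Get-SchannelProtocolState -Protocol $p -Side 'Client'
        Approved = $approved -contains $p
    }
}
$report | Format-Table -AutoSize

# The situation this article describes: TLS 1.0/1.1 disabled on the client side
# and nothing explicitly enabled in their place. Whether an 'OS default' entry
# is actually on depends on the Windows version, so verify that before relying on it.
$clientOn = @($report | Where-Object { $_.Client -eq 'Enabled' })
if ($clientOn.Count -eq 0) {
    Write-Warning 'No protocol is explicitly enabled on the Client side; verify the OS defaults or enable TLS 1.2 (Event ID 36871 risk).'
}
$weakOn = @($report | Where-Object { -not $_.Approved -and ($_.Client -eq 'Enabled' -or $_.Server -eq 'Enabled') })
foreach ($w in $weakOn) {
    Write-Warning ("Deprecated protocol {0} is still enabled (Server={1}, Client={2})." -f $w.Protocol, $w.Server, $w.Client)
}

# .NET Framework 4.x values that the enable script on this page sets:
# SystemDefaultTlsVersions=1 makes managed apps follow the Schannel defaults,
# SchUseStrongCrypto=1 makes them prefer strong crypto.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
    '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f $net, $v.SystemDefaultTlsVersions, $v.SchUseStrongCrypto
}
```

Run it in an elevated PowerShell session before and after applying the fix; the expected end state is TLS 1.0 and TLS 1.1 reported as Disabled and TLS 1.2 reported as Enabled on both sides, with no warnings.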
Solution for a fatal error occurred while creating a TLS client credential
Now that we have gathered all the information, we will enable TLS 1.2 on the system by running the script. After a reboot, we check Event Viewer; it should not show any errors.
Run PowerShell as administrator. Download the Enable-TLS1.2.ps1 PowerShell script and run it from PowerShell, or copy the PowerShell script below.
```powershell
# .NET Framework 4.x (32-bit view): let managed apps use the OS default TLS versions and strong crypto
If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

# .NET Framework 4.x (64-bit view): same settings
If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

# Schannel: enable TLS 1.2 for the server side (Enabled=1, DisabledByDefault=0)
If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

# Schannel: enable TLS 1.2 for the client side (this is the side Event ID 36871 complains about)
If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take effect.' -ForegroundColor Cyan
```
Paste the script in PowerShell ISE and run the script.
Reboot the Windows Server.
Start Event Viewer. Expand Windows Logs and click System. The error "Event ID 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013." no longer shows up.
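Clicking through Event Viewer works for one server, but for a fleet you want the same check scripted. The function below is an added example, not part of the original article; it queries the System log for Schannel Event ID 36871 logged since the last boot (so only events after the reboot count) and pulls the internal error state out of the message text so you can confirm it is 10013 and not something else. The function name Get-SchannelCredentialErrors is my own.

```powershell
# Added example (not from the original article): verify after the reboot that
# Schannel has stopped logging Event ID 36871, and summarise any that remain by
# their "internal error state" so a different root cause is not mistaken for this one.
function Get-SchannelCredentialErrors {
    param(
        # Default to the last boot time so only events after the fix are counted
        [datetime]$Since = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = $Since
    }

    # Get-WinEvent raises a non-terminating error when nothing matches; that is the good case here
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'State'; Expression = {
                if ($_.Message -match 'internal error state is (\d+)') { $Matches[1] } else { 'unknown' }
            } },
            Message
}

$events = @(Get-SchannelCredentialErrors)
if ($events.Count -eq 0) {
    Write-Host 'No Schannel Event ID 36871 logged since the last boot.' -ForegroundColor Green
}
else {
    Write-Warning ("{0} Schannel 36871 event(s) since the last boot:" -f $events.Count)
    $events | Group-Object -Property State | Select-Object Name, Count | Format-Table -AutoSize
    $events | Select-Object -First 5 | Format-List TimeCreated, Message
}
```

Because the state value is parsed from the message, an entry other than 10013 in the summary tells you the remaining events are not the protocol-configuration problem this article fixes and need separate investigation. To check several servers, wrap the call in Invoke-Command against your computer list.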
Did it work for you?
Conclusion
You learned why you get the error "A fatal error occurred while creating a TLS client credential. The internal error state is 10013." The solution is to configure TLS 1.2 on the Windows Server. After that, the Event ID 36871 errors no longer appear in Event Viewer.
Did you enjoy this article? You may also like How to Enable TLS 1.2 on Windows Server. Don’t forget to follow us and share this article.
Hi Ali,
After making the changes on one out of four domain controllers, I've started getting event log 36871 on the TLS 1.2-only enabled DC.
I've double-checked the registry settings and they are identical to the above script.
When you made the changes in your environment, did you do it in a specific order?
1) domain controllers
2) exchange servers,
3) domain members
Thanks for your help!
What if i run this command on my network-connected machine?
Can you reference your other article (now more applicable) https://www.alitajran.com/exchange-server-tls/? I had this event viewer error and had already run through the scripts from that article. Maybe this event error has re-appeared since Microsoft released more updates and CUs. Anyway, I'm going to ignore the event error as the Health Checker script reports everything is in order. Thanks for your site and articles, very helpful, more so than Microsoft.
Your script worked well after then making change to the advanced internet settings in inetcpl.cpl to use only TLS 1.2. The error messages disappeared from my event log! Hooray!
Thank you man!
After a few days, your script solved the problem we had to execute a program.
Best wishes to you man!
Tested this on a client enterprise production environment and it doesn’t work
How about PC workstations in a domain? I am trying to disable weak ciphers and strengthen security across the LAN. I seem to have broken something if this TLS warning comes up on a PC.
Thank you very much. The error is gone.
It worked for me (Windows 10 Pro 64 21H2)! Thanks!
1. Internet Options > Advanced > Disable TLS 1.2 > Reboot PC
2. Internet Options > Advanced > Enable TLS 1.2 > Reboot PC
Disabling TLS, rebooting, enabling TLS, and rebooting doesn't work on Windows 11.
Also, scripts around here and on other internet sites to tweak the registry don't work.
Permissions are set as expected but no workarounds seem to fix this certificate issue, nor Windows updates.
I am getting the errors on a Windows 10 laptop. Ran your script, still getting errors.
I have the exact same due to running IIS Crypto disabling all but TLS 1.2. I have all the registry entries in the correct places based on your post, running Server 2016, along with Exchange 2016 CU22, and I am still receiving the event error. I verified everything is correct… but still occurring. Thoughts?
Good write up, very helpful
Great stuff again! Thanks Ali!
Greetz,
Cor, CT Taxes
Thanks, Cor. Glad that you enjoyed it.