skip to Main Content

A fatal error occurred while creating a TLS client credential

The monitoring software triggers you with the error Event ID 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013. In this article, you will learn why this is happening, and the solution for a fatal error occurred while creating a TLS client credential.

A fatal error occurred while creating a TLS client credential

Sign in to the Windows Server and start Event Viewer. Navigate to Windows Logs > System. You will see error Event ID 36871. A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

A fatal error occurred while creating a TLS client credential error

Why do we get this error, and what is the solution for a fatal error occurred while creating a TLS client credential. The internal error state is 10013?

Check Transport Layer Security protocols

Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.

Download IIS Crypto GUI by Nartac Software. After the application is downloaded, start the application.

We see that Server Protocols and Client Protocols TLS 1.0 and TLS 1.1 are unchecked.

A fatal error occurred while creating a TLS client credential IIS Crypto

If we click on Best Practices, it will enable Server Protocols and Client Protocols TLS 1.0 and TLS 1.1. After a reboot, the event error will not show up. When doing that, we fix the problem, but we enable the deprecated protocols. That’s what we do not want.

So how do we keep TLS 1.0 and TLS 1.1 unchecked (disabled) without a fatal error TLS client credential 10013 from showing up?

Transport Layer Security protocols status

See a list of the security protocols and when they are published, including the current status.

Note: Only TLS 1.3 and TLS 1.2 are approved. The protocol TLS 1.3 is only available to enable in Windows Server 2022 or newer.

ProtocolPublishedStatus
SSL 2.01995Deprecated in 2011
SSL 3.01996Deprecated in 2015
TLS 1.01999Deprecated in 2020
TLS 1.12006Deprecated in 2020
TLS 1.22008Approved
TLS 1.32018Approved

Solution for a fatal error occurred while creating a TLS client credential

Now that we gathered all the information, we are going to enable TLS 1.2 on the system by running the script. After a reboot, we will check the Event Viewer. It should not show any errors.

Run PowerShell as administrator. Download Enable-TLS1.2.ps1 PowerShell script and run it from PowerShell. Another way is to copy the below PowerShell script.

If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take effect.' -ForegroundColor Cyan

Paste the script in PowerShell ISE and run the script.

A fatal error occurred while creating a TLS client credential error PowerShell ISE

Reboot the Windows Server.

Start Event Viewer. Expand Windows Logs and click System. The error “Event ID 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.” doesn’t show up anymore.

Did it work for you?

Conclusion

You learned why you get a fatal error occurred while creating a TLS client credential. The internal error state is 10013. The solution to this problem is configuring TLS 1.2 on the Windows Server. After that, you don’t see the Event ID 36871 errors in Event Viewer.

Did you enjoy this article? You may also like How to Enable TLS 1.2 on Windows Server. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 16 Comments

  1. Hi Ali,

    After making the changes on one out of four domain controllers I’ve started getting event log 36871 on the TLS 1.2 only enabled DC
    I’ve double checked the registry settings and they are identical to the above script
    When you made the changes in your environment did you do it in a specific order
    1) domain controllers
    2) exchange servers,
    3) domain members
    Thanks for your help!

  2. Can you reference your other article (now more applicable) https://www.alitajran.com/exchange-server-tls/ I had this event viewer error and had already ran through the scripts from that article. Maybe this event error has re-appeared since Microsoft released more updates and CU’s – anyway I’m going to ignore the event error as the Health Checker script reports everything is in order. Thanks for your site and articles very helpful more so than Microsoft.

  3. Your script worked well after then making change to the advanced internet settings in inetcpl.cpl to use only TLS 1.2. The error messages disappeared from my event log! Hooray!

  4. Thank you man!
    After a few days, your script solve the problem we had to execute a program.
    Best wishes to you man!

  5. How about Pc workstations in a domain? I am trying to disable weak ciphers and strengthen security across the lan. I have seemed to have broken something if this TLS warning comes up on a Pc.

  6. 1. Internet Option – Advanced – Disable TLS 1.2 – Reboot PC
    2. Internet Option – Advanced – Enable TLS 1.2 – Reboot PC

    1. disabling TLS, rebooting + enabling TLS, rebooting doesn’t work on Windows 11.
      Also scripts around here and other internet sites to tweak registry don’t work.
      Permissions are set as expected but no workarounds seem to fix this certificate issue, nor Windows updates.

  7. I have the exact same do to running the IIS Crypt disabling all but TLS 1.2, have all the registry entries in the correct places based on your post, running Server 2016, along with Exchange 2016 CU22 and I am still receiving the event error. I verified everything is correct… but still occurring. Thoughts?

Leave a Reply

Your email address will not be published. Required fields are marked *