A Fatal Error Occurred While Creating a TLS Client Credential. The Internal Error State is 10013 Error Fix

A Fatal Error Occurred While Creating a TLS Client Credential. The Internal Error State is 10013

I’ve created restrictions on our client devices so that they are only allowed to use TLS 1.2. Now in the event viewer i see tons of error messages:

“A fatal error occurred while creating a TLS client credential. The internal error state is 10013.”

How to Fix it 

Enabling FIPS fixes the issue but the mail delivery stops which is a disadvantage on an Exchange server!

Changing the Read permission to “MachineKeys” folder broke our IIS and we had to restore the server from a backup (A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.)

creating-a-tls-client

By default, an OS that supports TLS 1.2 (for example, Windows 10) also supports legacy versions of the TLS protocol. When a connection is made by using TLS 1.2 and it doesn’t get a timely response, or when the connection is reset, the OS might try to connect to the target web service by using an older TLS protocol (such as TLS 1.0 or 1.1). This usually occurs if the network is busy, or if a packet drops in the network. After the temporary fallback to the legacy TLS, the OS will try again to make a TLS 1.2 connection.

What will be the status of such fallback traffic after Microsoft stops supporting the legacy TLS? The OS might still try to make a TLS connection by using the legacy TLS protocol. But if the Microsoft service is no longer supporting the older TLS protocol, the legacy TLS-based connection won’t succeed. This will force the OS to try the connection again by using TLS 1.2 instead.

If you are having connectivity issues with a specific resource or internet site, for example, then you should review your TLS/SSL settings. These settings can be accessed by running inetcpl.cpl and going to Advanced > Scroll down to Security and note the TLS settings.

Also Read : https //slr.napr.gov.ge Login

Assumption

For Part 2 of our TLS guidance series we assume you have already audited your on-premises Exchange Servers and applied all updates called out in Part 1: Getting Ready for TLS 1.2. Please perform the activities called out in part 1 if you have not prior to moving forward with any configurations outlined in part 2.

Enabling TLS 1.2

The method used to enable TLS 1.2 varies by the version of the Windows Server operating system. Some versions of Windows Server have TLS 1.2 enabled by default while others do not. Our steps will, regardless of the OS’ default state, configure TLS 1.2 so it is enabled and available for incoming (Server) connections and outgoing (Client) connections. From part 1 you should be familiar with the various components Exchange Server relies on such as Schannel, WinHTTP and .NET. Unless stated otherwise the same registry paths are used across all supported Windows Server operating systems.

Enable TLS 1.2 for Schannel

All Windows Server versions

TLS protocols are enabled or disabled in Windows Schannel by editing the Windows Registry. Each protocol version can be enabled or disabled independently. You don’t need to enable or disable one protocol version to enable or disable another protocol version.

he Enabled DWORD registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, the operating system’s default value will be used. We recommend configuring the value to have a consistent state across your servers.

The DisabledByDefault DWORD registry value defines whether the protocol version is used by default. This setting only applies when the application doesn’t explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be available for use by default. If the value is set to 1, the protocol version will not be available for use by default. If the value is not defined, the operating system’s default value will be used.

Also Read : Activate Games now in Vestavia

We recommend configuring the value to have a consistent state across your servers. For example; consider what would happen if TLS 1.2’s values were set to a combination of Enabled and DisabledByDefault both set to a value of 1. In this example an application could only use TLS 1.2 if the application specifically called for TLS 1.2. If the application did not specifically call for TLS 1.2, then it would not be able to use TLS 1.2 as even though the protocol is enabled, it is not in the default list of available protocols. To enable TLS 1.2 for both server (inbound) and client (outbound) connections on an Exchange Server please perform the following.

  1. From Notepad.exe, create a text file named TLS12-Enable.reg.
  2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

  1. Save TLS12-Enable.reg.
  2. Double-click the TLS12-Enable.reg file.
  3. Click Yes to update your Windows Registry with these changes.
  4. Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 4.x

This step is only required for Exchange Server 2013 or later installations where .NET 4.x is relied upon. The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

  1. From Notepad.exe, create a text file named NET4X-UseSchannelDefaults.reg.
  2. Copy, and then paste the following text.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001

  1. Save the NET4X-UseSchannelDefaults.reg file.
  2. Double-click the NET4X-UseSchannelDefaults.reg file.
  3. Click Yes to update your Windows Registry with these changes.
  4. Restart your computer for the change to take effect.

Be the first to comment

Leave a Reply