A fatal error occurred while creating a TLS client credential. The internal error state is 10013

Basically we had to enable TLS 1.2 for .NET 4.x. Making this registry change worked for me, and stopped the event log filling up with the Schannel error.

More information on the answer can be found here

Linked Info Summary

Enable TLS 1.2 at the system (SCHANNEL) level:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

(equivalent keys are probably also available for other TLS versions)

Tell .NET Framework to use the system TLS versions:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

This may not be desirable for edge cases where .NET Framework 4.x applications need to have different protocols enabled and disabled than the OS does.
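
A read-only check of the values this answer sets, for comparing the machine's state before and after the change. This is an added example, not part of the original answer; the function name `Get-TlsRegistryState` is hypothetical, and the subkeys for the other protocol versions are assumed to follow the same layout as the TLS 1.2 key shown above.

```powershell
# Read-only audit of the registry values discussed in the answer above.
# Get-TlsRegistryState is a hypothetical name chosen for this example.
function Get-TlsRegistryState {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $targets = @()
    # Assumption: other protocol versions use the same Client/Server layout as TLS 1.2.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                $targets += [pscustomobject]@{ Path = "$schannel\$proto\$role"; Name = $name }
            }
        }
    }
    # 64-bit and 32-bit (Wow6432Node) .NET Framework 4.x hives.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $targets += [pscustomobject]@{ Path = $hive; Name = 'SystemDefaultTlsVersions' }
    }
    foreach ($t in $targets) {
        $value = $null
        if (Test-Path -LiteralPath $t.Path) {
            $item = Get-ItemProperty -LiteralPath $t.Path -ErrorAction SilentlyContinue
            if ($item -and $item.PSObject.Properties[$t.Name]) { $value = $item.($t.Name) }
        }
        [pscustomobject]@{
            Key   = $t.Path
            Name  = $t.Name
            # A missing key or value means the operating system default is in effect.
            Value = if ($null -eq $value) { 'not set (OS default applies)' } else { $value }
        }
    }
}

$state = Get-TlsRegistryState
$state | Format-Table -AutoSize -Wrap

# Flag the two conditions the answer changes.
$tls12Client = $state | Where-Object { $_.Key -like '*TLS 1.2\Client' }
if ($tls12Client | Where-Object { ($_.Name -eq 'Enabled' -and $_.Value -eq 0) -or
                                  ($_.Name -eq 'DisabledByDefault' -and $_.Value -eq 1) }) {
    Write-Warning 'TLS 1.2 is disabled or off by default for the SCHANNEL client role.'
}
$state | Where-Object { $_.Name -eq 'SystemDefaultTlsVersions' -and $_.Value -ne 1 } |
    ForEach-Object { Write-Warning "SystemDefaultTlsVersions is not 1 under $($_.Key)" }
```

The script only reads the registry, so it can be run without changing the configuration it reports on.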

Author by

neildt

An enthusiastic IT professional, coming from a Classic ASP background. Currently programming with Visual Studio in C# .NET, Web Services (XSMX and Wcf), MS SQL Server, MySQL, and IIS 8.5. Interested in learning new technologies, design patterns and exciting career opportunities.

Updated on July 08, 2022

Comments

  • neildt
    neildt almost 2 years

    Recently deployed a Windows 2016 Standard Server, with Active Directory and Exchange 2016.

    We have disabled SSL 1.0, 2.0 and 3.0 for both Server and Client, and have disabled TLS 1.0 and TLS 1.1.

    We are repeatedly getting the following entry in our system log. What is causing this, and how can I fix it?

    • T0beus
      T0beus over 5 years
      We also saw the exact same error after the last round of Windows updates for October, 2018. Not sure of the exact cause yet. On Windows 10, the only update I am seeing that looks like it might matter is KB4462933. The only other update installed for October patches is for Adobe Flash. I'm pretty sure that is not causing anything. I'll post an answer or update if I find anything else. Oh, and we also have FIPS turned on and disabled SSL 3.0, TLS 1.0, and TLS 1.1. Turning off FIPS and re-enabling TLS 1.0 seems to work for now as a workaround. Remember to reboot after changes though.
    • neildt
      neildt over 5 years
      I can't enable TLS 1.0 otherwise our PCI compliance scan fails.
    • user1703401
      user1703401 over 5 years
      Surely you need to keep in mind that this is exactly what should happen. You prevent apps from using a secure connection of the wrong flavor. Next you need to find out exactly which ones generate this diagnostic so you can fix/uninstall them. Find people that troubleshoot this stuff every day on a site like serverfault.com
  • Paul Suart
    Paul Suart over 4 years
    I used IIS Crypto GUI (nartac.com/Products/IISCrypto) to make these registry changes after experiencing the same error. Just click "Best practices" then "Apply". Reboot. Job done 👍🏼
  • StarNamer
    StarNamer about 4 years
    Neither manually adding to the registry nor using IISCrypto worked for me. Still looking for a solution as having 4 of these errors every 10 seconds means it's almost impossible to check for anything else in the event log.
  • Alexey
    Alexey almost 4 years
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name SystemDefaultTlsVersions -Value 1
    Set-ItemProperty 'HKLM:\SOFTWARE\wow6432node\Microsoft\.NETFramework\v4.0.30319' -Name SystemDefaultTlsVersions -Value 1
  • bfhd
    bfhd about 3 years
    I too resolved this issue with IISCrypto, but I suspect making changes with that application also caused the problem in the first place.
  • LordDelacroix
    LordDelacroix almost 3 years
    This does NOT work for me. Any other ideas?
  • Jamie
    Jamie over 2 years
    Same problem (Windows 2016 - minus the Exchange issue). Added items to registry - looks like the only time the 4673 appears is when I check the event log. Pretty strange. This fix did not work for me.
  • Demetrios Christopher
    Demetrios Christopher over 2 years
    I don't know why this one is getting no love. None of the registry hacks worked for me but this did with regard to eliminating the System event log entries. It still doesn't fix the issue I'm having with making connections to TLS v1.x using .NET APIs in Windows 11.