A fatal error occurred while creating a TLS client credential.

Mathias Ottsen 116 Reputation points
2022-02-09T14:35:23.477+00:00

Hey guys,

I've created restrictions on our client devices so that they are only allowed to use TLS 1.2.

Now in the Event Viewer I see tons of error messages:

"A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

From a couple of Google searches (primarily https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions) I've tried the following:

Creating the TLS 1.2 key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
Create subkeys for Client and Server with: DisabledByDefault 0 & Enabled 1

Created DWORD entries for .NET 32 and 64 bit: 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' / 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' and SchUseStrongCrypto '1' - Steps repeated for each .NET Framework key v1.0, v2.0.50727 and so forth.

As an example

[Images: 172662-image.png, 172567-image.png]

Our devices are running Windows 10 Enterprise edition. I've tried to test the changes on my device which is running 20H2.

Anyone with an idea of how I can proceed with the troubleshooting?

Windows 10 Security

14 answers

  1. Nick M. Kulkarni 26 Reputation points
    2023-10-05T13:40:07.9066667+00:00

    There is an issue with the Microsoft documentation on enabling TLS and other security protocols.
    Older documentation shows that setting it via the registry key needs a DWORD Enabled = 1.

    Later documentation shows the DWORD Enabled = ffffffff.

    I have tested it recently and Enabled = 1 did not work; it had to be ffffffff.

    Nartac's IIS Crypto GUI app also sets ffffffff. Try using that app (https://www.nartac.com/Products/IISCrypto/Download) to set your servers and clients to Best Practices and reboot. See if that helps.

    However, I am finding some articles online that show the errors can also be logged when a slow network response causes the client to fall back to a deprecated version of TLS before 1.2 despite TLS 1.2 being correctly enabled.

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

    Note

    By default, an OS that supports TLS 1.2 (for example, Windows 10) also supports legacy versions of the TLS protocol. When a connection is made by using TLS 1.2 and it doesn't get a timely response, or when the connection is reset, the OS might try to connect to the target web service by using an older TLS protocol (such as TLS 1.0 or 1.1). This usually occurs if the network is busy, or if a packet drops in the network. After the temporary fallback to the legacy TLS, the OS will try again to make a TLS 1.2 connection.

    What will be the status of such fallback traffic after Microsoft stops supporting the legacy TLS? The OS might still try to make a TLS connection by using the legacy TLS protocol. But if the Microsoft service is no longer supporting the older TLS protocol, the legacy TLS-based connection won't succeed. This will force the OS to try the connection again by using TLS 1.2 instead.

    3 people found this answer helpful.

  2. Limitless Technology 39,746 Reputation points
    2022-02-15T23:06:31.54+00:00

    Hi @Mathias Ottsen

    "A fatal error occurred while creating a TLS client credential. The internal error state is 10013" occurs when the client and server cannot agree on a mutual cipher to use to establish a secure connection.

    If you are having connectivity issues with a specific resource or internet site, for example, then you should review your TLS/SSL settings. These settings can be accessed by running inetcpl.cpl and going to Advanced > Scroll down to Security and note the TLS settings.

    Here is a thread as well that discusses the same issue; you can try out some troubleshooting steps from it and see if that helps you to sort out the issue.

    A fatal error occurred while creating a TLS client credential. The internal error state is 10013
    https://social.technet.microsoft.com/Forums/office/en-US/5966745a-c792-4c3b-b98b-f2db284413d0/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013

    Hope this resolves your Query!!

    --------
    --If the reply is helpful, please Upvote and Accept it as an answer--

    2 people found this answer helpful.

  3. Karl Wester-Ebbinghaus 25 Reputation points
    2023-10-06T08:29:41.38+00:00

    Hi everyone, some state the value has to be 0xffffffff instead of 0x1 (decimal 1).

    Nartac, however, patched their product with the following note:

    Version 3.2 Build 16 - Released April 11, 2020

    • Added override enabled feature to set Protocols Enabled to 1 instead of 0xffffffff

    The referenced guidance still shows that a value of one is correct. Where did you see documentation changed to the other value?

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

    2 people found this answer helpful.

  4. Joakim Bergquist 6 Reputation points
    2022-08-03T10:25:29.527+00:00

    Any update on this?
    It seems to have shown up on our clients after some of the last months' KB patches.
    We see this on random clients now and it affects our 802.1X wireless authentication with client certificate.

    I have also tried the above reg fixes etc. but nothing seems to help. Microsoft Enterprise support was not very helpful.

    1 person found this answer helpful.

  5. Eke Dubois 6 Reputation points
    2022-08-31T15:42:34.097+00:00

    Same here @Joakim Bergquist

    Post Windows updates, more systems are being affected. Crashing suddenly. Need a fix.

    1 person found this answer helpful.
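
Added example, not posted by anyone in this thread: a read-only PowerShell audit of the registry values named in the question and of the Enabled = 1 versus ffffffff point raised in answers 1 and 3. It prints each DWORD in hex without judging which value is correct, then counts System-log events containing the quoted message per day; the `Schannel` provider name and the helper name `Get-DwordState` are assumptions of this example.

```powershell
# Added example: read-only audit of the registry values discussed in this thread.
# Run in an elevated PowerShell session on an affected client. Nothing is modified.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Hypothetical helper: returns the raw DWORD as hex, or 'not set' when the
# key or value is absent (in which case the OS default applies).
function Get-DwordState {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $raw = 'not set' }
    else { $raw = '0x{0:X8}' -f $item.$Name }   # distinguishes 0x00000001 from 0xFFFFFFFF
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $raw }
}

$report = @(
    foreach ($role in 'Client', 'Server') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            Get-DwordState -Path "$schannel\$role" -Name $name
        }
    }
    foreach ($key in $dotnet) {
        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            Get-DwordState -Path $key -Name $name
        }
    }
)
$report | Format-Table -AutoSize -Wrap

# Count events carrying the message quoted in the question, per day, so the
# effect of a registry change can be compared before and after a reboot.
# Assumption: the events are written to the System log by the 'Schannel' provider.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*internal error state is 10013*' } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
```

Running it once before and once after a change and reboot shows whether the stored value (1 or ffffffff) changed and whether the daily event count moved with it.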
