A fatal error occurred while creating a TLS client credential.

Question

Hey guys,

I've created restrictions on our client devices so that they are only allowed to use TLS 1.2

Now in the event viewer i see tons of error messages:

"A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

From a couple of google search (primarily https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions) i've tried the following:

Creating the TLS 1.2 key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
Create subkeys for Client and Server with: DisabledByDefault 0 & Enabled 1

Created dword entries for .net 32 and 64 bit: 'HKLM:\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319' / 'HKLM:\SOFTWARE\Microsoft.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' and SchUseStrongCrypto '1' - Steps repeated for each .net framework key v1.0, v2.0.50727 and forth.

As an example

Our devices are running Windows 10 Enterprise edition. I've tried to test the changes on my device which is running 20H2.

Anyone with an idea of how i can proceed with the troubleshooting?

Answer 1

There is an issue with the Microsoft documentation on enabling TLS and other security protocols.
Older documentation shows setting via registry key needs a DWORD enabled = 1

later documentation shows the DWORD enabled = ffffffff

I have tested it recently and enabled =1 did not work it had to be ffffffff.

Nartac's IIS Crypto GUI app also sets ffffffff . Try using that app https://www.nartac.com/Products/IISCrypto/Download

to set your servers and clients to Best Practices and rebooting. See if that helps.

However, I am finding some articles online that show the errors can also be logged when a slow network response causes the client to fall back to a deprecated version of TLS before 1.2 despite TLS 1.2 being correctly enabled.

https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

Note

By default, an OS that supports TLS 1.2 (for example, Windows 10) also supports legacy versions of the TLS protocol. When a connection is made by using TLS 1.2 and it doesn't get a timely response, or when the connection is reset, the OS might try to connect to the target web service by using an older TLS protocol (such as TLS 1.0 or 1.1). This usually occurs if the network is busy, or if a packet drops in the network. After the temporary fallback to the legacy TLS, the OS will try again to make a TLS 1.2 connection.

What will be the status of such fallback traffic after Microsoft stops supporting the legacy TLS? The OS might still try to make a TLS connection by using the legacy TLS protocol. But if the Microsoft service is no longer supporting the older TLS protocol, the legacy TLS-based connection won't succeed. This will force the OS to try the connection again by using TLS 1.2 instead.

Answer 2

Hi @Mathias Ottsen

"A fatal error occurred while creating a TLS client credential. The internal error state is 10013" occurs when the client and server cannot agree on a mutual cipher to use to establish a secure connection.

If you are having connectivity issues with a specific resource or internet site, for example, then you should review your TLS/SSL settings. These settings can be accessed by running inetcpl.cpl and going to Advanced > Scroll down to Security and note the TLS settings.

Here is a thread as well that discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

A fatal error occurred while creating a TLS client credential. The internal error state is 10013
https://social.technet.microsoft.com/Forums/office/en-US/5966745a-c792-4c3b-b98b-f2db284413d0/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013

Hope this resolves your Query!!

--------
--If the reply is helpful, please Upvote and Accept it as an answer--

Answer 3

Hi everyone, some state the value has to be 0xffffffff instead of 0x1 (Decimal 1)

Nartac however patched their product with the following note

Version 3.2 Build 16 - Released April 11, 2020

• Added override enabled feature to set Protocols Enabled to 1 instead of 0xffffffff

The referred guidance still shows that value of one is correct. Where did you see documentation changed to the other value?

https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

Answer 4

Any update on this?
It seems to have shown up on our clients after some of the last months KB patches.
We see this on random clients now and it affect our 802.1.x wireless authentication with client certificate.

I have also tried above regfixes etc but nothing seem to help. Microsoft Enterprise support was not very helpful.

Answer 5

Same here @Joakim Bergquist

Post Windows updates, more systems are being affected. Crashing suddenly. Need a fix.