A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    Question

  • Hi All

    I am seeing the below event appearing in the system log on all our Exchange 2013 servers regularly. I am not seeing any connectivity issues between any clients and the servers and no other issues have been reported at this stage.

    Log Name:      System
    Source:        Schannel
    Date:          10/04/2015 9:21:17 AM
    Event ID:      36871
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:     
    Description:
    A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    I am not sure if it's related to the public certificate we are using or if it's related to the one provided from the local CA. I have searched and found other links that suggest it could be related to SSL versions being disabled etc.

    All servers are running Windows 2012 R2 Datacenter. The Exchange CAS servers also sit behind a pair of F5 BIG-IP Load Balancers.

    Any suggestions on where to look?

    Thanks


    Friday, April 10, 2015 2:39 AM

Answers

All replies

  • Hi,

    According to the event log, the issue is related to Schannel instead of Exchange. Please try the following steps:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Run gpupdate /force

    If it doesn't work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission on the "MachineKeys" folder. Then restart the server and try again.

    Here is a similar thread for your reference:

    https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Monday, April 13, 2015 9:03 AM
    Moderator
  • Hi,

    Any updates?

    Regards,



    Winnie Liang
    TechNet Community Support

    Wednesday, April 15, 2015 2:43 AM
    Moderator
  • I have the same error and tried your steps, but I am getting the error :(
    Thursday, March 31, 2016 3:02 PM
  • Hi,

    According to the event log, the issue is related to Schannel instead of Exchange. Please try the following steps:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Run gpupdate /force

    If it doesn't work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission on the "MachineKeys" folder. Then restart the server and try again.

    Here is a similar thread for your reference:

    https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates

    Regards,



    Winnie Liang
    TechNet Community Support

    Good advice, it fixed my issues with ADFS. I had configured ADFS to listen only on TLS 1.2, but immediately after that, the fatal error.

    Thanks.

    Tuesday, August 2, 2016 10:37 AM
  • Enabling FIPS did work but it broke several other things on our network. We then used IISCrypto and enabled server defaults and this finally resolved the issue.
    Wednesday, November 30, 2016 3:53 PM
  • That's not a good idea. Better check the protocols (SSL/TLS) enabled on that specific server.
    Monday, January 1, 2018 10:41 AM
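
The replies above point at three machine-wide settings: the SSL/TLS protocols enabled for Schannel, the FIPS policy, and the ACL on the MachineKeys folder. The following read-only PowerShell audit is an added example, not part of any post in this thread; the function names are hypothetical, and it assumes an elevated session on the affected server.

```powershell
# Added example: read-only audit of the settings this thread discusses. Changes nothing.
$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Hypothetical helper: return a registry value, or a marker when it is absent.
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set (OS default applies)' } else { $item.$Name }
}

# Hypothetical helper: list explicit per-protocol overrides for both roles.
# The Client rows matter here because event 36871 concerns a client credential.
function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = "$protoBase\$proto\$role"
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = Get-RegValueOrDefault -Path $key -Name 'Enabled'
                DisabledByDefault = Get-RegValueOrDefault -Path $key -Name 'DisabledByDefault'
            }
        }
    }
}

'--- Schannel protocol overrides ---'
Get-SchannelProtocolState | Format-Table -AutoSize

'--- FIPS policy (1 = enabled) ---'
Get-RegValueOrDefault -Path $fipsKey -Name 'Enabled'

'--- ACL on MachineKeys ---'
(Get-Acl -Path $keyDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

'--- Recent event 36871 ---'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Capturing this output before and after any change (FIPS policy, IISCrypto, manual registry edits) gives a record of what actually differed when the event stopped or other services broke.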
  • Thank you so much!!! This worked for me and I have been banging my head for two days.
    Thursday, May 31, 2018 2:37 PM
  • Enabling FIPS compliance gets rid of the Schannel error, but it breaks Exchange 2016 and one of the services crashes.

    Thursday, June 7, 2018 2:54 PM
  • I tried to configure the ODBC settings and got the error in Windows 2012 R2.

    Error:

    event id 36871 windows 2012 r2 A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    This solution fixed this:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Ran gpupdate /force

    Regards,

    Leo vinoth Louis


    • Edited by leovinoth Thursday, June 7, 2018 9:05 PM
    Thursday, June 7, 2018 9:03 PM