Event ID 36871 A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

  • Question

  • We have two Exchange 2016 Std servers in a DAG environment.  We are on CU 10 and we have disabled TLS 1.0 and TLS 1.1, but TLS 1.2 is enabled, and we followed all three guidelines on how to disable TLS 1.0 and 1.1 in our environment.

    Since installing the 2018-11 (2016) updates last Friday (11/23) I have been noticing that at certain times of the day on the Exchange server(s) we are getting several of these errors.


    Event ID 36871 A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

    Before 7am there could be none and around 7:15 am there can be 60.

    Also we didn’t have any errors Saturday or Sunday or this past Wednesday.  Which is very odd.

    The errors are not continuous, and by 9:30 there could be none in the last hour.

    Before 11/23/2017 the last time we had any of these was 10/17.

    Any help or insight into why these errors are now occurring would be great.

    Again, they did not start happening until we installed KB4465659, KB4467691 and KB890830.


    Jeff Tresnak

    Friday, November 30, 2018 1:39 PM

Answers

  • I believe I solved my problem.

    Difference 1

    I skipped the "Enable TLS 1.2 for .NET 3.5" step, as the directions said to do: "Exchange Server 2013 or Later installations may skip this step unless you have additional applications on the server utilizing .NET 3.5 which must be able to use TLS 1.2".

    I did skip this because we have a 2016 server.  My advice is not to skip it.  Since the only time we received these errors was when I used Remote Desktop, my guess is it might use .NET 3.5.

    Difference 2

    I applied the same DisabledByDefault and Enabled logic used for disabling TLS 1.0 and 1.1 to SSL 2.0 and 3.0.  I undid this and left it like it was before I changed anything, and no more Schannel errors (Event ID 36871).

    So in one case I did exactly what the directions said, and in the other case I applied the directions to all the protocols.  Anyway, no more errors.   I hope this helps someone.

    Thanks


    Jeff Tresnak

    • Marked as answer by Jeff Tresnak Friday, June 21, 2019 6:21 PM
    Friday, June 21, 2019 6:21 PM
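The two differences in the accepted answer both come down to registry state: the per-protocol Schannel keys (Enabled / DisabledByDefault under Client and Server) and the .NET Framework keys that let .NET 3.5 use TLS 1.2. The read-only audit below is an added example, not code from the thread or from the Exchange TLS guidance; it assumes an elevated PowerShell session on the Exchange server and only reports what is set, flagging the two configurations the answer found to matter.

```powershell
# Added example (not from the thread): read-only audit of the Schannel protocol keys and
# the .NET Framework TLS keys discussed in the accepted answer. Changes nothing.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-ProtocolState {
    # One row per protocol/side; $null means the value is absent and the OS default applies.
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $schannel $p) $side
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                KeyExists         = [bool]$props
                Enabled           = if ($props) { $props.Enabled } else { $null }
                DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
            }
        }
    }
}

function Get-DotNetTlsState {
    # SchUseStrongCrypto / SystemDefaultTlsVersions for .NET 4.x (v4.0.30319) and
    # .NET 2.0/3.5 (v2.0.50727), in both the 64-bit and Wow6432Node registry views.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
        foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
            $key   = Join-Path $root $ver
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key                      = $key
                SchUseStrongCrypto       = if ($props) { $props.SchUseStrongCrypto } else { $null }
                SystemDefaultTlsVersions = if ($props) { $props.SystemDefaultTlsVersions } else { $null }
            }
        }
    }
}

Get-ProtocolState  | Format-Table -AutoSize
Get-DotNetTlsState | Format-Table -AutoSize

# Difference 2: SSL 2.0/3.0 explicitly configured rather than left at OS defaults.
Get-ProtocolState | Where-Object { $_.Protocol -like 'SSL*' -and $_.KeyExists } |
    ForEach-Object { Write-Warning "$($_.Protocol) $($_.Side) is explicitly configured (answer left SSL 2.0/3.0 untouched)." }

# Difference 1: the .NET 3.5 (v2.0.50727) strong-crypto value missing, i.e. the skipped step.
Get-DotNetTlsState | Where-Object { $_.Key -like '*v2.0.50727' -and $null -eq $_.SchUseStrongCrypto } |
    ForEach-Object { Write-Warning "$($_.Key): SchUseStrongCrypto not set ('Enable TLS 1.2 for .NET 3.5' step skipped)." }
```

Run it before and after applying the TLS guidance so the two states can be compared side by side.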

All replies

  • Hi Jeff Tresnak,

    From this thread, we can see this event is related to Schannel; you can try the steps below:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Run gpupdate /force

    If it doesn't work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission on the "MachineKeys" folder. Then restart the server and try again.

    Regards,

    Kyle Xu



    Monday, December 3, 2018 4:14 AM
    Moderator
  • Thank you for your help but

    I found that post before I entered this question.   Neither of those suggestions stopped these Schannel errors from happening.  Unfortunately that is not the answer.    Again I would like to reiterate that we did not get any Schannel errors since 10/17/18.   The only thing that happened on 11/23/2018 was installing the following three updates:

    2018-11 Update for Windows Server 2016 for x64-based Systems (KB4465659)

    2018-11 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4467691)

    Windows Malicious Software Removal Tool x64 - November 2018 (KB890830)

    I believe these updates caused these errors to start happening again....


    Jeff Tresnak

    Wednesday, December 5, 2018 1:55 PM
  • Hi Jeff Tresnak,

    Did you try to uninstall those two KBs? Is this event gone?

    I would also suggest you try to update Exchange to the latest version. Note: Before updating Exchange 2016 to CU 11, you should run prepare AD with the Exchange 2016 CU 11 media first.

    Regards,

    Kyle Xu



    Monday, December 10, 2018 9:46 AM
    Moderator
  • I have installed CU12 and this is still a problem on both Exchange servers.  In the Schannel event log, after using Remote Desktop to connect to the server, there are consistently 68 Schannel errors.

    Log Name:      System
    Source:        Schannel
    Date:          6/21/2019 8:25:25 AM
    Event ID:      36871
    Task Category: None
    Level:         Error
    Keywords:
    User:          SYSTEM
    Computer:      EHS21542128.XXXXXXX.local
    Description:
    A fatal error occurred while creating a TLS client credential. The internal error state is 10013.


    Interestingly enough, when I re-enable TLS 1.0 these errors disappear.

    It's very odd that the Exchange Team blog posts "Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2", part 2 and part 3 do not mention anywhere how to solve this problem, or that this might happen as a direct result of disabling TLS 1.0 on any server.   Any insight would be great.   We have group policies in place to disable TLS 1.0 and 1.1 on all desktop computers.   So I do not know why this is happening.


    Jeff Tresnak

    Friday, June 21, 2019 2:00 PM