none
A fatal error occurred while creating a TLS client credential. The internal error state is 10013 RRS feed

Answers

  • Hi,

    To enable TLS 1.2 on Exchange server, first we need to ensure that your Exchange server is ready for this:

    Exchange Server 2016
    Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
    Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

    Windows Server 2016
    TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
    Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

    Then make sure you have enabled TLS 1.2 for Schannel and for .NET, disable TLS 1.0 and 1.1 in Schannel, follow the steps described in the articles below:

    Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
    Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

    Hope it helps.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, November 29, 2018 8:57 AM
    Moderator

All replies

  • Hi,

    To enable TLS 1.2 on Exchange server, first we need to ensure that your Exchange server is ready for this:

    Exchange Server 2016
    Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
    Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

    Windows Server 2016
    TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
    Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

    Then make sure you have enabled TLS 1.2 for Schannel and for .NET, disable TLS 1.0 and 1.1 in Schannel, follow the steps described in the articles below:

    Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
    Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

    Hope it helps.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, November 29, 2018 8:57 AM
    Moderator
  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to shareexplore and talk to experts about Microsoft Teams.

    Monday, December 3, 2018 9:16 AM
    Moderator
  • Sorry for the delay replying but other work has taken priority.

    Thanks for your reply, we are currently running CU11 (which now supports .NET 4.72 as well as 4.71)

    I've seen the articles you referenced before, shame I didn't read them properly! What I has missed was 'Enable TLS 1.2 for .NET 4.x' in the Part 2 article. What's a bit odd is that although this article is about Enabling TLS 1.2, TLS 1.2 has been working fine for over a month (apart from the Schannel errors).

    It's only been half an hour but since making the registry changes and restarting we haven't had a single Schannel error and as we were getting 10-20 per second it looks as though it is fixed.

    Wednesday, December 5, 2018 12:07 AM
  • This worked for me.  We had to Enable TLS 1.2 for .NET 4.x.   We were also already running CU11 (as installed when we installed Exchange).

    We are running Exchange 2016 with TLS 1.1 and 1.2 enabled.  

    Wednesday, December 5, 2018 3:34 PM