A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    Question

  • Hi All

    I am seeing the below event appearing in the system log on all our Exchange 2013 servers regularly. I am not seeing any connectivity issues between any clients and the servers and no other issues have been reported at this stage.

    Log Name:      System
    Source:        Schannel
    Date:          10/04/2015 9:21:17 AM
    Event ID:      36871
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:     
    Description:
    A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    I am not sure if it's related to the public certificate we are using or if it's related to the one provided by the local CA. I have searched and found other links that suggest it could be related to SSL versions being disabled, etc.

    All servers are running Windows 2012 R2 Datacenter. The Exchange CAS servers also sit behind a pair of F5 BIG-IP load balancers.

    Any suggestions on where to look?

    Thanks


    Friday, April 10, 2015 2:39 AM

Answers

All replies

  • Hi,

    According to the event log, the issue is related to Schannel rather than Exchange. Please try the following steps:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Run gpupdate /force.

    If it doesn't work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission on the "MachineKeys" folder. Then restart the server and try again.

    Here is a similar thread for your reference:

    https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Monday, April 13, 2015 9:03 AM
    Moderator
  • Hi,

    Any updates?

    Regards,



    Winnie Liang
    TechNet Community Support

    Wednesday, April 15, 2015 2:43 AM
    Moderator
  •   I have the same error, and tried your steps, but getting the error :(
    Thursday, March 31, 2016 3:02 PM
  • Good advice, it fixed my issues with ADFS. I had configured ADFS to listen only on TLS 1.2, but immediately after that the fatal error appeared.

    Thanks.

    Tuesday, August 2, 2016 10:37 AM
  • Enabling FIPS did work but it broke several other things on our network. We then used IISCrypto and enabled server defaults and this finally resolved the issue.
    Wednesday, November 30, 2016 3:53 PM
  • That's not a good idea. Better to check the protocols (SSL/TLS) enabled on that specific server.
    Monday, January 1, 2018 10:41 AM
  • Thank you so much!!! This worked for me and I have been banging my head for two days.
    Thursday, May 31, 2018 2:37 PM
  • Enabling FIPS compliance gets rid of the Schannel error, but it breaks Exchange 2016 and one of the services crashes.

    Thursday, June 7, 2018 2:54 PM
  • I tried to configure the ODBC settings and got the error on Windows 2012 R2.

    Error:

    event id 36871 windows 2012 r2 A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    This solution fixed it:

    1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2. In Local Security Settings, expand Local Policies, and then click Security Options.

    3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    4. Run gpupdate /force.

    Regards,

    Leo vinoth Louis


    • Edited by leovinoth Thursday, June 7, 2018 9:05 PM
    Thursday, June 7, 2018 9:03 PM
  • Enabling FIPS cleared the issue for me
    Tuesday, September 4, 2018 6:37 PM
  • This didn't work for me.
    Friday, November 2, 2018 2:32 PM
  • Enabling FIPS is not the solution. FIPS = Federal Information Processing Standards.

    When a company needs to be PCI compliant, then FIPS is not an option. Rather, one would need to know which protocol or cipher is not working out for the server. I'm guessing that if you enable SSL the error goes away, but that's not an option. Thus there must be another way of fixing this problem.

    Thursday, November 15, 2018 8:06 AM
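The reply above asks which protocol or cipher is actually failing rather than masking the event with FIPS. The script below is an added example, not code from the thread or from any Microsoft documentation: a read-only audit that groups the Schannel 36871 events by their "internal error state", lists the explicit Schannel protocol switches (an absent key means the OS default applies), reads the .NET Framework SchUseStrongCrypto / SystemDefaultTlsVersions values that later replies point at, and reports the FIPS policy state. The function names are mine; it assumes Windows Server 2012 R2 or later and an elevated PowerShell session, and it changes nothing.

```powershell
# Added example, not from the thread. Read-only audit for Schannel event 36871 /
# error state 10013. Run elevated on the affected server; nothing is modified.
# Function names (Get-SchannelEvents, Get-ProtocolState, Get-DotNetTlsState) are
# this example's own.

function Get-SchannelEvents {
    param([int]$Hours = 24)
    # Group the 36871 events by the "internal error state" number so the 10013
    # (client-credential) variant can be told apart from other error states.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { [regex]::Match($_.Message, 'internal error state is (\d+)').Groups[1].Value } |
        Select-Object @{ n = 'ErrorState'; e = { $_.Name } }, Count,
                      @{ n = 'Last'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

function Get-ProtocolState {
    # An explicit Enabled=0 (or DisabledByDefault=1) under a Client/Server key is
    # what the replies mean by "TLS 1.0 disabled in the registry". A missing key
    # means the OS default for that protocol applies.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $root "$proto\$side"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $p -and $null -ne $p.Enabled) { $p.Enabled } else { '(default)' }
                DisabledByDefault = if ($null -ne $p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

function Get-DotNetTlsState {
    # Managed code (Exchange services, ADFS, anything on .NET Framework) does not
    # automatically follow the Schannel switches. Without these values, .NET
    # Framework versions before 4.6 default outbound connections to SSL 3.0/TLS 1.0,
    # so turning TLS 1.0 off in Schannel leaves them with nothing to negotiate.
    $keys = foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') { "HKLM:\$hive\Microsoft\.NETFramework\$ver" }
    }
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = if ($null -ne $p.SchUseStrongCrypto) { $p.SchUseStrongCrypto } else { '(unset)' }
            SystemDefaultTlsVersions = if ($null -ne $p.SystemDefaultTlsVersions) { $p.SystemDefaultTlsVersions } else { '(unset)' }
        }
    }
}

# FIPS policy: the contested workaround in this thread. 1 = enabled.
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue

'== Schannel 36871 events, last 24h =='
Get-SchannelEvents | Format-Table -AutoSize
'== Schannel protocol switches (Client = outbound, Server = inbound) =='
Get-ProtocolState | Format-Table -AutoSize
'== .NET Framework TLS values =='
Get-DotNetTlsState | Format-Table -AutoSize
"== FIPS policy Enabled: $($fips.Enabled) =="
```

Read the three tables together: "TLS 1.0 / Client / Enabled = 0" next to ".NET values (unset)" is the combination the later replies describe, where the outbound client side has no protocol left that managed code will use, and the 10013 events line up with that. Run it before and after any change so the effect of a single registry edit is visible rather than guessed at.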
  • Hello

    This error is likely being caused by disabling TLS 1.0 in the registry.

    When you enable FIPS, it actually also enables TLS 1.0 behind the scenes and overrides other registry keys that harden Schannel.

    The best thing to do is to download iiscrypto.exe, enable TLS 1.0 and reboot; you will notice that these items go away. Instead of using the server defaults in IISCrypto, just re-enable TLS 1.0 and you should be good to go.

    Note: I see these errors in my Exchange 2013 environment and I ignore them. So far nothing has actually stopped working, and this way I have been able to enforce TLS 1.1 and TLS 1.2 for my Exchange Frontend website (OWA, ECP, etc.).

    I am also using an ECC certificate instead of an RSA cert, for better performance and security.

    Wednesday, November 21, 2018 3:48 AM
  • I don't think it's good advice to enable TLS 1.0 to get rid of errors! Early TLS (and SSL too) is not safe to use any more and hasn't been for a while now.

    Source (I picked one; there are many):

    https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls


    • Edited by TheRitz NL Thursday, November 22, 2018 6:18 AM
    Thursday, November 22, 2018 6:18 AM
  • I and another user had the same issue with a 2016 Exchange Server.

    In both our cases enabling FIPS stopped mail transfer, and making permission changes to the MachineKeys folder completely broke our installations; we both had to restore from backup.

    I did find a solution to my problem which required registry changes to .NET to enable support for TLS 1.2. Full details are here: https://social.technet.microsoft.com/Forums/office/en-US/5966745a-c792-4c3b-b98b-f2db284413d0/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013?forum=Exch2016Adm

    Wednesday, December 5, 2018 12:14 AM
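The last reply's fix, as an added example that is not from the thread or from the linked post: the .NET Framework registry values that make managed code follow the operating system's Schannel defaults (SystemDefaultTlsVersions) and prefer strong protocols (SchUseStrongCrypto), written for both the 64-bit and WOW6432Node hives and for both the 2.0 and 4.0 runtimes, plus an explicit enable of TLS 1.2 on the Schannel client and server side. These are the same values Microsoft's Exchange Server TLS guidance sets. The helper name is mine; the script assumes 64-bit Windows, an elevated session, and honours -WhatIf so it can be previewed first.

```powershell
# Added example, not from the thread. Registry remediation for Schannel 36871 /
# 10013 after TLS 1.0 has been turned off: point .NET Framework at the OS TLS
# defaults and make sure TLS 1.2 is enabled in Schannel. Run elevated; reboot
# afterwards. Supports -WhatIf. Set-DwordValue is this example's own helper.
[CmdletBinding(SupportsShouldProcess)]
param()

function Set-DwordValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, [int]$Value)
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set DWORD = $Value")) {
        # New-Item -Force creates any missing parent keys as well.
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }
}

# 1. .NET Framework: both hives (64-bit and 32-bit processes) and both runtimes.
#    SystemDefaultTlsVersions = follow Schannel; SchUseStrongCrypto = prefer TLS 1.2
#    and drop SSL 3.0 from the managed default set.
$netRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
)
foreach ($root in $netRoots) {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $path = Join-Path $root $ver
        Set-DwordValue -Path $path -Name SystemDefaultTlsVersions -Value 1
        Set-DwordValue -Path $path -Name SchUseStrongCrypto       -Value 1
    }
}

# 2. Schannel: make TLS 1.2 explicitly available for outbound (Client) and
#    inbound (Server) handshakes so there is something left to negotiate once
#    TLS 1.0 and 1.1 are disabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($side in 'Client', 'Server') {
    $path = Join-Path $schannel "TLS 1.2\$side"
    Set-DwordValue -Path $path -Name Enabled           -Value 1
    Set-DwordValue -Path $path -Name DisabledByDefault -Value 0
}

Write-Host 'Registry updated. Reboot so Schannel and running .NET services pick up the change.'
```

Two caveats a practitioner would want. First, these values are machine-wide: every .NET application on the box starts negotiating TLS 1.2 after the reboot, so anything it talks to (load balancer health probes, the local CA, SQL, third-party appliances) must also speak TLS 1.2. Second, Exchange itself needs a cumulative update that supports TLS 1.2 before TLS 1.0 is disabled; check Microsoft's Exchange Server TLS guidance for the minimum CU for your version, and test on one server before touching the rest of the DAG or CAS pool.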