Cyber Security / Servers & Services / Software / Tools & Utilities / Web

A fatal error occurred while creating a TLS client credential. The internal error state is 10013 How to fix a nasty TLS error that can flood your Windows Registry when you disable SSL and TLS insecure versions using IISCrypto or other means

- by Ryan - Leave a Comment 212
Triangolo giallo sull'icona Rete di Windows: cosa significa e come eliminarlo

If you stumbled upon this post, it most likely means you are seeing the following error flooding your Windows Registry:

A fatal error occurred while creating a TLS client credential. The internal error state is 10013

The SSPI client process is w3wp (PID: <variable PID number>).

If that's the case, you are in the right place: in this post, we'll take care of that.

Error Explanation

9 times out of 10 the above error is a consequence of disabling SSL 1.0, 2.0, and 3.0 for both Server and Client, as well as TLS 1.0 and TLS 1.1 using Nartac Software's IISCrypto or other techniques. Disabling these protocols is a best practice nowadays, as all of them are considered to be insecure (for good reasons: if you want to know more, read this post). However, if you do that you might cause some compatibility issues with clients or applications that rely on these older protocols: more specifically, you will determine a verified issue if your server hosts web applications relying upon .NET 3.5 or .NET 4.0 frameworks (such as Windows Forms or MVC websites, older versions of Exchange Server, and the likes), which is known to generate the above Windows Registry error we are trying to fix.

To prevent that from happening, we need to perform the following steps:

  • Enable TLS 1.2 for Schannel (which should be automatically done by IISCrypto).
  • Enable TLS 1.2 for .NET 2.0 and 3.5 (which is NOT automatically done, and must be handled manually).
  • Enable TLS 1.2 for .NET 4.0 (which is NOT automatically done, and must be handled manually).

Let's quickly see how we can perform these steps.

Enable TLS 1.2 for Schannel

TLS protocols are enabled or disabled in Windows Schannel by editing the Windows Registry using the Enabled DWORD registry value. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version; if the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, the operating system’s default value will be used. Additionally, the DisabledByDefault DWORD registry value can be used to define whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be available for use by default. If the value is set to 1, the protocol version will not be available for use by default. If the value is not defined, the operating system’s default value will be used.

That said, here's how we can enable TLS 1.2 for Schannel:

  • From Notepad.exe, create a text file named TLS12-Enable-Schannel.reg
  • Copy and paste the following text into the file:
  • Save the TLS12-Enable-Schannel.reg file.
  • Double-click the TLS12-Enable-Schannel.reg file.
  • Click Yes to update your Windows Registry with these changes.
  • Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 2.0 and 3.5

This step is required if your server hosts web applications that rely upon .NET Framework v2.0 and/or 3.5.

  • From Notepad.exe, create a text file named TLS12-Enable-NET35.reg
  • Copy and paste the following text into the file:
  • Save the TLS12-Enable-NET35.reg file.
  • Double-click the TLS12-Enable-NET35.reg file.
  • Click Yes to update your Windows Registry with these changes.
  • Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 4.x

This step is required if your server hosts web applications that rely upon the .NET Framework v4.x.

  • From Notepad.exe, create a text file named TLS12-Enable-NET4.reg
  • Copy and paste the following text into the file:
  • Save the TLS12-Enable-NET4.reg file.
  • Double-click the TLS12-Enable-NET4.reg file.
  • Click Yes to update your Windows Registry with these changes.
  • Restart the machine for the changes to take effect.

Conclusion

That's it: if you enable TLS 1.2 this way (and reboot your computer), the issue with the Windows Registry error will likely disappear. We hope that this small guide will help other System Administrators (and .NET developers) to get rid of that error.

 

Print Friendly, PDF & EmailPrint Friendly & PDF Download

Related Posts

How to block File Sharing for one or more IP Addresses in Windows

How to disable the Task Scheduler Service on Windows Server A useful method to stop / disable the Task Scheduler Service in all editions of Windows

Zeus Malware (and modern variants) what it is and how to prevent it

Are your HTTPS configuration settings good enough for 2024? A brief review of all the HTTPS protocols (from SSL v1 to TLS v1.3), a list of their known vulnerabilities, and how to secure your web server

Types of Proxy Servers: SOCKS, HTTP(S), FTP, SSL

Types of Proxy Servers: SOCKS, HTTP(S), FTP, SSL A high-level overview of the various proxy server protocols available nowadays and the main benefits they provide

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.