• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 434
  • Last Modified:

Disabling TLS 1.0 causes errors Server 2012R2

I am in the process of setting up our Windows Server 2012R2 VM in Azure for PCI compliant ciphers and protocols. When I disable TLS 1.0 I get an error in my system log:

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
with an Event ID of 36871

Most of the answers I have seen are for server 2008 and in regards to SMTP. There is nothing that runs SMTP on this server, it's just an IIS box hosting a few web services. RDP works just fine, everything else seems fine, kind of confused as to why disabling TLS 1.0 would do this. When I re-enable it, the errors go away.  

Any Suggestions?

Error image
Shane MacNeill
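For anyone reproducing the change described in the question, the following is an added PowerShell example (it is not from the original thread or from any script posted in it). It disables TLS 1.0 in Schannel for both the Server and Client roles, but exports the Protocols key first so the change can be undone with a single `reg import`, and then pulls the Schannel 36871 events out of the System log so the effect can be checked after the reboot. The backup file path is an assumption.

```powershell
# Added example (not from the original thread): reversible TLS 1.0 disable on
# Windows Server 2012 R2, plus a check for the Schannel 36871 events the
# question describes. Run in an elevated PowerShell session.
# Registry locations are the documented Schannel ones; $backup is an assumption.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$backup   = "C:\Temp\schannel-protocols-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

# 1. Export the Protocols key before touching it. Rollback is then just:
#      reg import <backup file>   (followed by a reboot)
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null

# 2. Disable TLS 1.0 for the Server and Client roles.
#    Enabled=0 and DisabledByDefault=1 are the values Schannel honours;
#    the setting only takes effect after a reboot.
foreach ($role in 'Server', 'Client') {
    $key = Join-Path $schannel "TLS 1.0\$role"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
}

# 3. Make TLS 1.1 and TLS 1.2 explicitly enabled rather than relying on the
#    OS default, so the state is unambiguous when auditing for PCI.
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel "$proto\$role"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
    }
}

# 4. Print the resulting state of every protocol/role key that exists.
Get-ChildItem $schannel -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        [pscustomobject]@{
            Protocol          = Split-Path $_.PSParentPath -Leaf
            Role              = $_.PSChildName
            Enabled           = $_.GetValue('Enabled')
            DisabledByDefault = $_.GetValue('DisabledByDefault')
        }
    } | Format-Table -AutoSize

# 5. After the reboot, list recent Schannel 36871 events from the System log.
#    The event text (internal error state 10013 in the question) does not name
#    the process that asked for the credential, so the timestamps have to be
#    correlated with application logs or a network trace, as the thread does.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Because the 36871 event is written when a component asks Schannel for a client credential and no protocol it is willing to use remains enabled, step 5 on its own will not tell you which component that is; the trace and the SMTP-certificate observation later in the thread are what narrowed it down.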
2 Solutions
Jose Gabriel Ortega CCEO J0rt3g4 Consulting ServicesCommented:
Try this script:

Probably it will solve all the issues.

PS: Not sure but I think that tls 1.2 and tls 1.1 are enabled by default on those.
I think that my script can actually make the use of the tls 1.2 and fix any error with ssl.

Where are you getting those errors? what is the source?

Shane MacNeillSr VP of ITAuthor Commented:
Hello thank you for your answer,

as far as where these are coming from, I have no idea. all I have been able to figure out is disabling TLS 1.0, starts them in the error as shown in the image above. I enable it and the errors stop.

I took a look at the script, but I am iffy on running scripts and prefer to do it myself. I tried a script last year that was supposed to resolve an issue, and it took me 3 hours to reverse, as no documentation was written on what it changed and there was no way to reverse it other than manually.
According to Microsoft.

This is an erroneous Event log entry. You can safely ignore this message. To prevent this Event log entry, you must assign a certificate to the SMTP site.

See here.

Tell them to fix their app/server, see the article here.

.NET has an out-of-the-box hard set for lower crypto.

This is definitely an app issue from what you have described.
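The .NET Framework default the comment above alludes to is that 4.x applications, unless told otherwise, pick their own TLS version rather than Schannel's enabled set. As an added example (not from the original thread), the following sets the two documented registry switches, SchUseStrongCrypto and SystemDefaultTlsVersions, for both the 64-bit and 32-bit (Wow6432Node) framework keys, with a backup first. The backup path is an assumption.

```powershell
# Added example (not from the original thread): make .NET Framework 4.x apps
# (IIS app pools included) follow the OS TLS configuration instead of their
# own legacy default. Run elevated; recycle app pools or reboot afterwards.
# $backup is an assumption.

$backup = 'C:\Temp\dotnet-tls-backup.reg'
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
reg export 'HKLM\SOFTWARE\Microsoft\.NETFramework' $backup /y | Out-Null

# Both keys are set because a 32-bit app pool reads the Wow6432Node hive.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($k in $keys) {
    New-Item -Path $k -Force | Out-Null
    # SchUseStrongCrypto=1: do not fall back to the framework's weaker
    # hard-coded protocol default for ServicePointManager/SslStream.
    Set-ItemProperty -Path $k -Name 'SchUseStrongCrypto'       -Value 1 -Type DWord
    # SystemDefaultTlsVersions=1 (4.6 and later): use whatever Schannel has
    # enabled, so disabling TLS 1.0 in Schannel is honoured by .NET too.
    Set-ItemProperty -Path $k -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
}

# Show the values that were written.
Get-ItemProperty -Path $keys |
    Select-Object PSPath, SchUseStrongCrypto, SystemDefaultTlsVersions |
    Format-List
```

These switches affect code that uses the framework's default protocol selection; an application that hard-codes `SecurityProtocolType.Tls` in its own source will still try TLS 1.0 and will still need the fix the comment asks for.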
btanExec ConsultantCommented:
Disabling TLS 1.0 will break RDP under default settings. Normally you should be able to disable use of certain ciphers or prioritize ciphers. You may want to try the IIS Crypto tool. https://www.nartac.com/Products/IISCrypto/

If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

Note:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.

 I recommend you re-enable TLS 1.0 and have a ssl certificate from a public authority set on your RDP-Tcp listener.
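The RDP-Tcp Security Layer that tsconfig.msc exposes is also reachable through the Win32_TSGeneralSetting WMI class, which makes it easy to see what a server is currently set to and to put it back on SSL/TLS with a CA-issued certificate, as the comment above recommends. The following is an added example (not from the original thread); the certificate thumbprint is a placeholder you must replace.

```powershell
# Added example (not from the original thread): inspect the RDP-Tcp listener's
# security layer and set it to SSL/TLS with NLA and a trusted certificate,
# rather than leaving it on "RDP Security Layer", which does no server
# authentication. Run elevated. $thumbprint is a placeholder.

$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer values: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS only
$names = @{ 0 = 'RDP Security Layer (no server authentication)'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
"Current: SecurityLayer=$($listener.SecurityLayer) ($($names[[int]$listener.SecurityLayer])), " +
"UserAuthenticationRequired=$($listener.UserAuthenticationRequired), " +
"SSLCertificateSHA1Hash=$($listener.SSLCertificateSHA1Hash)"

# Require TLS for the listener and require Network Level Authentication,
# so a client must authenticate before a session is created.
Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
    -Arguments @{ SecurityLayer = 2 } | Out-Null
Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
    -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null

# Bind a certificate the clients trust (public CA or your own PKI). It must be
# in LocalMachine\My with a private key the listener can read.
$thumbprint = 'REPLACE-WITH-YOUR-CERTIFICATE-THUMBPRINT'   # placeholder
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if ($cert) {
    $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
    "Bound certificate $($cert.Subject) ($($cert.Thumbprint)) to RDP-Tcp."
} else {
    "No certificate with thumbprint $thumbprint in LocalMachine\My; listener keeps its current certificate."
}

# Re-read to confirm.
Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, SecurityLayer, UserAuthenticationRequired, SSLCertificateSHA1Hash
```

With SecurityLayer=2 the protocol version actually negotiated is whatever Schannel allows on the box, so this setting and the Schannel protocol keys have to be reviewed together; SecurityLayer=0 sidesteps Schannel entirely, which is why it keeps working when TLS 1.0 is off but also why it carries the MITM caveat above.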
Shane MacNeillSr VP of ITAuthor Commented:
Well, after some traffic watching and a bit of research, all apps that should be talking with SSL are doing what they should be. I went through all avenues:

1. @btan - has nothing to do with RDP. Since server 2012 + all RDP connections support TLS 1.2 / omitted this answer
2. @Jose - I write scripts, but any script that is not reversible in a short timeframe, I don't bother with anymore. I do see what it's doing so attempted it manually myself, and got the same issue.
@learnctx - I am not running an SMTP server on this machine, and after a traffic trace, nothing is communicating on port 25 or 465. But just out of curiosity, I installed IIS 6.0 and added a local default SMTP server, set a certificate for it, then uninstalled. Lo and behold, that solved it. Even though there was or is no SMTP server installed or service running now, it was apparently looking for it.
Shane MacNeillSr VP of ITAuthor Commented:
didn't know how to layout the solution ticks for this, did what I thought was accurate.
I installed IIS 6.0 and added a local default SMTP server, set a certificate for it, then uninstalled. Lo and behold, that solved it. Even though there was or is no SMTP server installed or service running now, it was apparently looking for it.

That is really interesting. Thanks for posting the updated info.