Disabling TLS 1.0 causes errors on Server 2012 R2

I am in the process of setting up our Windows Server 2012 R2 VM in Azure for PCI-compliant ciphers and protocols. When I disable TLS 1.0 I get an error in my System log:

"A fatal error occurred while creating an SSL client credential. The internal error state is 10013."
with an Event ID of 36871.

Most of the answers I have seen are for Server 2008 and in regard to SMTP. There is nothing that runs SMTP on this server; it's just an IIS box hosting a few web services. RDP works just fine and everything else seems fine, so I am kind of confused as to why disabling TLS 1.0 would do this. When I re-enable it, the errors go away.

Any Suggestions?

Error image
Asked by Shane MacNeill, Sr VP of IT
Jose Gabriel Ortega Castro (EE Solution Guide, CEO Faru Bonon IT) commented:
Try this script:

Probably it will solve all the issues.

PS: Not sure, but I think that TLS 1.2 and TLS 1.1 are enabled by default on those.
I think that my script can actually make use of TLS 1.2 and fix any error with SSL.

Where are you getting those errors? What is the source?

Shane MacNeill, Sr VP of IT (author) commented:
Hello, thank you for your answer.

As far as where these are coming from, I have no idea. All I have been able to figure out is that disabling TLS 1.0 starts the errors as shown in the image above. I enable it and the errors stop.

I took a look at the script, but I am iffy on running scripts and prefer to do it myself. I tried a script last year that was supposed to resolve an issue, and it took me 3 hours to reverse, as no documentation was written on what it changed and there was no way to reverse it other than doing it manually.
According to Microsoft:

"This is an erroneous Event log entry. You can safely ignore this message. To prevent this Event log entry, you must assign a certificate to the SMTP site."

See here.

Tell them to fix their app/server, see the article here.

.NET has an out-of-the-box hard set for lower crypto.

This is definitely an app issue from what you have described.
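The comments above point at two separate knobs: the Schannel protocol keys that decide which TLS versions the OS offers, and the .NET Framework settings that decide whether a .NET app follows the OS list or its own older defaults. The following PowerShell is an added example written for this page, not a script posted by any of the commenters. It assumes an elevated session on Windows Server 2012 R2, exports the Schannel keys first so the change can be reverted with `reg import`, applies the protocol and .NET registry values Microsoft documents for this purpose, prints the resulting matrix, and then queries the System log for the Schannel 36871 event discussed in the question. The registry paths are the documented Schannel and .NET Framework locations; the function name and backup file name are this example's own choices.

```powershell
# Added example (not from the original thread): audit and adjust Schannel protocol settings
# on Windows Server 2012 R2 with a reversible export first, then look for Schannel event 36871.
# Run in an elevated PowerShell session. A reboot is required before Schannel changes take effect.

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$backup = Join-Path $env:TEMP ("schannel-protocols-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. Export the current protocol keys so the change can be undone with: reg.exe import <file>
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null
Write-Host "Backup written to $backup"

function Set-SchannelProtocol {
    # Helper defined for this example; sets both the Client and Server side of one protocol.
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 stops it being offered unless explicitly requested.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# 2. Disable SSL 2.0/3.0 and TLS 1.0; keep TLS 1.1 and TLS 1.2 on explicitly rather than relying on defaults.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# 3. Make .NET Framework 4.x applications follow the OS protocol list and use strong crypto
#    instead of their built-in defaults (Microsoft's documented values; both 64-bit and 32-bit hives).
#    SystemDefaultTlsVersions needs a .NET Framework version that supports it; check what is installed.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 4. Print the resulting protocol matrix for review before rebooting.
Get-ChildItem $base -Recurse |
    Where-Object { $_.PSChildName -in 'Client', 'Server' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Protocol          = Split-Path $_.PSParentPath -Leaf
            Side              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize

# 5. After the reboot, pull recent Schannel 36871 events; internal state 10013 is the one from the question.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

Step 1 is what addresses the reversibility concern: the `.reg` export is a complete record of the keys before the change, and `reg.exe import` of that file followed by a reboot puts them back. Step 5 does not tell you which process triggered the event (the 36871 message carries no process information), so if it keeps appearing after the reboot the remaining work is the one the thread ends up doing: find the component that still asks for a credential under the old settings.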
btan, Exec Consultant, commented:
Disabling TLS 1.0 will break RDP under default settings. Normally you should be able to disable use of certain ciphers or prioritize ciphers. You may want to try the IIS Crypto tool: https://www.nartac.com/Products/IISCrypto/

If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

Note:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.

I recommend you re-enable TLS 1.0 and have an SSL certificate from a public authority set on your RDP-Tcp listener.
Shane MacNeill, Sr VP of IT (author) commented:
Well, after some traffic watching and a bit of research, all apps that should be talking over SSL are doing what they should be. I went through all avenues:

1. @btan - this has nothing to do with RDP. Since Server 2012 and later, all RDP connections support TLS 1.2, so I omitted this answer.
2. @Jose - I write scripts, but any script that is not reversible in a short timeframe I don't bother with anymore. I do see what it's doing, so I attempted it manually myself and got the same issue.
3. @learnctx - I am not running an SMTP server on this machine, and after a traffic trace, nothing is communicating on port 25 or 465. But just out of curiosity, I installed IIS 6.0 and added a local default SMTP server, set a certificate for it, then uninstalled it. Lo and behold, that solved it. Even though there was and is no SMTP server installed or service running now, it was apparently looking for it.
Shane MacNeill, Sr VP of IT (author) commented:
I didn't know how to lay out the solution ticks for this, so I did what I thought was accurate.
I installed IIS 6.0 and added a local default SMTP server, set a certificate for it, then uninstalled it. Lo and behold, that solved it. Even though there was and is no SMTP server installed or service running now, it was apparently looking for it.

That is really interesting. Thanks for posting the updated info.