Shane MacNeill (Canada) asked:

Disabling TLS 1.0 causes errors Server 2012R2

I am in the process of setting up our Windows Server 2012 R2 VM in Azure for PCI-compliant ciphers and protocols. When I disable TLS 1.0 I get an error in my System log:

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
Event ID: 36871

Most of the answers I have seen are for Server 2008 and relate to SMTP. There is nothing that runs SMTP on this server; it's just an IIS box hosting a few web services. RDP works just fine, everything else seems fine. I'm kind of confused as to why disabling TLS 1.0 would do this. When I re-enable it, the errors go away.

Any Suggestions?

User generated image
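The asker wants to make the Schannel change by hand rather than with an opaque script. The following is an added example, not code from the original post, of doing exactly that in a reversible way: it exports the Protocols key before touching it, prints the old and new value of every key it writes, and gives a one-liner to check the System log for the 36871 events afterwards. Note the event text says "client credential", i.e. something on the box was acting as a TLS client, which is governed by the Client subkeys, so the example turns TLS 1.0 off on the Server side only and leaves widening it to the Client side as a separate, later step. The registry paths are the standard Schannel ones; the backup location under ProgramData is an assumption. Run elevated, then reboot.

```powershell
# Added example, not code from the original post or the asker's environment.
# Disables TLS 1.0 in Schannel "by hand", but records a registry export first
# so the change can be reversed without guessing what was touched.
# Assumed paths are the standard Schannel keys; run elevated, then reboot.

$protocolsReg = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolsPs  = "HKLM:\$($protocolsReg.Substring(5))"   # same key as a PowerShell provider path

function Backup-SchannelProtocols {
    # Export the whole Protocols tree to a .reg file (location is an assumption).
    # Restore later with:  reg.exe import <file>
    $file = Join-Path $env:ProgramData ('schannel-protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    if (Test-Path $protocolsPs) {
        reg.exe export $protocolsReg $file /y | Out-Null
    } else {
        # No key at all means everything was at OS defaults; record that fact instead.
        Set-Content -Path $file -Value '; Protocols key did not exist before this run'
    }
    return $file
}

function Set-SchannelProtocol {
    # Writes Enabled / DisabledByDefault for one protocol on the Server and/or
    # Client side, printing the old and new Enabled value as a change log.
    param(
        [Parameter(Mandatory)][string]$Protocol,          # 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Side = @('Server', 'Client')
    )
    $value = [int]$Enabled
    foreach ($s in $Side) {
        $key = Join-Path $protocolsPs "$Protocol\$s"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $old = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value $value       -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value (1 - $value) -Force | Out-Null
        '{0,-8} {1,-6} Enabled: {2} -> {3}' -f $Protocol, $s, $(if ($null -eq $old) { '(default)' } else { $old }), $value
    }
}

function Get-SchannelCredentialErrors {
    # Event 36871 is the one the asker saw; list recent occurrences so the
    # before/after comparison is based on the log rather than on a feeling.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36871; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

# --- usage ---
$backup = Backup-SchannelProtocols
"Backup written to $backup"

# Make sure something stronger than TLS 1.0 is explicitly on before turning 1.0 off.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
# PCI scope is the listener (Server side). The Client side governs outbound TLS
# from this box, which is what "creating an SSL client credential" refers to;
# widen to -Side 'Server','Client' only once the log is clean.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false -Side 'Server'

"Reboot, then run: Get-SchannelCredentialErrors   (no output = no new 36871 events)"
"Roll back with:   reg.exe import `"$backup`""
```

If 36871 events only appear once the Client side is disabled too, the culprit is an on-box TLS client that cannot negotiate anything newer than TLS 1.0; the .NET defaults discussed later in the thread are the usual reason on an IIS box.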
J0rtIT (Venezuela):

Try this script:
https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

Probably it will solve all the issues.

PS: Not sure, but I think TLS 1.2 and TLS 1.1 are enabled by default on those.
I think my script can actually make use of TLS 1.2 and fix any error with SSL.

Where are you getting those errors? what is the source?

Jose.
Shane MacNeill (ASKER):
Hello thank you for your answer,

As far as where these are coming from, I have no idea. All I have been able to figure out is that disabling TLS 1.0 starts the errors shown in the image above. I enable it and the errors stop.

I took a look at the script, but I am iffy on running scripts and prefer to do it myself. I tried a script last year that was supposed to resolve an issue, and it took me 3 hours to reverse, as no documentation was written on what it changed and there was no way to reverse it other than manually.
ASKER CERTIFIED SOLUTION
Aard Vark (Australia):

Tell them to fix their app/server, see the article here.

.NET has an out-of-the-box hard set for lower crypto.

This is definitely an app issue from what you have described.
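The ".NET hard set for lower crypto" in the answer above refers to the .NET Framework's own default protocol list, which an application targeting 4.5 gets regardless of what Schannel allows: SSL 3.0 and TLS 1.0 only. When TLS 1.0 is disabled in Schannel, such a client has nothing left to negotiate. The following is an added example, not code from the answer, that shows that default and sets the registry values Microsoft documents for lifting it (SchUseStrongCrypto and SystemDefaultTlsVersions, in both the 64-bit and WOW6432Node hives for the 4.x and 2.0/3.5 runtimes). It assumes .NET Framework 4.6 or later is installed; SystemDefaultTlsVersions additionally needs 4.7 or the update that back-ported it to 4.6. Run elevated, then restart the affected services or app pools (iisreset for IIS) so they re-read the values.

```powershell
# Added example, not from the original post. Shows the .NET Framework default
# Aard Vark refers to and sets the documented registry values that lift it.
# Assumes .NET 4.6+ (SystemDefaultTlsVersions needs 4.7 or the 4.6 update);
# run elevated, then restart the services / app pools that use .NET.

function Get-DotNetDefaultTlsProtocols {
    # Spawns a fresh powershell.exe so the value reflects the registry as it is
    # now, not what this session cached at start-up. Typical results on 2012 R2:
    #   'Ssl3, Tls'         -> no overrides: a 4.5-targeted app gets TLS 1.0 only
    #   'Tls, Tls11, Tls12' -> SchUseStrongCrypto = 1
    #   'SystemDefault'     -> SystemDefaultTlsVersions = 1 (Schannel decides)
    $exe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    (& $exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol') -join ''
}

function Set-DotNetStrongCrypto {
    # 64-bit and 32-bit (WOW6432Node) hives, for both the 4.x and 2.0/3.5 runtimes.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            '{0,-66} {1,-24} {2} -> 1' -f $key, $name, $(if ($null -eq $old) { '(unset)' } else { $old })
        }
    }
}

# --- usage ---
'Before: ' + (Get-DotNetDefaultTlsProtocols)
Set-DotNetStrongCrypto
'After:  ' + (Get-DotNetDefaultTlsProtocols)
```

Prefer SystemDefaultTlsVersions where the runtime supports it: it makes .NET follow whatever Schannel has enabled, so a later protocol change (TLS 1.1 off, TLS 1.3 on) needs no further application-side work.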
btan:

Disabling TLS 1.0 will break RDP under default settings. Normally you should be able to disable the use of certain ciphers or prioritize ciphers. You may want to try the IIS Crypto tool: https://www.nartac.com/Products/IISCrypto/

If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

Note:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.

I recommend you re-enable TLS 1.0 and have an SSL certificate from a public authority set on your RDP-Tcp listener.
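The listener settings described above (security layer, and the certificate bound to RDP-Tcp) are exposed through the Win32_TSGeneralSetting WMI class, which is how they are reached on Server 2012 R2, where the tsconfig.msc console is no longer shipped. The following is an added example, not code from the answer, that reports the current listener configuration and binds a CA-issued certificate while keeping the SSL/TLS security layer. Two caveats a practitioner should weigh first: the asker reports RDP still works with TLS 1.0 off, consistent with the 2012 R2 listener negotiating TLS 1.2, so the downgrade to "RDP Security Layer" (value 0) is a last resort there, and a downgraded listener gives clients no way to authenticate the server, as the answer notes. The thumbprint in the usage line is a placeholder, and the certificate's private key must be readable by NETWORK SERVICE, which runs the Remote Desktop service. Run elevated.

```powershell
# Added example, not from the original post. Reads and changes the RDP-Tcp
# listener via Win32_TSGeneralSetting. The thumbprint below is a placeholder.

function Get-RdpListener {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpListenerSettings {
    # SecurityLayer: 0 = RDP Security Layer (no server authentication),
    #                1 = Negotiate, 2 = SSL/TLS only
    $ts    = Get-RdpListener
    $layer = @{ 0 = 'RDP Security Layer (no server auth)'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
    [pscustomobject]@{
        SecurityLayer       = '{0} = {1}' -f $ts.SecurityLayer, $layer[[int]$ts.SecurityLayer]
        MinEncryptionLevel  = $ts.MinEncryptionLevel      # 1 Low, 2 Client compatible, 3 High, 4 FIPS
        CertificateSHA1Hash = $ts.SSLCertificateSHA1Hash  # default is the self-signed RDP certificate
    }
}

function Set-RdpListenerCertificate {
    # Binds a LocalMachine\My certificate to the listener and forces the TLS
    # security layer, so clients can authenticate the server. The private key
    # must be readable by NETWORK SERVICE or the listener silently falls back
    # to its self-signed certificate.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
    # A certificate with no EKU extension is valid for any purpose; one with an
    # EKU list must include Server Authentication.
    if ($ekus.Count -gt 0 -and $ekus -notcontains 'Server Authentication') {
        throw "Certificate $Thumbprint lacks the Server Authentication EKU"
    }
    $ts = Get-RdpListener
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
    $ts.SetSecurityLayer(2)   | Out-Null   # 2 = SSL/TLS; 0 would be the no-server-auth fallback
    $ts.SetEncryptionLevel(3) | Out-Null   # 3 = High
    Get-RdpListenerSettings
}

# --- usage ---
Get-RdpListenerSettings
# Set-RdpListenerCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
```

After binding, confirm from a client that the certificate presented on port 3389 is the CA-issued one (mstsc no longer warns, or inspect the handshake with any TLS client pointed at port 3389) before relying on it.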
SOLUTION
I didn't know how to lay out the solution ticks for this, so I did what I thought was accurate.
I installed IIS 6.0 and added a local default SMTP server, set a certificate for it, then uninstalled it. Lo and behold, that solved it. Even though there was, or is, no SMTP server installed or service running now, it was apparently looking for it.

That is really interesting. Thanks for posting the updated info.