If you stumbled upon this post, it most likely means you are seeing the following Schannel error (Event ID 36871) flooding the System log in your Windows Event Viewer:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013
The SSPI client process is w3wp (PID: <variable PID number>).
If that's the case, you are in the right place: in this post, we'll take care of that.
Error Explanation
Nine times out of ten the error above is a consequence of disabling SSL 2.0 and SSL 3.0 (for both Server and Client) together with TLS 1.0 and TLS 1.1, using Nartac Software's IISCrypto or a similar technique. Disabling these protocols is a best practice nowadays, since all of them are considered insecure (for good reasons: if you want to know more, read this post). However, doing so can break clients or applications that still rely on the older protocols. The most common case is a server hosting web applications built on .NET Framework 3.5 or 4.0 (Web Forms or MVC websites, older versions of Exchange Server, and the like): out of the box those frameworks only offer SSL 3.0 and TLS 1.0 when they act as a TLS client, so once Schannel no longer allows those protocols the application cannot create a client credential and Schannel logs the event above. The "SSPI client process is w3wp" line tells you that an IIS worker process was the TLS client; its PID lets you map it to the offending application pool (for example with appcmd list wp, or from Task Manager).
To prevent that from happening, we need to perform the following steps:
- Enable TLS 1.2 for Schannel (IISCrypto should already have done this; the registry file below makes it explicit).
- Enable TLS 1.2 for .NET 2.0 and 3.5 (NOT done automatically: it requires a manual registry change, plus the .NET 3.5 update that adds TLS 1.2 support if it is not already installed).
- Enable TLS 1.2 for .NET 4.x (NOT done automatically, and must be handled manually).
Let's quickly see how we can perform these steps.
Enable TLS 1.2 for Schannel
TLS protocols are enabled or disabled in Windows Schannel by editing the Windows Registry, using two DWORD values under each protocol's Client and Server subkey.

Enabled controls whether the protocol version can be used at all:
- 0: the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests it.
- 1: the protocol version can be used if it is enabled by default or if the application explicitly requests it.
- not defined: the operating system's default value is used.

DisabledByDefault controls whether the protocol version is offered by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used:
- 0: the protocol version is available for use by default.
- 1: the protocol version is not available for use by default.
- not defined: the operating system's default value is used.
That said, here's how we can enable TLS 1.2 for Schannel:
- From Notepad.exe, create a text file named TLS12-Enable-Schannel.reg
- Copy and paste the following text into the file:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
- Save the TLS12-Enable-Schannel.reg file.
- Double-click the TLS12-Enable-Schannel.reg file.
- Click Yes to update your Windows Registry with these changes.
- Restart the machine for the changes to take effect.
Enable TLS 1.2 for .NET 2.0 and 3.5
This step is required if your server hosts web applications that rely upon .NET Framework v2.0 and/or 3.5. The SystemDefaultTlsVersions value tells the framework to use the protocol list configured in Schannel instead of its own hard-coded SSL 3.0/TLS 1.0 default. Note that .NET 3.5 only honours this value once the .NET Framework 3.5 update that adds TLS 1.2 support is installed (it is delivered through Windows Update for supported versions of Windows); on an unpatched machine the value is simply ignored and the error will keep coming back.
- From Notepad.exe, create a text file named TLS12-Enable-NET35.reg
- Copy and paste the following text into the file:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
```
- Save the TLS12-Enable-NET35.reg file.
- Double-click the TLS12-Enable-NET35.reg file.
- Click Yes to update your Windows Registry with these changes.
- Restart the machine for the changes to take effect.
Enable TLS 1.2 for .NET 4.x
This step is required if your server hosts web applications that rely upon the .NET Framework v4.x. All 4.x releases are in-place upgrades of the same runtime, which is why a single v4.0.30319 key covers every 4.x application on the machine. SystemDefaultTlsVersions is honoured natively by .NET 4.6 and later; on 4.5.x it requires the corresponding .NET Framework update, so if the machine is still on 4.0 or 4.5 the most reliable fix is to install .NET 4.6 or newer first. Microsoft also recommends setting SchUseStrongCrypto to 1 under the same keys, which forces the framework to drop SSL 3.0 and RC4 from its own defaults; it is not strictly needed for this error, but it is worth applying at the same time.
- From Notepad.exe, create a text file named TLS12-Enable-NET4.reg
- Copy and paste the following text into the file:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
```
- Save the TLS12-Enable-NET4.reg file.
- Double-click the TLS12-Enable-NET4.reg file.
- Click Yes to update your Windows Registry with these changes.
- Restart the machine for the changes to take effect. The .NET values are read when a process starts, so recycling the application pools (or running iisreset) is usually enough for the w3wp processes, but a full reboot is the safest option since it also covers the Schannel changes above.
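The three .reg files above can also be applied and verified from an elevated PowerShell prompt, which is handy when you have to repeat this on several servers. The script below is an added example and is not part of the original post: it writes the same Schannel and .NET values, reads them back so that a mistyped path is caught before the reboot, and then counts the Schannel 36871 events of the last 24 hours in the System log so you can confirm the error stops after the restart. It goes one step beyond the .reg files by also setting SchUseStrongCrypto, the companion value Microsoft recommends for the .NET keys.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Applies the TLS 1.2 settings for Schannel and for .NET 2.0/3.5 and 4.x,
# reads them back, and reports recent Schannel 36871 (state 10013) events.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Creates the key if missing and writes (or overwrites) a DWORD value.
function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Schannel: make TLS 1.2 usable and offered by default for both roles.
foreach ($role in 'Client', 'Server') {
    Set-RegDword -Path "$schannel\$role" -Name 'Enabled'           -Value 1
    Set-RegDword -Path "$schannel\$role" -Name 'DisabledByDefault' -Value 0
}

# 2. .NET 2.0/3.5 and 4.x (64-bit and 32-bit hives): follow the OS protocol
#    list instead of the framework's built-in SSL 3.0/TLS 1.0 default.
#    SchUseStrongCrypto is Microsoft's recommended companion value; it is
#    not in the .reg files above.
foreach ($key in $dotnet) {
    Set-RegDword -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
    Set-RegDword -Path $key -Name 'SchUseStrongCrypto'       -Value 1
}

# 3. Read everything back: a typo in a path would otherwise only show up
#    as the error persisting after the reboot.
foreach ($role in 'Client', 'Server') {
    Get-ItemProperty -Path "$schannel\$role" |
        Select-Object @{ n = 'Key'; e = { "TLS 1.2\$role" } }, Enabled, DisabledByDefault
}
foreach ($key in $dotnet) {
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'Key'; e = { $key } }, SystemDefaultTlsVersions, SchUseStrongCrypto
}

# 4. Schannel logs the 10013 failure as Event ID 36871 in the System log.
#    Count the last 24 hours and show which SSPI client process (w3wp for
#    IIS application pools) triggered the most recent ones. Run this again
#    after the restart: the count for the new window should stay at 0.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36871; StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors out when nothing matches

"Schannel 36871 events since $since : $($events.Count)"
$events | Select-Object -First 5 TimeCreated,
    @{ n = 'SspiClient'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'SSPI client process' }) -join '' } }
```

If the count keeps growing after the reboot, check the .NET version actually installed on the box (the SystemDefaultTlsVersions value is ignored by .NET 3.5 and 4.5.x without the corresponding framework updates) and use the PID from the event message to find the application pool that is still negotiating an old protocol.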
Conclusion
That's it: if you enable TLS 1.2 this way (and reboot your computer), the Schannel 36871 error should stop appearing in the System event log. We hope that this small guide will help other System Administrators (and .NET developers) to get rid of that error.