This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 65%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hello All,
We recently moved to SCOM 2019 since then we have been receiving the below errors in the System event logs on all of the SCOM management servers.
Event ID: 36871
Event Source: Schannel
Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
All SCOM Management servers are running on windows server 2019.
kindly assist us on this.
Regards,
Kumar B
Hi @kumaravelu ,
Do you see this event in the System Log? What makes you think that it is related to SCOM? What TLS Version is currentl configured:
Can you please go over this post and see if this is also helpful:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013
https://social.technet.microsoft.com/Forums/en-US/fd626e47-9ee7-41c5-b11a-ae696e3b6b5b/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013?forum=ws2016
A fatal error occurred while creating a TLS client credential. The internal error state is 10013
https://stackoverflow.com/questions/53121859/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-erro
Please check those out and I am pretty sure that those will help you.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@kumaravelu , Research and find a similar issue. in that case, these SCHANNEL 36871 events being logged are due to a configuration on the server itself.
Here is the resolution for that issue for the reference:
1.Made the necessary modifications from the following
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Transport Layer Security (TLS) best practices with the .NET Framework.
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
Note: please do a backup before we change any registry key.
2.After these modifications are made to enable .NET to utilize more secure TLS versions a reboot is required.
3.After this is accomplished the SCHANNEL events are no more.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@kumaravelu , How are things going? Was our issue resolved? If there's any update, feel free to let us know.
Thanks and have a nice day!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 24%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGT%3C/text%3E%3C/svg%3E)
This doesn't work. On all my Server 2016 machines the SCHANNEL 36871 keep spamming and various parts of Remote Desktop are broken.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 60%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
I agree. I've had these reg keys configured for a long time now. This Schannel error with state 10013 didn't start until I disabled SSL 3.0 using IIS Crypto (which simply uses MS's prescribed method for disabling SSL 3.0 through reg keys). Judging by the amount of errors in the log, it would seem that something really, really wants to use SSL.
UPDATE: To be clear, for anyone reading this far, I am NOT suggesting turning on SSL3.0 (or any other protocol other than TLS 1.2+)...just to get rid of Schannel errors. I'm just making the observation as to the culprit. I'll keep the Schannel error messages and sleep soundly at night knowing SSL3.0, TLS1.0 & 1.1 are disabled). :)
@Crystal-MSFT I think the forum post removed the "\" between Microsoft and .NETFramework. It did just now for me when I attempted to point it out.
It is good to try and remove the usage of older TLS protocols. I see a reply from Gerben here about removing SSH3, which is the protocol from before TLS 1.0.
Have a look at Kevins post about TLS 1.2 here: https://kevinholman.com/2018/05/06/implementing-tls-1-2-enforcement-with-scom/
and here is a page from the Msft docs site from a later date: https://learn.microsoft.com/en-us/system-center/scom/plan-security-tls12-config?view=sc-om-2022
These types or errors can be very frustrating.
In my case I was trying to outphase TLS 1.0 / 1.1 for Server 2016 running a Connection Broker. That is simply not possible: https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/rds-connection-broker-or-rdms-fails-caused-by-disabled-tls-10
It's Sept, 2022 and in just the last 10 months we've had two major vendors (MS 365 being one of them) move away from everything except TLS 1.2 & 1.3. I think it would be very difficult to implement TLS 1.1 or 1.0, and especially SSL today, and I'm definitely not suggesting to do that. It's funny how a lot of software still references all of this with "SSL" and that's been deprecated since 2015.
Thanks for the links. Your second link discusses reg keys that need changed. A program called IIS Crypto changes the first set of keys in this link (the Schannel) but it's important to know, for anyone reading this far, if you use IIS Crypto to disable these protocols, it currently doesn't hit the .NETFramework reg keys, also mentioned in @Bob Cornelissen 's second link. IIS Crypto has become popular in recent years for people wanting to enhance cybersecurity but I found I had to manually implement the .NETFramekwork keys to get our webserver to work properly after turning off these old protocols. I had to make entires for both v2.0.50727 and the one in the link above (v4.0.30319). Again, I only mention it because that's one of the reasons I'm here, and I have a feeling others using IIS Crypto might land here as well.
HTH