A fatal error occurred while creating a TLS client credential. The internal error state is 10011.

A.Elrayes 186 Reputation points
2025-02-25T10:20:59.13+00:00

Hello Team,

We have 2 Exchange servers 2019 on-prem, we noticed multiple errors in the event viewer with ID "36871" and the description "A fatal error occurred while creating a TLS client credential. The internal error state is 10011."

Error in XML:

  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
      <EventID>36871</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2025-03-04T12:31:55.033113100Z" />
      <EventRecordID>3222985</EventRecordID>
      <Correlation ActivityID="{815eb6d4-8446-0019-94c0-5e814684db01}" />
      <Execution ProcessID="1680" ThreadID="20496" />
      <Channel>System</Channel>
      <Computer>exchange server</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data Name="Type">client</Data>
      <Data Name="ErrorState">10011</Data>
    </EventData>
  </Event>

TLS 1.2 is enabled and the older versions are disabled.

What is the root cause of this error?

Thanks,

Alaa Elrayes


1 answer

  1. Anonymous
    2025-03-04T05:40:33.13+00:00

    Hello,

    Thank you for posting in Q&A forum.

    This error occurs when there is an issue with the TLS (Transport Layer Security) configuration. Common reasons include:

    1. Disabled or misconfigured TLS protocols – The system might be trying to use a TLS version that is disabled.
    2. Group Policy settings blocking certain encryption protocols – A policy may be restricting TLS usage.

    You can manually check that TLS 1.2 is enabled by checking the Registry, Group Policy and Cryptographic Services.

    Registry

    1. Open Registry Editor (regedit.exe).
    2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    3. If the TLS 1.2 key does not exist, then it is not enabled.
    4. If the key is there, check for a subkey called Client, and check in there for a DWORD (32-bit) Value named Enabled and ensure it is set to 1.

    Note If you modify the registry incorrectly, you can cause serious problems. Therefore, follow these steps carefully. For additional protection, back up the registry before you modify it. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

    Check Group Policy for TLS Restrictions

    1. Open Local Group Policy Editor (gpedit.msc).
    2. Navigate to: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
    3. Check if any policies are restricting TLS versions.
    4. Ensure "System cryptography: Use FIPS compliant algorithms" is Disabled under: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

    Ensure Cryptographic Services Are Running

    1. Open Services (services.msc).
    2. Find Cryptographic Services.
    3. Ensure it is set to Automatic and running.
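The three checks above (SCHANNEL protocol keys, the FIPS policy, and the Cryptographic Services service) can be collected in one read-only pass. The script below is an added example, not code from the answer or from Microsoft; it assumes an elevated PowerShell session on the Exchange server and changes nothing.

```powershell
# Added example: read-only audit of the settings the answer walks through.
# Assumption: run elevated on the affected server; nothing is modified.

$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$findings  = @()

# 1. Schannel protocol keys. An absent key means the OS default applies;
#    Enabled=0 means the protocol was explicitly disabled for that side.
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $protoRoot "$proto\$side"
        if (-not (Test-Path $key)) {
            $state = 'not configured (OS default)'
        } else {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = "Enabled=$($props.Enabled) DisabledByDefault=$($props.DisabledByDefault)"
        }
        $findings += [pscustomobject]@{ Check = "$proto $side"; State = $state }
    }
}

# 2. FIPS policy: the answer asks for this to be Disabled (value 0 or absent).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
$findings += [pscustomobject]@{ Check = 'FIPS algorithm policy'; State = "Enabled=$fips" }

# 3. Cryptographic Services (CryptSvc) should be Running and set to Automatic.
$svc = Get-Service -Name CryptSvc
$findings += [pscustomobject]@{ Check = 'CryptSvc'; State = "$($svc.Status) / $($svc.StartType)" }

# 4. The last few Schannel 36871 events, so the settings can be correlated
#    with when the "TLS client credential" errors are being logged.
$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue
$summary = ($events | ForEach-Object { "$($_.TimeCreated): $($_.Message -replace '\s+', ' ')" }) -join '; '
$findings += [pscustomobject]@{ Check = 'Schannel 36871 (last 5)'; State = $summary }

$findings | Format-Table -AutoSize

# Flag the specific misconfiguration the answer describes: TLS 1.2 Client
# explicitly disabled while the older protocols are disabled as well.
$tls12Client = Join-Path $protoRoot 'TLS 1.2\Client'
if ((Test-Path $tls12Client) -and ((Get-ItemProperty -Path $tls12Client).Enabled -eq 0)) {
    Write-Warning 'TLS 1.2 Client is explicitly disabled in SCHANNEL; with older protocols also disabled, no client protocol is available.'
}
```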

    I hope the information above is helpful.

    Best regards

    Zunhui


