Schannel Event ID 36871 TLS Error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 98%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JoshuaD13
51
Reputation points
Hello all,
I have a Windows Server 2016 that host MDT, and its been getting flooded with Schannel Error every few seconds. Error description: "A fatal error occurred while creating a TLS client credential. The internal error state is 10011."
Currently I only have TLS 1.2 enabled for server and client (verified via IIS Crypto & registry keys), since TLS 1.0/1.1 are not recommended anymore.
So far I have tried to allow .NET to use TLS 1.2, and allow .NET to use the OS configuration by setting these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
I've also tried setting these registry keys to configure the Schannel protocols:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#schusestrongcrypto
Also tried enabling TLS 1.2 by default for WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800
I have found in Event Viewer that the ActivityID of this error is associated with Directory-Services-SAM. Currently have .NET Framework 4.6.2 installed.
Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 83%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYE%3C/text%3E%3C/svg%3E)
Yusmary Elena Galeno Suarez 5 Reputation points2023-07-28T14:44:33.1933333+00:00 Hi, did you find any solution to this issue?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 14.000000000000002%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPN%3C/text%3E%3C/svg%3E)
Pavel Nosek 0 Reputation points2023-08-25T07:47:03.6666667+00:00 Same here.. 36871 10011 maybe for all apps.. all protocols enabled in inetcpl.. no solution found yet.. system log is full of this
-
JoshuaD13 51 Reputation points
2023-08-25T15:51:30.4733333+00:00 No solution was found, please let me know if you guys figure anything out. Apologies.
Sign in to comment
Sign in to answer