question

JoshuaD13-9947 avatar image
0 Votes"
JoshuaD13-9947 asked

Schannel Event ID 36871 TLS Error

Hello all,
I have a Windows Server 2016 that host MDT, and its been getting flooded with Schannel Error every few seconds. Error description: "A fatal error occurred while creating a TLS client credential. The internal error state is 10011."
Currently I only have TLS 1.2 enabled for server and client (verified via IIS Crypto & registry keys), since TLS 1.0/1.1 are not recommended anymore.

So far I have tried to allow .NET to use TLS 1.2, and allow .NET to use the OS configuration by setting these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client


I've also tried setting these registry keys to configure the Schannel protocols:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#schusestrongcrypto

Also tried enabling TLS 1.2 by default for WinHttp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

I have found in Event Viewer that the ActivityID of this error is associated with Directory-Services-SAM. Currently have .NET Framework 4.6.2 installed.

windows-serverwindows-10-networkwindows-server-security
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers