Confirmed: re-enabling SSLv3.0 in IISCrypto cleared up the SChannel error - which still seems to have no impact on my system at all. Ah the exercise of irrelevancy.
Event ID 36871 - Repeating TLS Error 10013
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
Each day shortly after logon, my windows 10 log fills with numerous copies of SChannel Error 36871:
"A fatal error occurred while creating a TLS client credential. The internal error state is 10013."
I do not see any symptoms of this error that I recognize as such - failed secure connections etc.
The error occurs both before and after domain connectivity is established - as indicated by NtpClient.
Despite the error being "fatal", it repeats 2-4 times, followed by an increasing pause before repeating again.
My question is, first and foremost, what does internal error state 10013 indicate?
Windows for home | Windows 10 | Performance and system failures
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
{count} votes
Answer accepted by question author
-
Anonymous
2018-03-23T18:13:23+00:00
3 additional answers
Sort by: Most helpful
-
Anonymous
2018-03-02T16:42:00+00:00 Technet thread on the same error for SSL (https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin) suggested 2 solutions:
- FIPs only cryptography - set in security policy
- %ProgramData%\Microsoft\Crypto\RSA\MachineKeys file permissions
I didn't think that a policy change should be needed to fix the error, so I looked into option 2 & found that folder/file permissions are nuts at that path: everything from Domain Admin doesn't even have the right to read permissions down to one file that had everyone full control... I chose the middle ground & granted Administrators & Network Service read access & SYSTEM Full Control.
Ideally, in a few days I will get back on & confirm whether that had any effect.
-
Anonymous
2018-03-07T18:37:50+00:00 Ideally, in a few days I will get back on & confirm whether that had any effect.
Still erroring.
On this technet thread: https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin
Cody Bilbro suggested IISCrypto server defaults. I will do that for now & if it resolves the error, i will start locking it down - server defaults is not the most secure set of options.
Again, ideally, in a few days, I will get back on this thread and report one way or the other.
-
Anonymous
2018-03-16T17:43:08+00:00 Preliminary findings are that if SSLv3.0 is disabled, SChannel errors occur. Otherwise, IISCrypto best practices appear to be good.
To clarify, at this time, I recommend setting IISCrypto to best practice, then enabling SSL v3.0. Unless you prefer to let SChannel error... I don't know for sure what that failure is related to yet.
I will check in again just to confirm.