Home/ Questions/Q 2990
Alex Hales
  • 0
Teacher
Asked: 2022-06-01T22:33:59+00:00

Windows Server Flooding with Schannel Event ID 36871 TLS Error

  • 0

[ad_1]

I have a Windows Server 2016 that host MDT, and its been getting flooded with Schannel Error every few seconds. Error description: “A fatal error occurred while creating a TLS client credential. The internal error state is 10011.”
Currently I only have TLS 1.2 enabled for server and client (verified via IIS Crypto & registry keys), since TLS 1.0/1.1 are not recommended anymore.

So far I have tried to allow .NET to use TLS 1.2, and allow .NET to use the OS configuration by setting these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client

I’ve also tried setting these registry keys to configure the Schannel protocols:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#schusestrongcrypto

Also tried enabling TLS 1.2 by default for WinHttp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols=dword:800

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

I have found in Event Viewer that the ActivityID of this error is associated with Directory-Services-SAM. Currently have .NET Framework 4.6.2 installed.

[ad_2]

Share
Leave an answer

Leave an answer

Browse

Stats

  • Questions : 43k