Schannel – The internal error state is 10013 (Solved)

You may run into the “Schannel – The internal error state is 10013” message if your website fails to establish a TLS connection. Here are the messages you will see in Event Viewer:

Info – Schannel – Creating an SSL server credential.

Error – Schannel – A fatal error occurred while creating an SSL client credential. The internal error state is 10013

This error is logged when there are issues related to the Schannel Security Service Provider (SSP). For example, the web server might be trying to use an encryption algorithm or protocol that has been disabled.

Similarly, incompatible machine keys, or machine keys with insufficient file permissions, are other possible causes of the “The internal error state is 10013” error message.


How to solve “The internal error state is 10013” issue

Follow the steps below to solve this issue. If no more 10013 errors are logged after performing these instructions, please make sure that all other applications and services you use on the server are working as expected.

Correct file permissions

Correct the permissions on the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder:

  1. Everyone. Access: Special. Applies to: This folder only
  2. Network Service. Access: Read & Execute. Applies to: This folder, subfolders and files
  3. Administrators. Access: Full Control. Applies to: This folder, subfolders and files
  4. System. Access: Full Control. Applies to: This folder, subfolders and files
  5. IUSR. Access: Full Control. Applies to: This folder, subfolders and files
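
To see how the folder's current ACL compares with the list above before changing anything, a read-only PowerShell check can be run from an elevated prompt. This is an added example, not part of the original article; the well-known SIDs and the mapping of "This folder only" to no inheritance flags are assumptions about how the list translates into ACL entries.

```powershell
# Added example: read-only audit of the MachineKeys folder ACL. It changes nothing.
$path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

$R     = [System.Security.AccessControl.FileSystemRights]
$CI_OI = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$None  = [System.Security.AccessControl.InheritanceFlags]::None

# Well-known SIDs are used so the check also works on localized Windows (assumption).
# Rights is $null for Everyone because the article only says "Special";
# for that entry only the scope ("This folder only") is compared.
$expected = @(
    @{ Name = 'Everyone';        Sid = 'S-1-1-0';      Rights = $null;              Scope = $None  }
    @{ Name = 'Network Service'; Sid = 'S-1-5-20';     Rights = $R::ReadAndExecute; Scope = $CI_OI }
    @{ Name = 'Administrators';  Sid = 'S-1-5-32-544'; Rights = $R::FullControl;    Scope = $CI_OI }
    @{ Name = 'System';          Sid = 'S-1-5-18';     Rights = $R::FullControl;    Scope = $CI_OI }
    @{ Name = 'IUSR';            Sid = 'S-1-5-17';     Rights = $R::FullControl;    Scope = $CI_OI }
)

# Explicit and inherited Allow entries, with identities returned as SIDs.
$rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' }

$report = foreach ($e in $expected) {
    $mine = @($rules | Where-Object { $_.IdentityReference.Value -eq $e.Sid })
    $ok = $false
    foreach ($r in $mine) {
        # Rights match when every expected bit is present in the entry.
        $rightsOk = ($null -eq $e.Rights) -or
                    (($r.FileSystemRights -band $e.Rights) -eq $e.Rights)
        if ($rightsOk -and $r.InheritanceFlags -eq $e.Scope) { $ok = $true }
    }
    [pscustomobject]@{
        Identity = $e.Name
        Matches  = $ok
        Actual   = ($mine | ForEach-Object {
                       "$($_.FileSystemRights) [$($_.InheritanceFlags)]" }) -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap

# Allow entries for identities that the article's list does not mention.
$rules | Where-Object { $_.IdentityReference.Value -notin $expected.Sid } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```

An empty `Actual` column means the identity has no Allow entry on the folder, and the second table is worth reviewing because any unexpected identity listed there can reach the machine key store.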

After these changes, restart the server. The 10013 errors should disappear. However, if you still see “Schannel 10013” errors in Event Viewer, try the next solution (keep the changes you made in Step 1).

Enable “FIPS compliant algorithms for encryption”

Important!!! Even if this setting solves the problem for your application, it may break other applications on the same server! Please test all applications after performing these steps. Enabling “FIPS compliant algorithms” means disabling SSL 2.0/3.0 and forcing TLS 1.0+. A good read about this setting: Why You Shouldn’t Enable “FIPS-compliant” Encryption on Windows

  1. Go to “Control Panel”.
  2. Click “Administrative Tools”.
  3. Double-click “Local Security Policy”.
  4. In “Local Security Settings”, expand “Local Policies”. Then click “Security Options”.
  5. Double-click “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.
  6. Select “Enabled”.
  7. Click “OK”.
  8. Run gpupdate /force

In conclusion, the two methods above should solve the issue. As mentioned above, please make sure all services work as expected after these changes.


8 thoughts on “Schannel – The internal error state is 10013 (Solved)”

  1. This is not a great solution. The first allows anyone on the machine to read the private keys of any machine certificates. The second enables FIPS compliant algorithms which are not recommended for general use. They have known compatibility issues.

    • Elizabeth, this is applied to the folder, not the keys. The Everyone –> Special permissions are actually the default. You can see the files exist, but have no rights to the items in the folder.

  2. I’m having same issue here; AND you left out a HUGE detail!
    WHICH ‘special’ access? Special is not ‘one thing.’ you have to “Show Advanced” under Security tab on the folder, and THEN tell us (the readers), EXACTLY “which” Special Access settings need to be made for the “Everyone group;” i.e., which check-boxes are checked in advanced security. “Special Access” can mean, literally, a MILLION combinations of those check-boxes! Okay, not a million, but you get the point.

    “Everyone Access: Special Applies to: This folder only” <– DETAILS, please.

  3. Everyone Special is as follows for that folder:
    In Advanced permissions,
    Boxes 3-7 all are checked in left column
    Boxes 1, 2 & 5 are checked in right column.
    Currently on one of my servers, Administrators also have Full permissions but it is for “This folder only”, fyi.
    And those are the ONLY 2 permissions.

    I would also question giving IUSR ‘FULL’ control all the way down the chain – is that documented by Microsoft somewhere? Thanks!
