Site icon port135.com

Schannel – The internal error state is 10013 (Solved)

Ned Sahin

You may run into “Schannel – The internal error state is 10013” message if your website fails establishing TLS connection. That is to say, here is the error message you will see in Event Viewer:

Info – Schannel – Creating an SSL server credential.

Error – Schannel – A fatal error occurred while creating an SSL client credential. The internal error state is 10013

This error is logged when there are Schannel Security Service Provider (SSP) related issues. For example, web server might be trying to use an encryption algorithm or protocol that were actually disabled.

Similarly, incompatible machine keys or machine keys with insufficient file permissions may be other possible reasons of “The internal error state is 10013” error message.

Looking for a way to fix “SChannel error state is 960”? Check this post out.

How to solve “The internal error state is 10013” issue

Follow the steps below to solve this issue. If no more 10013 errors logged after performing these instructions, please make sure that all other applications and services you use in the server are working as expected.

Correct file permissions

Correct the permissions on the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder:

  1. Everyone Access: Special Applies to: This folder only
  2. Network Service Access: Read & Execute Applies to: This folder, subfolders and files
  3. Administrators Access: Full Control Applies to: This folder, subfolder and files
  4. System Access: Full control Applies to: This folder, subfolder and Files
  5. IUSR Access: Full Control Applies to: This folder, subfolder and files

After these changes, restart the server. The 10013 errors should dissappear. However, If you still see “Schannel 10013” errors in EventViewer, try the next solution (keep the changes you made in Step 1).

Enable “FIPS compliant algorithms for encryption”

Important!!! Even if this setting solves the problem for your application, it may break other applications in the same server! Please test all applications after performing these steps. Enabling “FIPS compliant algorithms” means disabling SSL 2.0/3.0 and forcing TLS 1.0+. A good reading about this setting: Why You Shouldn’t Enable “FIPS-compliant” Encryption on Windows

  1. Go to “Control Panel“.
  2. Click “Administrative Tools
  3. Double click “Local Security Policy
  4. In “Local Security Settings“, expand “Local Policies“. Then click “Security Options
  5. Double click “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” 
  6. Select “Enabled
  7. Click “OK
  8. Run gpupdate /force

In conclusion, the two methods above should solve the issue. As mentioned above, please make sure all services work expected after these changes.

Source

Exit mobile version