IIS6 / SSL / Certificate / SSLDiag error

From: Greg williams (Gregwilliams_at_discussions.microsoft.com)
Date: 01/20/05


Date: Thu, 20 Jan 2005 09:03:01 -0800

Hey all, here is the question of the day!

We have 2 webservers. We set up SSL encryption about 2 months ago but I was
not here to test it out. The certificates seem to be installed okay.
However, when you type https://localhost/test.aspx you get "Page can not be
displayed". However you take the "s" off and you get the page just fine. I
run SSLDiag's and get this error, and it is the only error:

#WARNING: You have a private key that corresponds to this certificate but
CryptAcquireCertificatePrivateKey failed'.

I have been doing some research and someone suggested to try this to fix the
problem. This is my production environment, so I need a reason why this is
going to fix the problem and what this dependency allows what service to
access what? Basically, when I make this change and it fixes it, why did
this happen? Also if there is another fix with this problem, please advise!

-----------------------

To resolve this issue try following steps.

1. Set the correct permission for Machinekey folder
   C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

2. Add administrator and system Full Control Permissions.

3.Restart IIS

HTH,

Thanks
Ganesh Anekar
Microsoft Developer Support
Internet Information Server

And then the response....

Just one hint.
You should check 'Replace permission entries on all child objects with
entries shown here that apply to child objects' check box on the 'Advanced
Security settings' dialog.
If this check box wasn't selected while applying the new security
permissions, the following errors will appear in event log during first
access of SSLed site:
- in System log:
A fatal error occurred when attempting to access the SSL server credential
private key. The error code returned from the cryptographic module is
0x80090016.
- in Security log there will be a lot of 'Failed Audit' events for SYSTEM
account while accessing files inside MachineKeys folder.

Thanks,
Vlad

-----------------------
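
A read-only check for the situation described in the quoted replies, where the MachineKeys folder ACL is changed but the key files inside it do not carry the new entries. This PowerShell script is an added example, not part of the original thread; it assumes Windows PowerShell is installed on the server, uses the folder path from the post as its default, and the function name `Get-MissingFullControl` is hypothetical.

```powershell
# Added example: read-only audit of MachineKeys ACLs (changes nothing).
param(
    # Default is the path quoted in the post (Windows Server 2003 layout).
    [string]$MachineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

# Well-known SIDs, so the check does not depend on localized account names.
$required = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-MissingFullControl {
    param([string]$Path)
    # Explicit and inherited ACEs, with identities translated to SIDs.
    # Only Allow entries are examined; Deny entries are not evaluated here.
    $acl   = Get-Acl -Path $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $missing = @()
    foreach ($sid in $required.Keys) {
        $granted = $false
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $sid -and
                $r.AccessControlType -eq 'Allow' -and
                ([int]$r.FileSystemRights -band $full) -eq $full) { $granted = $true }
        }
        if (-not $granted) { $missing += $required[$sid] }
    }
    return ,$missing
}

# The folder itself plus every key file in it; -Force includes hidden/system files.
$items = @(Get-Item -LiteralPath $MachineKeys -Force) +
         @(Get-ChildItem -LiteralPath $MachineKeys -Force)

$findings = foreach ($item in $items) {
    try {
        $missing = Get-MissingFullControl -Path $item.FullName
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{ Path = $item.FullName; Problem = 'No Full Control for: ' + ($missing -join ', ') }
        }
    } catch {
        # An ACL the current account cannot even read is itself worth reporting.
        New-Object PSObject -Property @{ Path = $item.FullName; Problem = 'ACL unreadable: ' + $_.Exception.Message }
    }
}

if ($findings) { $findings | Format-Table Path, Problem -AutoSize }
else { Write-Output 'Folder and all key files grant Full Control to SYSTEM and Administrators.' }
```

Running it before and after the permission change shows whether the key files, and not only the folder, picked up the new entries.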


