When trying to change the application pool identity for a SharePoint IIS site, you get a “Keyset does not exist” error


One day you notice that your application pools keep stopping: you start them again and after a while they stop again. You suspect that the identity account has become corrupted and decide to change the application pool identity, or to reset the current identity’s password, but then you get the following error:
“Keyset does not exist (Exception from HRESULT: 0x80090016)”

If you get this error, the first thing to check is your machine keys. Note that the machine keys are not used only by IIS or your web sites. Many processes use the machine keys to encrypt or decrypt secrets such as strings, passwords, connection strings and so on. If your machine keys have somehow been changed or deleted, you have a big problem unless you have a proper backup.

But how could that happen? There are many possibilities: malware, Group Policies, permission issues, user mistakes, cleanup programs, misconfigurations.
The first thing to check is the following KB article:
http://support.microsoft.com/kb/977754

The LOCAL SERVICE account is the service account of the IIS Web Management Service (also known as WMSvc). This problem occurs because the LOCAL SERVICE account does not have Read access on the iisWasKey key that is located in the following folder: %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
The following is the file name of the iisWasKey key: 76944fb33636aeddb9590521c2e8815a_GUID
To resolve this problem, follow these steps:

  1. Locate the following folder:
    %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
  2. Right-click the following file, and then click Properties:
    76944fb33636aeddb9590521c2e8815a_GUID
  3. Click the Security tab, and then click Edit. If you are asked whether you want to continue the operation, click Continue. Then, the list of group names and user names that have access to this key file appears in the Permissions dialog box.
  4. Click Add. Then, the Select Users, Computers, Service Accounts, or Groups dialog box appears.
  5. Type LOCAL SERVICE, and then click Check Names.
  6. Click OK.
  7. In the Group or user names list, click LOCAL SERVICE. Make sure that the Read check box is checked in the Permissions for LOCAL SERVICE list.
  8. Click OK.

Also compare the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography with the GUID suffix of the files in the
%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder.
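The two checks above (the KB permission fix and the MachineGuid comparison) as a PowerShell script. This is an added example, not part of the original post or the KB article; it assumes it is run from an elevated PowerShell prompt on the IIS server, and it only modifies the ACL when you pass -Fix.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the IIS server.
# Without -Fix it only reports; with -Fix it grants LOCAL SERVICE Read on the iisWasKey file.
param([switch]$Fix)

$keyDir          = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
$account         = 'NT AUTHORITY\LOCAL SERVICE'
$iisWasKeyPrefix = '76944fb33636aeddb9590521c2e8815a_'   # iisWasKey container name from KB 977754

# 1. Read this machine's MachineGuid; machine key container files are suffixed with it.
$machineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid).MachineGuid
Write-Host "MachineGuid: $machineGuid"

# 2. Flag container files whose GUID suffix does not match (a sign of a cloned or restored image).
Get-ChildItem -Path $keyDir -File -Force | ForEach-Object {
    $suffix = $_.Name.Split('_')[-1]
    if ($suffix -ne $machineGuid) { Write-Warning "GUID mismatch: $($_.Name)" }
}

# 3. Locate the iisWasKey container. If it is missing, no ACL change will help: restore from backup.
$keyFile = Get-ChildItem -Path $keyDir -Filter "$iisWasKeyPrefix*" -File -Force | Select-Object -First 1
if (-not $keyFile) {
    Write-Error "iisWasKey container not found in $keyDir. Restore it from a known-good backup."
    return
}

# 4. Check whether LOCAL SERVICE already holds an Allow ACE that includes Read.
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile.FullName
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($hasRead) { Write-Host "$account already has Read on $($keyFile.Name)."; return }

Write-Warning "$account lacks Read on $($keyFile.Name); this matches the KB 977754 symptom."
if ($Fix) {
    # Steps 4-8 of the KB, done with an explicit ACE instead of the Properties dialog.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Host "Granted Read to $account. Restart WMSvc and the application pool, then retry."
} else {
    Write-Host "Re-run with -Fix to grant Read."
}
```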

So what if you have missing keys?
There are two options.
1) Restore the missing keys from the newest good backup.
2) I am sorry to say it, but the second option is total recovery:
You need to reinstall SharePoint or IIS, and you may even need to rebuild the whole machine. After doing that you must reset the passwords of all your SharePoint managed accounts.

Machine keys are important for security, so always make sure they are backed up. If you suspect that your machine keys have been stolen, you may need to reset all your passwords, not only the SharePoint ones but every account in use on that machine, and don’t forget that the machine keys are not used only by IIS.

If you think the issue is a permission problem, you can use “Process Monitor” to find out which process cannot reach the key file:
http://technet.microsoft.com/en-us/sysinternals/bb896645

About bpostaci
Escalation Engineer in Microsoft.