This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Partially a continuation from https://forums.iis.net/t/1252746.aspx?Getting+hresult+0x8007054F+error+for+any+certificates
Now that the issue narrowed down, I though I'd put it someplace with a better chance of getting an actual bug report filed.
To summarize.
On Windows Server 2019, IIS v10.0, on the Default Web Site, on interface "BINDING : https *:443: "
Using TLS1.2 with an ECDSA521 SHA512 cert
The SSLDiag tool shows everything as valid for a certificate of 1.3.6.1.5.5.7.3.1 Server Authentication
The only error information I can get from SChannel is what's in it's error event. Here are the highlights (see more in linked topic)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
<Correlation ActivityID="{51aa0bed-36e1-0001-4b0d-aa51e136d701}" />
<Channel>System</Channel>
<Computer>myserver</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="ErrorState">10018</Data>
</EventData>
</Event>
When turning on verbose logging in SChannel, trying to view informational messages seems to crash event viewer, with this trace:
at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
at System.Windows.Forms.Control.WndProcException(Exception e)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr wndProc, IntPtr hWnd, Int32 msg, IntPtr wParam, IntPtr lParam)
at System.Windows.Forms.NativeWindow.DefWndProc(Message& m)
at System.Windows.Forms.Control.WmMouseDown(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.TabControl.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
When trying to add the cert binding in the IIS bindings interface I get the following UI error prompt: An internal error occurred (Exception from HRESULT: 0x8007054F)
Here are the events that IIS Logs:
IIS-Configuration > Operational:
Changes have successfully been committed to 'MACHINE/WEBROOT/APPHOST'.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@sslFlags' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@bindingInformation' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@protocol' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
IIS-Configuration > Administrative:
Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
Unable to find schema for config section 'system.xaml.hosting/httpHandlers'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/serviceHostingEnvironment'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
And the SSLDiag tool results:
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
System Time : Thursday, April 22, 2021 11:19:09 AM Eastern Standard Time
Processor Architecture : x64
OS : Microsoft Windows NT 6.2.9200.0
Microsoft Internet Information Services 10.0
SERVER SSL PROTOCOLS
PCT 1.0 : Disabled
SSL 2.0 : Disabled
SSL 3.0 : Disabled
TLS 1.0 : Disabled
SChannel EventLogging : 1 (hex)
-----
[W3SVC/1]
ServerComment : Default Web Site
ServerAutoStart : True
ServerState : Started
BINDING : http *:80:
BINDING : https *:443:
And as mentioned, all SChannel events become unreadable, so I can't get you any more SChannel events.
UPDATE:
I can now read the Schannel events, and right before the undefined error, SChannel logs something interesting:
The TLS server credential's private key has the following properties:
CSP name: Microsoft Software Key Storage Provider
CSP type: 0
Key name: te-!0021WebServer-b64b9b22-aa1a-4425-9f2e-902ae3c4cada
Key Type: N/A
Key Flags: 0x20
Seeing as it says Key Type: N/A, could that be the cause? Does SChannel not actually support ECDSA521?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
@Joshua Hemphill The problem cannot be confirmed based on these messages, can you provide more information about this issue?
@Sam Wu-MSFT I've added all available debugging data. If there's some way to retrieve the corrupted SChannel events, let me know.
@Joshua Hemphill The SChannel event becomes unreadable. It may be that schannel is corrupted. You can try the following steps to solve this problem. 1. Run cmd with admin access type cmd. 2. Type the following commands, regsvr32 schannel.dll /u, regsvr32 schannel.dll.
When the commands, I get an error:
RegSvr32
The module "schannel.dll" was loaded but the entry-point
DllUnregisterServer was not found.
Make sure that "schannel.dll" is a valid DLL or OCX file and
then try again.
I also ran DISM /restorehealth and now I can read the the SChannel events again.
The event right before the undefined error might be helpful, I've just added it to the main question.
@Joshua Hemphill It is also possible that SHA512 is disabled in Windows when you use TLS 1.2. more information you can refer to this link: SHA512 is disabled in Windows when you use TLS 1.2.
We've used IISCrypto to set all our Protocol, Algorithm, Cipher, and Hash settings.
SHA512 is enabled. I should also mention we're on Windows Server 2019, that link indicated it applies to older Windows Server versions. I'd assume it is already active in an up-to-date Windows Server 2019.
I've attached all our registry cryptography settings: 99165-disable-old-protocols-and-algs-make-all-explicit.txt
The same error you can use as a reference: hresult-0x8007054f-when-setting-application-pool-identity-to-a-custom-account.
So I should try deleting the machine keys and reinstalling IIS?
Hi @Joshua Hemphill You can try it, but be careful to back up your files.
It made no difference. Ran into the exact same error.
I created certificates using the the Legacy Cryptographic Provider and I can set up everything fine with that without errors, but as soon as I try to assign one using the newer cryptographic provider it still crashes.
Hi @Joshua Hemphill I suggest you use https://support.microsoft.com.
Unfortunately since we can use the less secure Legacy Cryptography Providers (which are only going to get harder to use with the deprecation of IE), the company I work for isn't willing to pay for the one-off support agreement that's required to contact anyone in support that will look at anything related to IIS/SChannel.
I wish there was a way to just submit a bug report, I could see the whole crashing and corrupting of SChannel being exploited in some sort of exploit some day.
Hi JoshuaHemphill, Did this link help you? internal-error-occurred-0x8007054f.
No, I've already ran DISM online repair several times, and reinstalled all services, to no avail.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 70%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
I know that it is an old thread but someone can find it useful when finds this searching for an answer.
I had the same error when tried to bind an ECDH_P521 certificate to an IIS site.
I changed the cert to an ECDH_P384 and it works!