Server 2019 - Missing Cryptographic Service Providers (CSP)

Anonymous
2024-06-20T15:15:56+00:00

Had some new 2019 servers built recently, one of which has a problem.

All servers are in the same OU, share the same GPOs, are built from the same template and have the same patch level.

Problematic server should have ~14 Cryptographic Service Providers like the others but only shows 4.

This means that it isn't able to import the private keys for certificates to the right store and thus can't place the private key into c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, but the certificate itself does end up in the machine's personal store saying it has a private key.

The CSPs available when I run certutil.exe -csplist are:

Microsoft Software Key Storage Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Smart Card Key Storage Provider

The missing CSPs are:

Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider

I've compared the registries between working and non-working as much as I can and see no differences.

e.g. HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider is the same, with the 10 missing providers present, including the Microsoft RSA SChannel Cryptographic Provider, which is the one I actually need.

Provider Types keys also match.

I've checked for the presence of the required DLLs such as rsaenh.dll and also run DISM.exe /Online /Cleanup-image /Restorehealth and SFC /Scannow with no issues found.

Anything I can do short of a rebuild? (I have to get another team to do it and they have a long lead time)

I'm guessing it is likely to be some sort of registry issue but can't find out where.

Thanks.

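The comparisons described in the question (registry provider key, provider types, DLL presence, certutil -csplist) can be done in one pass, and the step that is missing from the hand comparison is asking CAPI to load each registered CSP and report why it refuses. The script below is an added example for this thread, not code from the original post or from Microsoft. It assumes that certutil -csplist prints one "Provider Name: ..." line per provider (adjust the regex if your build labels it differently), that each provider subkey carries the "Image Path" and "Type" values, and that the NTE_* error names in the lookup table match the values in wincrypt.h for those codes. Run it from an elevated PowerShell 5.1 prompt on both a working and the broken server and diff the output.

```powershell
# Added example, not part of the original post. Cross-checks the CAPI CSPs registered in
# the registry against what certutil -csplist reports, verifies each provider DLL, and
# probes each registered CSP with CryptAcquireContext(CRYPT_VERIFYCONTEXT) so that a
# provider that is registered but cannot be loaded shows its actual NTE_* error instead
# of silently vanishing from the list.

$providerKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$typeKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types'

# Minimal P/Invoke wrapper around CryptAcquireContextW. Probe() returns 0 when the CSP
# loads; otherwise it returns the Win32/NTE error code from GetLastError.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class CapiProbe {
    [DllImport("advapi32.dll", EntryPoint = "CryptAcquireContextW",
               CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr phProv, string szContainer,
        string szProvider, uint dwProvType, uint dwFlags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);
    const uint CRYPT_VERIFYCONTEXT = 0xF0000000;   // no key container is created or opened
    public static int Probe(string provider, uint provType) {
        IntPtr h;
        if (CryptAcquireContext(out h, null, provider, provType, CRYPT_VERIFYCONTEXT)) {
            CryptReleaseContext(h, 0);
            return 0;
        }
        return Marshal.GetLastWin32Error();
    }
}
'@

# Subset of NTE_* codes (values as in wincrypt.h) that matter when a registered CSP will not load.
$nteNames = @{
    '0x80090006' = 'NTE_BAD_SIGNATURE (provider DLL failed its signature check)'
    '0x80090013' = 'NTE_BAD_PROVIDER'
    '0x80090014' = 'NTE_BAD_PROV_TYPE'
    '0x80090017' = 'NTE_PROV_TYPE_NOT_DEF'
    '0x8009001C' = 'NTE_SIGNATURE_FILE_BAD'
    '0x8009001D' = 'NTE_PROVIDER_DLL_FAIL'
    '0x8009001E' = 'NTE_PROV_DLL_NOT_FOUND'
}

# 1. What the registry says should exist (the key compared by hand in the question).
$registered = Get-ChildItem $providerKey | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Name      = $_.PSChildName
        Type      = [uint32]$v.Type
        ImagePath = [Environment]::ExpandEnvironmentVariables([string]$v.'Image Path')
    }
}

# 2. What certutil actually enumerates. Assumption: one "Provider Name: ..." line per provider.
$enumerated = certutil.exe -csplist | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+?)\s*$') { $Matches[1] }
}

# 3. Per-provider report: registered vs enumerated, DLL present and signed, and the
#    real CryptAcquireContext result.
$report = foreach ($p in $registered) {
    $dllOk = Test-Path -LiteralPath $p.ImagePath
    $sig   = if ($dllOk) { (Get-AuthenticodeSignature -FilePath $p.ImagePath).Status } else { 'Missing' }
    $err   = [CapiProbe]::Probe($p.Name, $p.Type)
    $hex   = '0x{0:X8}' -f ([int64]$err -band 0xFFFFFFFF)
    $status = if ($err -eq 0) { 'OK' } elseif ($nteNames[$hex]) { $nteNames[$hex] } else { $hex }
    [pscustomobject]@{
        Provider       = $p.Name
        Type           = $p.Type
        InCsplist      = ($enumerated -contains $p.Name)
        DllPresent     = $dllOk
        DllSignature   = "$sig"
        AcquireContext = $status
    }
}
$report | Sort-Object InCsplist, Provider | Format-Table -AutoSize

# 4. Provider Types sanity check: every type used by a registered CSP needs a "Type NNN" subkey.
foreach ($t in ($registered.Type | Sort-Object -Unique)) {
    $k = Join-Path $typeKey ('Type {0:D3}' -f $t)
    if (-not (Test-Path $k)) { Write-Warning "Provider Types entry missing for type $t ($k)" }
}
```

A provider that shows InCsplist = False but DllPresent = True with a non-OK AcquireContext column is the interesting case: the registry entry is intact, so a registry diff will never find the fault, and the NTE_* code points at the DLL load or signature check instead. Comparing the DllSignature column between the good and bad server is the quickest way to tell whether rsaenh.dll and friends are the files the OS expects.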

3 answers

  1. Anonymous
    2024-06-21T03:17:06+00:00

    Hi NeillT,

    Thank you for posting in the Microsoft Community Forums.

    Make sure that all servers have the same GPO applied correctly and that there are no missed or misapplied GPOs.

    Pay special attention to GPO settings related to encryption, certificate storage, or security.

    Crypto service providers may be missing.

    You can try reinstalling or updating the relevant encryption software or components.

    Check your server's system logs and security logs for errors or warnings related to encryption or certificates.

    If the certificate itself appears in personal storage and shows that you have the private key, but you can't import it to the C drive, it may be due to a permission issue or a disk issue.

    Make sure you have enough permissions to access the C drive and that the disk is not buggy or corrupted.

    Try using a different user account or administrator account to import the private key and check if you are experiencing the same issue.

    While the certificate appears in personal storage, there may be storage access or configuration issues.

    Check access to the certificate store to ensure that only authorized users can access and modify the certificate.

    Try recreating or repairing the certificate in the certificate store to ensure that it is properly configured and ready to use.

    Check and apply any latest system patches and updates related to encryption or certificates.

    Sometimes, hardware issues or driver incompatibilities can also cause encryption or certificate issues.

    Check your server's hardware and drivers to make sure they are up-to-date and compatible with your operating system and encryption software.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-06-21T08:06:00+00:00

    Hi Neuvi,

    It's a common GPO set between the working and non-working servers; if it wasn't there I wouldn't be able to log on due to the permissions model.

    Patches are all the same.

    All built from same image.

    Local admins have write rights to c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and SYSTEM, which the App Pool is running as, has read rights. But academic anyway since the key hasn't been placed there.

    I think because the CSP is missing Windows has shoved it into the Software Key Storage Provider, which is incorrect, i.e. there is a key there, which is why it's saying so in Cert Mgr, but it's not actually usable since it won't be able to open it.

    Nothing in event logs apart from ASP.NET, which says it can't access the private key.

    If there's any way to force Windows to re-enable the CSPs I'd love to know how to do it. I've done vast amounts of web searching and haven't found anything relevant. Plenty of stuff saying you can tell certutil to import to a particular CSP, but of course that CSP has to actually exist.

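The reply above guesses that the key landed in the Software Key Storage Provider and is unusable there; that can be checked directly rather than inferred from the "has a private key" flag in Cert Mgr. The script below is an added example, not code from the thread. Given a thumbprint in the machine personal store it reports which provider actually holds the key (legacy CAPI CSP or CNG KSP), which key file backs it, whether the key can be opened and used for a signature, and who has read access on that file. $Thumbprint and $AppPoolIdentity are placeholders; the key-file directories assumed are %ProgramData%\Microsoft\Crypto\RSA\MachineKeys for CAPI machine keys and %ProgramData%\Microsoft\Crypto\Keys for software KSP machine keys.

```powershell
# Added example, not from the original thread. Locates the private key behind a machine
# certificate and tests whether it is actually usable, which is the question the
# "HasPrivateKey" flag in Cert Mgr does not answer. Run from an elevated prompt.

$Thumbprint      = '0000000000000000000000000000000000000000'   # placeholder: replace
$AppPoolIdentity = 'IIS AppPool\DefaultAppPool'                 # placeholder: replace

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
"HasPrivateKey (store metadata only): $($cert.HasPrivateKey)"

# On .NET Framework GetRSAPrivateKey returns RSACryptoServiceProvider for a CAPI CSP key
# and RSACng for a CNG key. It throws if the key cannot be opened, which is the real test.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    "Private key cannot be opened: $($_.Exception.Message)"; return
}
if (-not $rsa) { 'Store says there is a private key, but no RSA key could be opened.'; return }

if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info     = $rsa.CspKeyContainerInfo
    $provider = "$($info.ProviderName) (CAPI CSP, type $($info.ProviderType))"
    $keyFile  = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider = "$($rsa.Key.Provider.Provider) (CNG KSP)"
    $keyFile  = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $provider = $rsa.GetType().FullName; $keyFile = $null
}
"Provider holding the key: $provider"
"Key file: $keyFile (exists: $(if ($keyFile) { Test-Path -LiteralPath $keyFile } else { 'n/a' }))"

# Prove the key is usable, not merely present: sign and verify a constructed blob.
# Legacy CSPs (PROV_RSA_FULL / PROV_RSA_SCHANNEL) may reject SHA-256; that is itself a finding.
$data = [Text.Encoding]::UTF8.GetBytes('constructed probe message')
try {
    $sig = $rsa.SignData($data, [Security.Cryptography.HashAlgorithmName]::SHA256,
                         [Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $ok  = $rsa.VerifyData($data, $sig, [Security.Cryptography.HashAlgorithmName]::SHA256,
                           [Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "Sign/verify with the private key: $ok"
} catch {
    "Signing failed: $($_.Exception.Message)"
}

# Each key file carries its own ACL; the MachineKeys directory ACL alone does not grant
# the app pool identity access to the key.
if ($keyFile -and (Test-Path -LiteralPath $keyFile)) {
    $acl = Get-Acl -LiteralPath $keyFile
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq $AppPoolIdentity -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $hasRead) { Write-Warning "$AppPoolIdentity has no explicit Read ACE on $keyFile" }
}
```

If the provider line reports the Software Key Storage Provider while the application expects a CAPI key, that confirms the diagnosis in the reply: the certificate was bound to a CNG key because the requested CSP was not available at import time, and re-importing the PFX with certutil -importPFX -csp "<provider name>" only helps once that CSP is loadable again. If the provider is correct but the sign/verify step fails only under the app pool identity, the missing Read ACE on the key file (fixable with "Manage Private Keys" in the certificates MMC, or Set-Acl on that file) is the cause rather than the CSP.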
  3. Anonymous
    2024-06-24T01:52:08+00:00

    Hi NeillT,

    Have a nice day!

    In cases where some specific CSPs are missing, it may indeed be necessary to reinstall the entire CSP-related components. For built-in CSPs, you can try to accomplish this by repairing the Windows installation or reinstalling the relevant components. Make sure that Windows Server 2019 has been updated to the latest version and that all necessary patches and updates are installed.

    Best regards

    Neuvi Jiang
