Share via


SSL stops working in IIS7

Thanks to Robert Patrick for submitting these issues

There have been some issues recently where users complain of SSL connections suddenly no longer working with IIS7. Users can connect to IIS7 websites over https://, but browsing to https:// fails with the typical “Cannot find server or DNS error” message in the browser.

The first issue appears after configuring SSL bindings in IIS, and then rebooting the server (or restarting all of the IIS associated services). Although https:// connections initially work immediately after configuring SSL , after the reboot is complete and a user tries browsing to https:// again they are presented with the error page mentioned above. Event log entries similar to the following will be seen in the event log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/7/2008 2:31:28 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: IISServer
Description:
Cryptographic operation.

Log Name: System
Source: Schannel
Date: 1/7/2008 2:31:28 PM
Event ID: 36870
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IISServer
Description:
A fatal error occurred when attempting to access the SSL server credential private
key. The error code returned from the cryptographic module is 0x80090016.

Note the Return Code of 0x80090016. Details of this error are as follows:

Error Result : 0x80090016 ( -2146893802 )

ID Defined as : NTE_BAD_KEYSET

Error Type : OLE HRESULT Error

Facility : FACILITY_SSPI 0x00000009 ( 9 )

Severity : SEVERITY_ERROR 0x00000001 ( 1 )

Code : 0x00000016 ( 22 )

Source Error file : Winerror.h

Message Text : Keyset does not exist

The problem occurs because the server certificate that IIS is using for the SSL connection was initially installed into the User store and then moved into the Local Machine store by drag-and-dropping it in the Certificates MMC snap-in. During the drag-and-drop process, the private key is not moved from the User to the Local Machine store, even though the drag-and-drop operation appears to be successful.

There are a few ways to work around this behavior. The first option is probably best: install the certificate that IIS will use for server SSL encryption in the Local Machine store to begin with. If for some reason that didn’t happen, the next option is to move the certificate from the User to the Local Machine store by exporting and then importing it, instead of drag-and-drop in the Certificates snap-in. The final option is probably the easiest. After the machine is rebooted, go to the IIS Manager and bring up the Bindings… window for the website in question. Then, select “https”, click on “Edit” then click “Ok” without making any changes to the settings. After doing this, browsing to https:// should now be successful.

Another issue that is being seen occurs due to invalid certificate hash data being present in the IIS configuration file. In this scenario, when one of the IIS services that depend on the ABO mapper gets restarted, https:// connections will no longer work. To reproduce the problem, try adding this line to the <CustomMetadata> section of your applicationhost.config file:

<key path="LM/W3SVC/1">

                <property id="5506" dataType="Binary" userType="1" attributes="None" value="442jqCFFZ77jBhZ7QYHKXuK9drc=" />

      </key>

Next, restart one of the IIS services that depends on the ABO mapper. When the service starts up, the ABO mapper attempts to map the entire configuration tree and will therefore try to load this section and apply its settings. This particular setting is a certificate hash. The ABOMapper deletes the existing SSL mapping with http.sys, then tries to create a new one using this hash value. Since the hash value is invalid, SSL fails and error 0x80092004 gets returned from Schannel. The details of 0x80092004 are as follows:

Error Result : 0x80092004 ( -2146885628 )

ID Defined as : CRYPT_E_NOT_FOUND

Error Type : OLE HRESULT Error

Facility : FACILITY_SSPI 0x00000009 ( 9 )

Severity : SEVERITY_ERROR 0x00000001 ( 1 )

Code : 0x00002004 ( 8196 )

Source Error file : Winerror.h

Message Text : Cannot find object or property.

To avoid this situation, ensure that the certificate hash value(s) in the IIS configuration file are valid.

Comments

  • Anonymous
    May 02, 2009
    This one-of-a-kind SDK opens the door to a number of exciting possibilities:    * Parental control: Filter SSL data based on keywords - unlike current SSL filtering, which is based on IPs.    * Traffic control: Forward data to any proxy, local or remote.    * Spam filtering: Filter encrypted Outlook mail sessions.    * Traffic monitoring: Track surfing activities containing encrypted data (Current tracking products can only report IPs.)    * Stream sniffing: Sniff encrypted network activity.

  • Anonymous
    October 27, 2010
    I've got the same issue and fixed it the same way as your blog describs it but the description of the error in the event was different so I thought about documenting it: Log Name:      System Source:        Schannel Date:          10/10/2010 10:18:49 PM Event ID:      36870 Task Category: None Level:         Error Keywords:       User:          SYSTEM Computer:     ComputerName Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.