ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist

book

Article ID: 172641

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The customer is trying to access the SMP Console but he just get a HTTP 503 error message. While looking at the Application Pools, the Default AppPool, SMP Server AppPool and Symantec Agent AppPool are in a stop state. Looking at the Application and System Event logs, the following errors were present:

windows System logs errors:
The IIS Admin Service service terminated with the following service-specific error: 
Invalid Signature.

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Windows Application logs errors:

The worker process for application pool 'DefaultAppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist
' trying to read configuration data from file '\\?\
C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '229'. The data field contains the error code

The worker process for application pool 'Symantec Agent AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist
' trying to read configuration data from file '\\?\
C:\inetpub\temp\apppools\Symantec Agent AppPool\Symantec Agent AppPool.config', line number '229'. The data field contains the error code

The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist
' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\SMP Server AppPool\SMP Server AppPool.config', line number '229'. The data field contains the error code.

 

If we inspect the mentioned line number (in this example line number '229'), the line looks like this one:

<virtualDirectory path="/pkggroup_ujx3culrnnxtx7hhefhbc565rdl2uymt" physicalPath="\\MyPackagesRepository\Apps$" userName="epm\Administrator" password="[enc:AesProvider:zmGHs+r0Mn2CRm7gWNJl8WzymQbcj0K9CRG1LtyKJVs=:enc]" />



 

Cause

According to the error message, IIS can't decrypt the provided password in that affected line:
password="[enc:AesProvider:zmGHs+r0Mn2CRm7gWNJl8WzymQbcj0K9CRG1LtyKJVs=:enc]"

In this particular example the issue was caused because IIS_IUSRS group didn't have access to the MachineKeys in order to decrypt the password.

Environment

ITMS 8.0, 8.1, 8.5, 8.6

Resolution

This usually means there's a problem using the MachineKeys to decrypt encrypted data in the config. This can be caused by file permissions on the MachineKeys directory.

To resolve,

  1. Ensure IIS_IUSRS group has Read/Browse access on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, confirm permissions has propagated to key files correctly.
  2. After that, restart IIS (by running iisreset from the command prompt)

Additional Information

175310 "Unable to open Certificate Management page: Unknown error (0x80005000)"

212574 "MachineKeys folder is growing too large"