You noticed an issue while trying to open the "Certificate Management" (under SMP Console> Settings>All Settings> Notification Server) and/or "Cloud-enabled Management Agent IIS Website Settings" (under SMP Console> Notification Server> Cloud-Enabled Management) pages.

The NS logs shows errors like these:

Entry 1:

HTTP Request failed:
/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?Url=http%3a%2f%2flocalhost%2faltiris%2fconsole%2ftree.aspx%3fViewGuid%3da57fb0e9-0676-4e00-929a-6bb37dc1f888%26%26ConsoleGuid%3d1b22db4e-a898-443f-9b99-855b1653d3f5&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ParentGuid=00000000-0000-0000-0000-000000000000&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5

Unknown error (0x80005000)

Entry 2:

Failed to process web request.

Exception of type 'System.Web.HttpUnhandledException' was thrown.
[System.Web.HttpUnhandledException @ System.Web]
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(HttpContext context)
at Altiris.NS.UI.AltirisPage.ProcessRequest(HttpContext context)

Unknown error (0x80005000)

The following errors are also seen:

Entry 3:

NegotiateCertificateRequest.Process() failed to get certificate chain of agent web site.
Unknown error (0x80005000)

Entry 4:

Certificate generation failed with exception.
Cannot find object or property

Entry 5:

Failed to process master certificate loading.
Cannot find object or property

Entry 6:

Failed to get certificate private key property length.Failure code:-2146885628

When using SIM to Reconfigure NS Settings this error was returned:

Failed to load IIS WebSite server information
Unknown error (0x80005000)
[System.Runtime.InteropServices.COMException @ System.DirectoryServices]
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_IsContainer()
at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
at Symantec.Installation.Model.NSSettingsManager.LoadLocalWebSiteInfo()

The Application event logs showed:

Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 6/26/2019 9:09:10 AM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: <MySMPserver>.<yourdomain>.com
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/26/2019 9:09:10 AM
Event time (UTC): 6/26/2019 1:09:10 PM
Event ID: a07b0f772c904289b676d764c0492389
Event sequence: 5551
Event occurrence: 6
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/Altiris/NS-2-132059482067408367
Trust level: Full
Application Virtual Path: /Altiris/NS
Application Path: D:\Program Files\Altiris\Notification Server\Web\
Machine name: MySMPserver

Process information:
Process ID: 3596
Process name: w3wp.exe
Account name: IIS APPPOOL\SMP Server AppPool

Exception information:
Exception type: COMException
Exception message: Unknown error (0x80005000)
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Exists(String path)
at Altiris.NS.Security.Cryptography.CertificateManager.GetSiteHttpsCertificate(Int32 nDefSiteNumber, String sSiteRegValue, Boolean includePrivateKey)
at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetNSWebCertificateGuid()
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.NSCertificateItemLoader.LoadAndRegisterItems()
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.InitializeCertificateCache(Type type)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.LoadCertificatesByType(Type type, CertificateConsumer eConsumer, DataTable dt)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.LoadCertificates(CertificateConsumer eConsumer)
at Altiris.NS.UI.Admin.Configuration.CertificateManagementPage.LoadDataSource(CertificateConsumer eConsumer, CertificateStatus eStatus)
at Altiris.NS.UI.Admin.Configuration.CertificateManagementPage.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at Altiris.NS.UI.Controls.PageCachePage.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Multiple errors referring to "Unknown error (0x80005000)"

ITMS 8.0 or later

Issues accessing or reading "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys". This is a Microsoft issue caused by having problems encrypting/decrypting.  IIS depends on this key for encryption/decryption of metabase keys. 

Since this is an issue with Microsoft's MachineKeys, the following steps are provided as best effort. We recommend contacting Microsoft Support if the mentioned steps doesn't solve the issue.

Try the following:

A) Give your user (In our case, the user should be the NS App Identity) Full Access to the following folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Note: Make sure that the MachineKeys folder has Full Control for both Administrators and System. Also make sure that the “C23” key has "Administrators" and "System" Full Control permissions set on it.

We've found that in some occasions the permissions in the MachineKeys directory needed to have the service account (App Identity) added instead of just the administrators group:

1. 1. 1. Change security on directory:
         • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
      2. Add your App Identity account, with the following minimum "Advanced" set of permissions:
         • Create files / write data
         • Create folders / append data
         • Write attributes
         • Write extended attributes
         • Delete
      3. After hitting apply, accept that 5 directories were "Access is denied", if any.

If providing Full Control permissions to your Application Identity account doesn't solve this problem, see if you have the following issue with messages about "The IIS Admin Service terminated with the following service-specific error: Invalid Signature" as mentioned in KB 173738. Also check if you have issues starting the ApplPools like mentioned in KB 172641 "Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist".

B) If the steps suggested in step A above don't help, please review this Microsoft Article: Windows Troubleshooting: could not start the IIS Admin Service - error code -2146893818

Uninstall and then reinstall just the "IIS 6 Metabase Compatibility" Role Service should help you to solve some issues accessing to the private keys that our pages are trying to access by IIS:

1. 1. 1. Open "Server Manager" for your Windows Server
      2. Under Manage, select "Remove Roles and Features"
      3. Select "Server Roles" on the left tree
      4. Under "Roles", expand "Web Server (IIS)>"Management Tools">IIS 6 Management Compatibility
      5. uncheck "IIS 6 Metabase Compatibility". Follow the next steps provided by the UI.
      6. Reinstall "IIS 6 Metabase Compatibility" by using "Add Roles and Features" in "Server Manager"

"Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist" (KB 172641)

"MachineKeys folder is growing too large" (KB 212574)