
Unable to open Certificate Management page: Unknown error (0x80005000)


Article ID: 175310


Products

IT Management Suite

Issue/Introduction

The customer reported an issue while trying to open the "Certificate Management" (under SMP Console > Settings > All Settings > Notification Server) and/or "Cloud-enabled Management Agent IIS Website Settings" (under SMP Console > Notification Server > Cloud-Enabled Management) pages.
The NS logs showed errors like these:

Entry 1:
HTTP Request failed:
/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?Url=http%3a%2f%2flocalhost%2faltiris%2fconsole%2ftree.aspx%3fViewGuid%3da57fb0e9-0676-4e00-929a-6bb37dc1f888%26%26ConsoleGuid%3d1b22db4e-a898-443f-9b99-855b1653d3f5&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ParentGuid=00000000-0000-0000-0000-000000000000&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5

Unknown error (0x80005000)

Entry 2:
Failed to process web request.

Exception of type 'System.Web.HttpUnhandledException' was thrown.
[System.Web.HttpUnhandledException @ System.Web]
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(HttpContext context)
at Altiris.NS.UI.AltirisPage.ProcessRequest(HttpContext context)

Unknown error (0x80005000)


We also saw other errors with the same "Unknown error (0x80005000)":

Entry 3:

NegotiateCertificateRequest.Process() failed to get certificate chaing of agent web site.
Unknown error (0x80005000)


Or errors like:

Entry 4:

Cetificate generation failed with exception.

Cannot find object or property

Entry 5:

Failed to process master certificate loading.

Cannot find object or property

Entry 6:

Failed to get certificate private key property length.Failure code:-2146885628


 

Even when we tried to Reconfigure NS Settings within SIM, we got this error:

Failed to load IIS WebSite server information

Unknown error (0x80005000)
[System.Runtime.InteropServices.COMException @ System.DirectoryServices]
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_IsContainer()
at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
at Symantec.Installation.Model.NSSettingsManager.LoadLocalWebSiteInfo()


 

The Application event logs showed:

Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 6/26/2019 9:09:10 AM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: MySMPserver.domain.com
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/26/2019 9:09:10 AM
Event time (UTC): 6/26/2019 1:09:10 PM
Event ID: a07b0f772c904289b676d764c0492389
Event sequence: 5551
Event occurrence: 6
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/Altiris/NS-2-132059482067408367
Trust level: Full
Application Virtual Path: /Altiris/NS
Application Path: D:\Program Files\Altiris\Notification Server\Web\
Machine name: MySMPserver

Process information:
Process ID: 3596
Process name: w3wp.exe
Account name: IIS APPPOOL\SMP Server AppPool

Exception information:
Exception type: COMException
Exception message:
Unknown error (0x80005000)
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Exists(String path)
at Altiris.NS.Security.Cryptography.CertificateManager.GetSiteHttpsCertificate(Int32 nDefSiteNumber, String sSiteRegValue, Boolean includePrivateKey)
at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetNSWebCertificateGuid()
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.NSCertificateItemLoader.LoadAndRegisterItems()
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.InitializeCertificateCache(Type type)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.LoadCertificatesByType(Type type, CertificateConsumer eConsumer, DataTable dt)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.LoadCertificates(CertificateConsumer eConsumer)
at Altiris.NS.UI.Admin.Configuration.CertificateManagementPage.LoadDataSource(CertificateConsumer eConsumer, CertificateStatus eStatus)
at Altiris.NS.UI.Admin.Configuration.CertificateManagementPage.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at Altiris.NS.UI.Controls.PageCachePage.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Multiple errors referring to "Unknown error (0x80005000)"

Environment

ITMS 8.0 or later

Cause

Issues accessing or reading "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys". This is a Microsoft issue caused by problems encrypting/decrypting. IIS depends upon this key for encryption/decryption of metabase keys.

 

Resolution

Since this is an issue with Microsoft's MachineKeys, the following steps are provided as best effort. We recommend contacting Microsoft Support if the steps below don't solve the issue.

Try the following:

A) Give your user (in our case, the «user» should be the NS «App Identity») Full Access to the following folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (or C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys in previous OS versions).
Note:
Also make sure that the MachineKeys folder has Full Control for both Administrators and System. Make sure that the "C23" key has "Administrators" and "System" Full Control permissions set on it.

We found that on some occasions the permissions on the MachineKeys directory needed to have the service account (App Identity) added instead of just the Administrators group:

  1. Change security on directory:
    • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  2. Add your App Identity account, with the following minimum "Advanced" set of permissions:
    • Create files / write data
    • Create folders / append data
    • Write attributes
    • Write extended attributes
    • Delete
  3. After hitting Apply, accept the "Access is denied" errors for 5 directories, if any.
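
The permission check from step A as a PowerShell script, added here as an example and not part of the original article or the product: it reports whether Administrators, SYSTEM and the App Identity hold the listed rights on MachineKeys and on the "C23" key files, and only changes the ACL when run with -Grant. The account name `DOMAIN\svc-ns-appid`, the function name `Test-AllowAce` and the `c23*` file filter are assumptions.

```powershell
# Added example: audit the MachineKeys ACLs from step A; -Grant adds the minimum rights.
# Run elevated. $AppIdentity is a placeholder for the NS Application Identity account.
param(
    [string]$AppIdentity = 'DOMAIN\svc-ns-appid',   # placeholder value (assumption)
    [switch]$Grant
)
$path    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$full    = [System.Security.AccessControl.FileSystemRights]'FullControl'
# Minimum "Advanced" permissions the article lists for the App Identity
$minimum = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete'

function Test-AllowAce {
    # True when the Allow ACEs naming $Identity directly (explicit or inherited)
    # cover $Needed. Group membership and Deny ACEs are not evaluated.
    param([string]$Item, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Needed)
    $sid = $Identity
    if ($Identity -notlike 'S-1-*') {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $granted = 0
    $aces = (Get-Acl -LiteralPath $Item).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        if ($ace.IdentityReference.Value -eq $sid -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    ($granted -band [int]$Needed) -eq [int]$Needed
}

if ($Grant) {
    # Add the minimum rights for the App Identity, inherited by the key files
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AppIdentity, $minimum, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-18 = SYSTEM
$checks = @(@{ Item = $path; Identity = $AppIdentity; Needed = $minimum })
$items  = @($path) + @(Get-ChildItem -LiteralPath $path -Filter 'c23*' -File -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.FullName })   # folder plus the "C23" key file(s)
foreach ($item in $items) {
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') { $checks += @{ Item = $item; Identity = $sid; Needed = $full } }
}
foreach ($c in $checks) {
    [pscustomobject]@{ Item = $c.Item; Identity = $c.Identity; Needed = $c.Needed
                       Present = Test-AllowAce -Item $c.Item -Identity $c.Identity -Needed $c.Needed }
}
```

A row with `Present = False` marks an item where the account has no direct Allow entry covering the listed rights; rights obtained only through group membership are not counted.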

If providing Full Control permissions to your Application Identity account doesn't solve the problem, check whether you are seeing messages such as "The IIS Admin Service terminated with the following service-specific error: Invalid Signature", as mentioned in TECH253250. Also check whether you have issues starting the AppPools, as mentioned in TECH251748 "Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist".

B) If the steps suggested in step A above do not help, please review this Microsoft article: Windows Troubleshooting: could not start the IIS Admin Service - error code -2146893818

  1. Uninstalling and then reinstalling just the "IIS 6 Metabase Compatibility" Role Service should help solve some issues with IIS accessing the private keys that our pages are trying to use:
    1. Open "Server Manager" for your Windows Server
    2. Under Manage, select "Remove Roles and Features"
    3. Select "Server Roles" on the left tree
    4. Under "Roles", expand "Web Server (IIS)" > "Management Tools" > "IIS 6 Management Compatibility"
    5. Uncheck "IIS 6 Metabase Compatibility". Follow the next steps provided by the UI.
    6. Reinstall "IIS 6 Metabase Compatibility" by using "Add Roles and Features" in "Server Manager"

Additional Information

172641 "Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist"

212574 "MachineKeys folder is growing too large"