Getting: Unable to attach private key to certificate. Access is denied.

Article ID: 175518

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer reported an issue while trying to update or refresh the "Certificate Management" page (under SMP Console > Settings > All Settings > Notification Server).
The NS logs showed errors like this one:

Entry 1:

Unable to attach private key to certificate.

Access is denied.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String sPrivateKeyContent)

Unable to attach private key to certificate.

Access is denied.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String sPrivateKeyContent)

Exception logged from:
   at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String)
   at Altiris.Resource.StandardResources.DigitalCertificate.EnsureInitialized()
   at Altiris.NS.StandardItems.CertificateConfiguration.CertificateDetails..ctor(Altiris.Resource.StandardResources.DigitalCertificate)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetCertificateDetails(System.Guid, Int32, System.Guid)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetDetails(System.Guid, System.Collections.Specialized.NameValueCollection)
   at Altiris.Web.NS.Services.GetItemDetails.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

HTTP [GET]: https://mySMP.domian.com/Altiris/NS/GetItemDetails.aspx?ItemGuid=fbdcc503-ccae-4619-908d-29afc74a713a&DetailsProvider=4e4ff680-078a-47dc-9928-23cb833145d0
 ip: [10.16.169.44]; languages: [en-US];
 response: [200 OK]; x-smp-nsversion: [8.5.4249.0];

-----------------------------------------------------------------------------------------------------
Date: 7/24/2019 12:06:24 PM, Tick Count: 179628031 (2.01:53:48.0310000), Size: 3.45 KB
Process: w3wp (21052), Thread ID: 1724, Module: Altiris.Resource.dll
Priority: 1, Source: Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey

Environment

ITMS 8.5

Cause

Problems accessing or reading "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys". This is a Microsoft issue caused by problems encrypting/decrypting. IIS depends on this key for encryption/decryption of metabase keys.

Resolution

Since this is an issue with Microsoft's MachineKeys, the following steps are provided as best effort. We recommend contacting Microsoft Support if the steps below do not solve the issue.

Try the following:

A) Give your user (in our case, the user should be the NS "App Identity") Full Access to the following folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (or C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys in previous OS versions).
Note:
Also make sure that the MachineKeys folder has Full Control for both Administrators and System. Make sure that the "C23" key has "Administrators" and "System" Full Control permissions set on it.

We found that on some occasions the service account (App Identity) had to be added to the permissions on the MachineKeys directory, rather than relying on the Administrators group alone:

  1. Change security on directory:
    • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  2. Add your App Identity account, with the following minimum "Advanced" set of permissions:
    • Create files / write data
    • Create folders / append data
    • Write attributes
    • Write extended attributes
    • Delete
  3. After clicking Apply, accept the "Access is denied" messages reported for 5 directories, if any appear.
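
The permission check from step A as an added PowerShell example (not part of the original article and not vendor code). It reports which of the listed rights are missing on MachineKeys for the App Identity, Administrators and System, and changes the ACL only when run with -Grant. The account name 'CONTOSO\svc-ns-appid' is a placeholder, and the inheritance flags used for the grant are an assumption.

```powershell
# Added example: audit the MachineKeys ACL; run elevated on the Notification Server.
param(
    [string]$AppIdentity = 'CONTOSO\svc-ns-appid',  # placeholder: your NS App Identity account
    [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Grant                                   # without -Grant the script only reports
)

# Minimum "Advanced" permissions the article lists for the App Identity.
$minimum = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete'
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Resolve every identity to a SID so the comparison does not depend on OS language.
$appSid = ([System.Security.Principal.NTAccount]$AppIdentity).Translate([System.Security.Principal.SecurityIdentifier])
$checks = @(
    @{ Name = $AppIdentity;     Sid = $appSid.Value;  Need = $minimum },
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Need = $full },
    @{ Name = 'SYSTEM';         Sid = 'S-1-5-18';     Need = $full }
)

$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($c in $checks) {
    # Union of Allow ACEs naming this SID directly (group membership and Deny ACEs are not evaluated).
    $granted = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference.Value -eq $c.Sid) {
            $granted = $granted -bor [int]$r.FileSystemRights
        }
    }
    $missing = [int]$c.Need -band (-bnot $granted)
    [pscustomobject]@{
        Identity = $c.Name
        Missing  = if ($missing) { [System.Security.AccessControl.FileSystemRights]$missing } else { 'none' }
    }
}
$report | Format-Table -AutoSize

$appMissing = ($report | Where-Object Identity -eq $AppIdentity).Missing
if ($Grant -and $appMissing -ne 'none') {
    # Assumption: apply to this folder, subfolders and files, as the GUI does by default.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $appSid, $minimum, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Granted minimum rights on $Path to $AppIdentity"
}
```

Granting the minimum set rather than Full Control keeps the service account from reading or re-permissioning other machine keys in the folder.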

Now, if providing Full Control permissions to your Application Identity account doesn't solve the problem, see if you have the issue with messages about "The IIS Admin Service terminated with the following service-specific error: Invalid Signature" as mentioned in TECH253250. Also check whether you have issues starting the AppPools, as mentioned in TECH251748 "Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist'".

B) If the steps suggested in step A above do not help, please review this Microsoft Article: Windows Troubleshooting: could not start the IIS Admin Service - error code -2146893818

  1. Uninstalling and then reinstalling just the "IIS 6 Metabase Compatibility" Role Service should help solve some issues with access to the private keys that our pages try to reach through IIS:
    1. Open "Server Manager" for your Windows Server
    2. Under Manage, select "Remove Roles and Features"
    3. Select "Server Roles" on the left tree
    4. Under "Roles", expand "Web Server (IIS)" > "Management Tools" > "IIS 6 Management Compatibility"
    5. Uncheck "IIS 6 Metabase Compatibility". Follow the next steps provided by the UI.
    6. Reinstall "IIS 6 Metabase Compatibility" by using "Add Roles and Features" in "Server Manager"