The customer reported an issue while trying to update or refresh the "Certificate Management" page (under SMP Console > Settings > All Settings > Notification Server).
The NS logs showed errors like this one:
Entry 1:
Unable to attach private key to certificate.
Access is denied.
[System.Security.Cryptography.CryptographicException @ mscorlib]
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String sPrivateKeyContent)
Unable to attach private key to certificate.
Access is denied.
[System.Security.Cryptography.CryptographicException @ mscorlib]
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String sPrivateKeyContent)
Exception logged from:
at Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey(String)
at Altiris.Resource.StandardResources.DigitalCertificate.EnsureInitialized()
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateDetails..ctor(Altiris.Resource.StandardResources.DigitalCertificate)
at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetCertificateDetails(System.Guid, Int32, System.Guid)
at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetDetails(System.Guid, System.Collections.Specialized.NameValueCollection)
at Altiris.Web.NS.Services.GetItemDetails.ProcessRequest(System.Web.HttpContext)
at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
HTTP [GET]: https://mySMP.domian.com/Altiris/NS/GetItemDetails.aspx?ItemGuid=fbdcc503-ccae-4619-908d-29afc74a713a&DetailsProvider=4e4ff680-078a-47dc-9928-23cb833145d0
ip: [10.16.169.44]; languages: [en-US];
response: [200 OK]; x-smp-nsversion: [8.5.4249.0];
-----------------------------------------------------------------------------------------------------
Date: 7/24/2019 12:06:24 PM, Tick Count: 179628031 (2.01:53:48.0310000), Size: 3.45 KB
Process: w3wp (21052), Thread ID: 1724, Module: Altiris.Resource.dll
Priority: 1, Source: Altiris.Resource.StandardResources.DigitalCertificate.AttachPrivateKey
ITMS 8.5
The Notification Server has issues accessing or reading "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys". This is a Microsoft issue caused by problems encrypting/decrypting with the machine key store; IIS depends on a key in this folder for encryption/decryption of its metabase keys.
Because the problem lies with Microsoft's MachineKeys store, the following steps are provided as best effort. We recommend contacting Microsoft Support if these steps don't resolve the issue.
Try the following:
A) Give your user (in our case, the user is the NS App Identity account) Full Control on the following folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (or C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on earlier OS versions).
Note: Also make sure that the MachineKeys folder grants Full Control to both Administrators and System, and that the "C23" key has Full Control permissions set for "Administrators" and "System".
We found that on some occasions the service account (App Identity) had to be added explicitly to the permissions of the MachineKeys directory, rather than relying on the Administrators group alone, with at least the following rights:
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Delete
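As an added illustration (not part of the original article or the product), the following PowerShell script audits the ACL of the MachineKeys folder for the three accounts step A names (Administrators, System and the App Identity), reports which of the rights listed above are missing, and adds them when run with -Grant. The App Identity account name is a placeholder to be replaced with your own, and the script assumes that the "C23" key mentioned above is the key file in that folder whose name begins with c23.

```powershell
# Added example, not part of the original article: audit (and optionally repair) the
# MachineKeys ACL for the accounts named in step A. The App Identity name below is a
# placeholder; the "C23 key" is assumed to be the key file whose name starts with c23.
param(
    [string]$AppIdentity = 'DOMAIN\svc_ns_appidentity',  # placeholder, replace with your NS App Identity
    [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Grant                                        # without -Grant the script only reports
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# Rights the article lists for the App Identity on the folder
$appIdentityRights = $FSR::CreateFiles -bor $FSR::AppendData -bor $FSR::WriteAttributes -bor
                     $FSR::WriteExtendedAttributes -bor $FSR::Delete

# Return the bits of $Needed that no Allow ACE for $Identity grants (0 when all are present)
function Get-MissingRights {
    param($Acl, [string]$Identity, $Needed)
    $granted = 0
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $Identity) {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    return ([int]$Needed -band (-bnot $granted))
}

# Check each account in $Checks against $Target; with -Grant, add the missing rights
function Test-Acl {
    param([string]$Target, $Checks)
    $acl = Get-Acl -LiteralPath $Target
    $changed = $false
    foreach ($c in $Checks) {
        $missing = Get-MissingRights -Acl $acl -Identity $c.Identity -Needed $c.Needed
        if ($missing -eq 0) {
            Write-Output ("OK       {0}  {1}" -f $c.Identity, $Target)
            continue
        }
        Write-Output ("MISSING  {0}  {1}: {2}" -f $c.Identity, $Target,
            [System.Security.AccessControl.FileSystemRights]$missing)
        if ($Grant) {
            # A folder ACE is made inheritable so the key files pick it up; a file ACE cannot inherit
            $inherit = if (Test-Path -LiteralPath $Target -PathType Container) { 'ContainerInherit,ObjectInherit' } else { 'None' }
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $c.Identity, $c.Needed, $inherit, 'None', 'Allow')
            $acl.AddAccessRule($rule)
            $changed = $true
        }
    }
    if ($changed) {
        Set-Acl -LiteralPath $Target -AclObject $acl
        Write-Output "ACL updated: $Target"
    }
}

$folderChecks = @(
    @{ Identity = 'BUILTIN\Administrators'; Needed = $FSR::FullControl },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Needed = $FSR::FullControl },
    @{ Identity = $AppIdentity;             Needed = $appIdentityRights }
)
Test-Acl -Target $Path -Checks $folderChecks

# The "C23" key from the article: Administrators and System need Full Control on the
# key file(s) whose name begins with c23 (assumption about which file is meant)
Get-ChildItem -LiteralPath $Path -Filter 'c23*' -File | ForEach-Object {
    Test-Acl -Target $_.FullName -Checks $folderChecks[0..1]
}
```

Run it from an elevated PowerShell prompt, first without -Grant to see what is missing, then with -Grant once you have confirmed the account name; the folder rule is added as inheritable so the key files underneath receive it as well.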
If granting Full Control to your Application Identity account does not solve the problem, check whether you are also seeing the message "The IIS Admin Service terminated with the following service-specific error: Invalid Signature", as described in TECH253250. Also check whether the Application Pools fail to start, as described in TECH251748, "Application Pools fails to start. Unable to load SMP Console. Error: The worker process for application pool 'SMP Server AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist'".
B) If the steps in A above do not resolve the issue, please review this Microsoft article: Windows Troubleshooting: could not start the IIS Admin Service - error code -2146893818