Unable To Start or Modify DefaultAppPool Due To HRESULT 0x80090016
Article ID: 378785
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Attempting to start or modify the DefaultAppPool in IIS results in a message similar to:
Keyset does not exist (Exception from HRESULT: 0x80090016)
Environment
App Control Server: All Supported Versions
Microsoft Windows: All Supported Versions
Microsoft IIS: All Supported Versions
Cause
This typically happens when the Key Set is corrupted, or when the Private Key for the Certificate bound to Port 443 is corrupt or missing on the application server.
Resolution
1. Log in to the application server hosting the Console as the Carbon Black Service Account.
2. Temporarily stop the services:
   - Carbon Black App Control Reporter
   - Carbon Black App Control Server
3. Verify the current certificate bound to Port 443 in IIS:
   - Go to: Start > Run > inetmgr > OK
   - Expand: SERVERNAME > Sites
   - Right click Parity Console Web > Edit Bindings > https > Edit
   - Click View and note the following details, as they will be needed in later steps:
     - Issued To: Should match the Server Address and may be needed for the new certificate.
     - Issued From: Helpful for locating a backup if it lists a Certificate Authority.
     - Subject Alternative Name: Indicates old Server Address(es); may be needed for the new certificate.
     - Valid from/to: Helpful for locating a backup.
     - Serial Number: Helpful for locating a backup.
4. Delete the existing certificate from IIS Manager:
   - In IIS Manager: Select the SERVERNAME > Server Certificates
   - Right click the relevant Certificate > Remove
5. If a backup of the certificate with Private Keys is found, or a Certificate Authority can re-issue it, import and bind the backup.
6. If no backup of the certificate exists and a Self-signed Certificate is in use, generate a new one using PowerShell. Open an administrative PowerShell and issue the relevant command using the details noted in Step 3 (replace 'Some Identifying Name', ServerAddress and AlternativeAddress with those values):
   - Without Subject Alternative Name:
     New-SelfSignedCertificate -KeyUsage DigitalSignature -KeyUsageProperty All -FriendlyName 'Some Identifying Name' -DnsName ServerAddress
   - With Subject Alternative Name:
     New-SelfSignedCertificate -KeyUsage DigitalSignature -KeyUsageProperty All -FriendlyName 'Some Identifying Name' -DnsName ServerAddress, AlternativeAddress
7. Click Start > Run > certlm.msc > OK, then expand Personal > Certificates and verify the new certificate is shown.
8. Once confirmed, export a backup with the Private Key:
   - Right click the relevant Certificate > All Tasks > Export > Next
   - Yes, export the private key > Next
   - Check: Export all extended properties > Next
   - Specify a Password > Next
   - Specify a Location > Next > Finish
9. In IIS Manager, bind the new certificate:
   - Expand: SERVERNAME > Server Certificates > verify the new certificate is shown (may require exit/re-open)
   - Expand: SERVERNAME > Sites > Right click Parity Console Web > Edit Bindings > https > Edit
   - SSL Certificate > select the new Certificate > OK > Close
   - Left click: SERVERNAME and from the right-hand menu > Restart
10. Start the services:
    - Carbon Black App Control Reporter
    - Carbon Black App Control Server
11. Log in to the Console and navigate to Assets > Computers.
12. If Agents do not start reconnecting, the Agent Server Communication Certificate will also need to be re-imported.
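The following PowerShell diagnostic is an added example and is not part of this article or of the App Control product. It reads the certificate HTTP.sys has bound to the Console's HTTPS port and tries to open its private key, which is the condition whose failure IIS reports as "Keyset does not exist"; it assumes the IIS default binding address 0.0.0.0:443 (pass -IpPort for a different one) and should be run in an administrative PowerShell on the application server, before or after the steps above, to confirm the cause or the fix.

```powershell
# Added diagnostic, not part of the KB article: reports whether the certificate HTTP.sys has
# bound to the Console's HTTPS port still has an openable private key. A certificate that is
# present but whose key set is gone is what IIS surfaces as "Keyset does not exist" (0x80090016).
# Assumption: the binding uses the IIS default address 0.0.0.0:443; pass -IpPort otherwise.
function Test-ConsoleSslKey {
    param([string]$IpPort = '0.0.0.0:443')
    $r = [ordered]@{ IpPort = $IpPort; Thumbprint = $null; Subject = $null; NotAfter = $null
                     SubjectAltName = $null; HasPrivateKey = $false; KeyOpenable = $false; Detail = '' }

    # netsh shows what HTTP.sys actually has bound, independent of what IIS Manager displays.
    $listing = (netsh http show sslcert ipport=$IpPort) -join "`n"
    $m = [regex]::Match($listing, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})')
    if (-not $m.Success) {
        $r.Detail = "No SSL certificate is bound to $IpPort."
        return [pscustomobject]$r
    }
    $r.Thumbprint = $m.Groups[1].Value.ToUpper()

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $r.Thumbprint }
    if (-not $cert) {
        $r.Detail = 'Bound thumbprint is not in LocalMachine\My; the certificate itself is missing.'
        return [pscustomobject]$r
    }
    $r.Subject  = $cert.Subject
    $r.NotAfter = $cert.NotAfter
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) { $r.SubjectAltName = $san.Format($false) }
    $r.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) {
        $r.Detail = 'No private key reference; import a PFX backup or issue a new certificate.'
        return [pscustomobject]$r
    }

    # HasPrivateKey only records that a key container is referenced. Opening the key is what
    # fails with "Keyset does not exist" when the container has been deleted or corrupted.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $key) { throw 'no RSA private key could be opened' }
        $r.KeyOpenable = $true
        $r.Detail = "Private key accessible ($($key.KeySize)-bit RSA); key set is intact."
    } catch {
        $r.Detail = "Private key cannot be opened: $($_.Exception.Message). Follow the Resolution steps."
    }
    return [pscustomobject]$r
}

Test-ConsoleSslKey | Format-List
```

The Subject, NotAfter and SubjectAltName fields mirror the details Step 3 asks you to record, so the output can also serve as the note taken in that step.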