Unable To Start or Modify DefaultAppPool Due To HRESULT 0x80090016

Article ID: 378785

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Attempting to start or modify the DefaultAppPool in IIS results in a message similar to:

Keyset does not exist (Exception from HRESULT: 0x80090016)

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Microsoft IIS: All Supported Versions

Cause

This typically happens when the Key Set is corrupted or the Private Key for the Certificate bound to Port 443 is corrupt/missing on the application server.

Resolution

  1. Log in to the application server hosting the Console as the Carbon Black Service Account.
  2. Temporarily stop the services:
    • Carbon Black App Control Reporter
    • Carbon Black App Control Server
  3. Verify the current certificate bound to Port 443 in IIS:
    1. Go to: Start > Run > inetmgr > OK
    2. Expand: SERVERNAME > Sites
    3. Right click Parity Console Web > Edit Bindings > https > Edit
    4. Click View and note the following details, as they will be needed in future steps:
      • Issued To: Should match Server Address and may be needed for new certificate.
      • Issued From: Helpful for locating a backup if it lists a Certificate Authority.
      • Subject Alternative Name: Indicates old Server Address(es), may be needed for new certificate.
      • Valid from/to: Helpful for locating a backup.
      • Serial Number: Helpful for locating a backup.
  4. Delete the existing certificate from IIS Manager:
    1. In IIS Manager: Select the SERVERNAME > Server Certificates
    2. Right click the relevant Certificate > Remove
  5. If a backup of the certificate with Private Keys is found or a Certificate Authority can re-issue, import and bind the backup.
  6. If a backup of the certificate does not exist and a Self-signed Certificate is in use, generate a new one using PowerShell:
    1. Open an administrative PowerShell and issue the relevant command using details from Step 3:
      Without Subject Alternative Name:
      New-SelfSignedCertificate -KeyUsage DigitalSignature -KeyUsageProperty All -FriendlyName 'Some Identifying Name' -DnsName ServerAddress

      With Subject Alternative Name:
      New-SelfSignedCertificate -KeyUsage DigitalSignature -KeyUsageProperty All -FriendlyName 'Some Identifying Name' -DnsName ServerAddress, AlternativeAddress
    2. Click Start > Run > certlm.msc > OK
    3. Expand Personal > Certificates and verify the new certificate is shown.
    4. Once confirmed, export a backup with the Private Key: 
      • Right click relevant Certificate > All Tasks > Export > Next
      • Yes, export the private key > Next
      • Check: Export all extended properties > Next
      • Specify a Password > Next
      • Specify a Location > Next > Finish
    5. In IIS Manager
      • Expand: SERVERNAME > Server Certificates > verify new certificate is shown (may require exit/re-open)
      • Expand: SERVERNAME > Sites > Right click Parity Console Web > Edit Bindings > https > Edit
      • SSL Certificate > select the new Certificate > OK > Close
      • Left click: SERVERNAME and from the right-hand menu > Restart
  7. Start the services:
    • Carbon Black App Control Reporter
    • Carbon Black App Control Server
  8. Log in to the Console and navigate to Assets > Computers.
  9. If Agents do not start reconnecting, the Agent Server Communication Certificate will also need to be re-imported.
    • Follow these steps to import either the backup found in Step 5 or the backup created in Step 6.
    • While importing, if prompted for an Update Schedule choose:
      • Expire the current certificate based on the update schedule
      • Update schedule: 1 minutes from now
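
Added example (not part of the original article or of Carbon Black's tooling): a PowerShell check that confirms the Cause above before a certificate is deleted, and verifies the replacement afterwards, by trying to open the private key of every certificate in the Local Computer Personal store. The function name Test-CertPrivateKey is hypothetical. It assumes an administrative PowerShell with .NET Framework 4.6.1 or later, and it tests access for the account running it.

```powershell
# Added example, not from the original article.
# Reports whether each certificate's private key can be opened by the current account.
function Test-CertPrivateKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $status = 'NoPrivateKey'   # certificate carries no private-key reference at all
        $detail = ''
        if ($Certificate.HasPrivateKey) {
            # HasPrivateKey only says a key reference is recorded on the certificate;
            # opening the key is what proves the key set still exists.
            $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
            $ecExt  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
            try {
                $key = $rsaExt::GetRSAPrivateKey($Certificate)
                if ($null -eq $key) { $key = $ecExt::GetECDsaPrivateKey($Certificate) }
                if ($null -ne $key) { $status = 'OK'; $key.Dispose() }
                else { $status = 'Unusable'; $detail = 'No RSA or ECDSA key could be opened' }
            }
            catch {
                # A missing key set typically surfaces here as "Keyset does not exist".
                $status = 'Unusable'
                $detail = $_.Exception.GetBaseException().Message
            }
        }
        [pscustomobject]@{
            Subject      = $Certificate.Subject
            SerialNumber = $Certificate.SerialNumber   # compare with the value noted in Step 3
            NotAfter     = $Certificate.NotAfter
            Thumbprint   = $Certificate.Thumbprint
            KeyStatus    = $status
            Detail       = $detail
        }
    }
}

# Local Computer > Personal > Certificates, the store shown by certlm.msc
Get-ChildItem -Path Cert:\LocalMachine\My | Test-CertPrivateKey |
    Format-Table SerialNumber, NotAfter, KeyStatus, Detail, Subject -AutoSize
```

A certificate whose Serial Number matches the one noted in Step 3 and whose KeyStatus is Unusable is the one to replace in Steps 4 to 6; the certificate imported or generated afterwards should report OK before it is bound to Port 443.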