Here are the symptoms:
You start receiving calls from users that one of your legacy web apps isn't coming up, so you log into your IIS 5 server to check it out. When you pull up the services, you notice that the WWW Publishing service isn't running. When you attempt to start it, you're met with this ugly error:
Attempting to start INETManager (start > run > Inetmgr) will generate an equally unwelcome error that will say something like
The specified handle is invalid. Do you want to continue to connect in the future?
This issue occurs when the machine key is under stress, which causes the Crypto subsystem to incorrectly reset the value of the MachineGUID key and in turn makes the original IIS machine key invalid and the IIS admin service unable to access the metabase.
To resolve this issue, go through the following steps:
Backup and delete the existing machine key
1. Open windows explorer, and navigate to C:\Documents and Settings\All Users\Application Data\Microsoft\CryptoRSAMa
chineKeys . Verify that you have hidden files/folders turned on, otherwise you won't be able to see this directory.
2. Right click on the Name field, and select Created, so that the details will show you the created date/time of each file.
3. Look for files that start with c23. You should have 2 of them at this point and they will look similar to this:
4. Backup a copy of the c23 file which has the most recent created date, and then delete it. In my example above I'm backing up and then deleting the one that was created on 1/11/2009, which matches up with the time that the problems started occurring on this server.
The next step of the process is to rename the remaining machine key to the correct value.
5. Open up the registry editor (start > run > regedit) and navigate to HKEY_LOCAL_MACHINE\SOFTWAR
6. Open the MachineGUID key, and make note of the value. I just copy/paste this value into notepad.
7. Close the registry, and navigate back to your explorer window which contains the machine keys.
8. Right click on the remaining file that begins with c23 and click Rename. Delete everything after the underscore, and replace it with the value you copied from step #6.
For example, if the MachineGuid entry from the registry had a value of 1b2162a0-ed5a-4d56-bd8a-8f
, you would add this value to the file name after the underscore so that the file name would be similar to the following:
9. After renaming the file, go back into your services and restart the IIS Admin Service. Make sure you restart the IIS Admin Service and not just the WWW service! Attempting to only restart the WWW service will result in the same error.
Per Microsoft, a hotfix ( http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=884872&kbln=en-us
) for this issue is available but I have not tested it yet at this point. If you must remain on IIS 5 then this hotfix may be your only alternative to prevent the issue from happening again, but it would be my advice to move your applications to IIS 6 or IIS 7 if at all possible.
Additional instructions for SSL Websites
I had to take some additional steps to get everything functioning when I ran into this issue on an externally facing IIS 5 server, which had web apps utilizing SSL. After doing everything listed above I was able to hit my websites now over http with no problem, but when I attempted to hit the one site using SSL over https I received a Page Cannot be displayed. I checked out the System log and saw a ton of entries like this:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0×80090016.
The fix for this was pretty simple. I just had to remove the cert from my website in IIS, open the Certificates snap-in within an MMC, delete the certificate, and then re-import it and assign it to my site. Luckily I had a copy of the .pfx handy so getting it re-applied was not an issue.
I hope this article will prove helpful to some of you out there, as I know it was a pain for me the first time I came across it. Let this also serve as a great reminder for all of us that we must get everything off of IIS 5 ASAP or it's just a matter of time before your production critical web servers run into an issue like this.