Certificate issue on Server 2012 Essentials

Preface:
In attempting to resolve some recurring SChannel failure events we applied the suggested NTFS permissions to the Machine Keys folder (under ProgramData) and exported a certificate from the personal store.

Problem/Symptoms:
After exporting the certificate from the personal store on Server 2012 Essentials, the server began to have problems. Among the problems is that 19 services will not start. Most, if not all, of these services are related to the Essentials Role/Experience. Remote users are unable to log in to the RWA portal, although it does show up in a remote browser.

The crux of this seems to be a problem (or problems) with certificates. The event log is filled with various failures, many of which refer to Keys / Cryptography. For example, the Provider Registry Service, on which many of the Essentials services rely, will not start because of:
Event 1025 (.NET Runtime exception)
Message: Unhandled exception in OnStart: System.ArgumentException: It is likely that certificate 'CN=SERVERNAME' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

We also have Event 36870
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Also, when we try to “Manage Private Keys” on the SERVERNAME Personal certificate we receive the error “No keys found for certificate!”

Also, Event 36888
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

What have we done so far:
- Reimported the previously exported certificate CN=domain-Servername=CA, which seems to be fine.
- Reviewed the permissions for C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys using MS KB278381 as reference.
- We are able to "Manage Private Keys" for all certs in the personal store except for CN=SERVERNAME.

Thought we'd try this platform before going to MS with a support case, so any help would be appreciated.
CraftySpaz asked:
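The "No keys found for certificate!" result from Manage Private Keys and the "Keyset does not exist" exception in Event 1025 are the same condition seen from two places: the store entry points at a key container file under MachineKeys that cannot be opened. The script below is an added example (not part of the question or any answer) that checks that link for every certificate in the machine Personal store at once and summarises the key file's ACL, which is what the KB278381 permission review is about. It uses only the default store and MachineKeys paths; the function name is my own. Run it from an elevated PowerShell prompt on the affected server.

```powershell
# Added example, not from the original thread: for each cert in LocalMachine\My,
# report whether its private key container can be opened and whether the key file
# actually exists under ProgramData\Microsoft\Crypto\RSA\MachineKeys.

function Get-MachineCertKeyStatus {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',
        [string]$MachineKeys = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # the store only *claims* a key is linked
            KeyFile       = $null
            KeyFileExists = $false
            KeyFileAccess = $null
            Error         = $null
        }

        if ($cert.HasPrivateKey) {
            try {
                # Reading PrivateKey opens the CSP key container. This is the same call
                # that fails with "Keyset does not exist" in the Essentials service events,
                # so a cert whose key file is gone shows up here with an Error instead.
                $rsa = $cert.PrivateKey
                if ($null -eq $rsa) {
                    # A CNG (KSP) key has no legacy PrivateKey view; its file lives under
                    # ProgramData\Microsoft\Crypto\Keys rather than RSA\MachineKeys.
                    $row.Error = 'Key is not a legacy CSP key (CNG?); not in RSA\MachineKeys'
                } else {
                    $container = $rsa.CspKeyContainerInfo
                    $row.KeyFile = $container.UniqueKeyContainerName
                    if (-not $container.MachineKeyStore) {
                        $row.Error = 'Key container is per-user, not in MachineKeys'
                    } else {
                        $path = Join-Path $MachineKeys $container.UniqueKeyContainerName
                        $row.KeyFileExists = Test-Path -LiteralPath $path
                        if ($row.KeyFileExists) {
                            # Summarise the ACL: this is what KB278381-style checks look at.
                            $row.KeyFileAccess = ((Get-Acl -LiteralPath $path).Access |
                                ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                        }
                    }
                }
            } catch {
                $row.Error = $_.Exception.Message
            }
        }

        New-Object -TypeName PSObject -Property $row
    }
}

# Typical use: list the broken entries first.
Get-MachineCertKeyStatus |
    Sort-Object KeyFileExists |
    Format-Table Subject, HasPrivateKey, KeyFileExists, Error -AutoSize -Wrap
```

A row with HasPrivateKey = True but an Error of "Keyset does not exist" (or KeyFileExists = False) is the state described in the question: the certificate is fine, but the key it references is missing or unreadable, and re-applying folder permissions cannot bring a deleted key file back.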
CraftySpaz (Author) commented:
[Attachment: Cert Info] The cert in question indicates that the private key is there, but when an attempt is made to manage it we get the "No keys found for certificate!" response.
0
CraftySpaz (Author) commented:
How about help with regenerating the certificate and properly installing / assigning it where needed?
0
Jakob Digranes (Senior Consultant) commented:
Is this an internal certificate or from a public 3rd party?
0
Jakob Digranes (Senior Consultant) commented:
Hah ---- sorry. Didn't see the expiry date. This is an internal certificate.
This certificate has the subject name as the server name then?

Could you please give some information on the trust chain?

For regenerating the certificate:

Create an INF file based on the information below:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=FQDN of server, OU=IT dep, O=Firstpoint-LAB, L=Bergen, S=Hordaland, C=NO" ; replace with your info
KeyLength = 2048
Exportable = TRUE
FriendlyName = LANTIME-CERT
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
; SAN= dns=FQDN_you_require&dns=other_FQDN_you_require
;-----------------------------------------------

Save the .inf file as c:\request.inf
Open CMD as administrator and run the following command:

certreq -new c:\request.inf c:\request.req

Then, on your CA (the template name is passed with -attrib; the output file is the issued certificate):

certreq -submit -attrib "CertificateTemplate:YOURTEMPLATENAME" c:\request.req c:\certificate.cer

Then you'll be able to save the .cer file and run, on the server where you created the request:

certreq -accept certificate.cer
0
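The three certreq steps above (new, submit, accept) are easy to get subtly wrong by hand, mostly in the INF quoting and in the -attrib syntax. The script below is an added example, not Jakob's own code, that generates the INF from parameters and runs the same sequence. It differs from the steps above in one respect: it submits from the requesting server by naming the CA with -config, so the request does not have to be copied to the CA. The organisation values, template name, CA config string and working directory are placeholders to be replaced.

```powershell
# Added example (not from the thread): generate request.inf, create the request,
# submit it to the CA with the template name, and accept the issued certificate
# into the machine store so it is bound to the key created by -new.

function New-ServerAuthCertRequest {
    param(
        [string]$Fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$OrgInfo      = 'OU=IT dep, O=EXAMPLE-ORG, L=City, S=State, C=XX',  # placeholder
        [string]$FriendlyName = 'SERVER-AUTH-CERT',
        [string[]]$SanDnsNames = @(),
        [string]$WorkDir      = 'C:\certreq'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'request.inf'
    $req = Join-Path $WorkDir 'request.req'

    # The [RequestAttributes] SAN line is only emitted when extra DNS names are wanted.
    $sanSection = ''
    if ($SanDnsNames.Count -gt 0) {
        $sanSection = "[RequestAttributes]`r`nSAN=" + (($SanDnsNames | ForEach-Object { "dns=$_" }) -join '&')
    }

    # Backticks keep $Windows NT$ literal inside the expanding here-string.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, $OrgInfo"
KeyLength = 2048
Exportable = TRUE
FriendlyName = $FriendlyName
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

$sanSection
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $req
}

function Complete-ServerAuthCertRequest {
    param(
        [Parameter(Mandatory)][string]$RequestFile,
        [Parameter(Mandatory)][string]$TemplateName,          # e.g. the Essentials computer template
        [string]$CaConfig = 'CAHOST\CA-COMMON-NAME',           # placeholder "hostname\CA name"
        [string]$CertFile = (Join-Path (Split-Path $RequestFile) 'certificate.cer')
    )
    # -attrib carries the template; -config names the CA so no interactive picker appears.
    & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $RequestFile $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

    # -accept installs the issued cert and links it to the pending key from -new.
    & certreq.exe -accept $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    return $issued.Thumbprint
}

# Usage (template and CA names are placeholders):
# $req = New-ServerAuthCertRequest -SanDnsNames @('remote.example.test')
# Complete-ServerAuthCertRequest -RequestFile $req -TemplateName 'YOURTEMPLATENAME' -CaConfig 'CAHOST\CA-COMMON-NAME'
```

Because the request is created with MachineKeySet = TRUE and a legacy CSP, the new key lands in RSA\MachineKeys, so after -accept the certificate should show a working "Manage Private Keys" entry; if -accept reports that no matching request is pending, it is being run on a different machine than -new was.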
CraftySpaz (Author) commented:
Hi and thanks for responding.

The cert in question is generated automatically when you set up Server 2012 Essentials and is self-signed, as you deduced.

We were able to generate a new certificate using the MMC add-in once we added "Authenticated Users" group with full control to the Security properties on the template "Windows Server Solutions Computer Certificate Template".  

That said, we aren't sure what to do with it at this point or what to do with the bad Cert, if anything.  Based upon the event log many Essentials services will not start as they still seem to be using the bad cert.  Any idea how we change this functionality to utilize the new certificate?

The following services will not start:

- Windows Server Addins Infrastructure Service
- Windows Server Client Computer Backup Provider Service
- Windows Server Client Computer Backup Service
- Windows Server Client File Backup Provider Service
- Windows Server Devices Provider
- Windows Server Domain Name Management
- Windows Server Health Report Service
- Windows Server Health Service
- Windows Server Identity Management Service
- Windows Server Media Streaming Service
- Windows Server Networking Helper Service
- Windows Server Notifications Provider Service
- Windows Server Office 365 Integration Service (this client uses O365)
- Windows Server Password Synchronization Service
- Windows Server Remote Connection Management Service
- Windows Server Remote Web Access Administration Service
- Windows Server Server Backup Service
- Windows Server Service Provider Registry
- Windows Server Settings Provider
- Windows Server SQM Service

SChannel events 36874 & 36888 persist

Any additional input would be appreciated.
0
CraftySpaz (Author) commented:
Finally resolved this issue.

A long story short goes like this:

We had to Reinstall the CA role in Windows Server 2012 Essentials (http://support.microsoft.com/kb/2795825)
Then PS -> Add-WssLocalMachinecert
Then uninstall all client Essentials connectors.
Then unjoin all clients from domain (move to workgroup) - restarts
Then rejoin all clients using the Essentials Connector http://SERVER/connect - restarts
Then another round of client restarts cause some client won't join the first time...
Then install the Remote Desktop Gateway UI MMC via command line
Then update / reassign the correct 3rd party SSL cert for RDP via RWA

Case closed finally...
1

Jakob Digranes (Senior Consultant) commented:
Good one :-) !
0
CraftySpaz (Author) commented:
No one offered much help so once we resolved the issue we wanted to share it with others.
0
NextStepTech commented:
Hi CraftySpaz,

Thanks so much for documenting this. I am going through the same mess with 2012 Essentials and Private keys gone. In fact the CA service will not even run because of a missing IISWASKey file in the MachineKeys directory.

We purchased Essentials for this client because of the pricing. Was long before my time but now I am the one stuck managing. We are using the server in a very basic role. Only DC/SMB shares/DHCP and DNS.

Do you rejoin the PCs for good measure? Or did you have to do it after you noticed a problem reinstalling the role?

Thanks,
Adam @ NextStep Technology
0
CraftySpaz (Author) commented:
Hi Adam,

The disjoin and rejoin was a necessary step because of new certs.  When the workstations rejoined they received new certs from the server.  The rejoining was performed after the server role reinstall task was complete.

Hope this helps.
0