Certificate issue on Server 2012 Essentials

Asked by CraftySpaz
In attempting to resolve some recurring SChannel failure events we applied the suggested NTFS permissions to the Machine Keys folder (under ProgramData) and exported a certificate from the personal store.

After exporting the certificate from the personal store on Server 2012 Essentials the server began to have problems. Among the problems is that 19 services will not start. Most, if not all, of these services are related to the Essentials Role/Experience. Remote users are unable to log in to the RWA portal, although it does show up in a remote browser.

The crux of this seems to be a problem (or problems) with certificates. The event log is filled with various failures, many of which refer to Keys / Cryptography. For example, the Provider Registry Service, on which many of the Essentials services rely, will not start because of:
Event 1025 (.NET Runtime exception)
Message: Unhandled exception in OnStart: System.ArgumentException: It is likely that certificate 'CN=SERVERNAME' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

We also have Event 36870
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Also, when we try to “Manage Private Keys” on the SERVERNAME Personal certificate we receive the error “No keys found for certificate!”

Also, Event 36888
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

What have we done so far:
Reimported the previously exported Certificate CN=domain-Servername=CA which seems to be fine.
Reviewed the permissions for C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys using MS KB278381 as reference
We are able to “Manage Private Keys” for all certs in the personal store except for CN=SERVERNAME

Thought we'd try this platform before going to MS with a support case, so any help would be appreciated.
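The "No keys found for certificate!" dialog and the "Keyset does not exist" inner exception in Event 1025 both mean the certificate's metadata points at a key container that cannot be opened. The following PowerShell diagnostic is an added example, not code from the question or from Microsoft; it assumes an elevated session on the affected server and CAPI (CSP) keys, which is what the Microsoft RSA SChannel Cryptographic Provider used by Essentials creates. For every certificate in the machine Personal store it opens the private key the same way the services do, then locates the key container file under MachineKeys and lists its ACL, so you can tell a missing key file apart from a permissions problem.

```powershell
# Added diagnostic, not code from the thread. Assumes an elevated PowerShell
# session on the affected server and CAPI (CSP) keys, as created by the
# "Microsoft RSA SChannel Cryptographic Provider" that Essentials uses.

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Test-MachineCertPrivateKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $r = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # metadata flag only; the key file can still be gone
        KeyOpens      = $false
        KeyFile       = $null
        KeyFileAcl    = $null
        Error         = $null
    }
    try {
        # This is where "Keyset does not exist" (the inner exception in Event 1025)
        # surfaces: the cert references a key container that is missing or unreadable.
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $r.KeyOpens = $true
            # For MachineKeySet CSP keys the container file name is the unique container name.
            $file = Join-Path $machineKeys $key.CspKeyContainerInfo.UniqueKeyContainerName
            $r.KeyFile = $file
            if (Test-Path $file) {
                $r.KeyFileAcl = ((Get-Acl $file).Access |
                    ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }) -join '; '
            } else {
                $r.Error = 'Key container opened but no file with that name exists in MachineKeys'
            }
        } elseif ($Cert.HasPrivateKey) {
            $r.Error = 'HasPrivateKey is set but no CSP key object was returned (CNG key or no access)'
        }
    } catch {
        # Property getter failures (e.g. "Keyset does not exist") land here.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineCertPrivateKey -Cert $_ } |
    Format-List
```

Read the output per certificate: KeyOpens true for the administrator while the services still fail points at the key file ACL (the service account is missing from it); KeyOpens false with a "Keyset does not exist" error means the container file is gone and the certificate has to be re-issued rather than re-permissioned, which is the situation this thread ends up in.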


[Cert Info screenshot] The cert in question indicates that the private key is there, but when an attempt is made to manage it we get the "No keys found for certificate!" response.


How about help with regenerating the certificate and properly installing / assigning it where needed?

Is this an internal certificate or from a public 3rd party?

Hah ---- sorry. Didn't see the expiry date. This is an internal certificate.
This certificate has the subject name set to the server name, then?

Could you please give some information on the trust chain?

For regenerating the certificate:

Create an INF file based on the information below:

;----------------- request.inf -----------------
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=FQDN of server, OU=IT dep, O=Firstpoint-LAB, L=Bergen, S=Hordaland, C=NO" ; replace with your info
KeyLength = 2048
Exportable = TRUE
FriendlyName = LANTIME-CERT
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

; Optional, if you need subject alternative names (the CA must accept SAN request attributes):
; [RequestAttributes]
; SAN = "dns=FQDN_you_require&dns=other_FQDN_you_require"

Save the .inf file as c:\request.inf.
Open CMD as administrator and run the following command:

certreq -new c:\request.inf c:\request.req

Then, on your CA:

certreq -submit -attrib "CertificateTemplate:YOURTEMPLATENAME" c:\request.req

Then you'll be able to save a .cer file. On the server where you created the request, run:

certreq -accept certificate.cer


Hi and thanks for responding.

The cert in question is generated automatically when you set up Server 2012 Essentials and is self-signed, as you deduced.

We were able to generate a new certificate using the MMC add-in once we added "Authenticated Users" group with full control to the Security properties on the template "Windows Server Solutions Computer Certificate Template".  

That said, we aren't sure what to do with it at this point or what to do with the bad Cert, if anything.  Based upon the event log many Essentials services will not start as they still seem to be using the bad cert.  Any idea how we change this functionality to utilize the new certificate?

The following services will not start:

- Windows Server Addins Infrastructure Service
- Windows Server Client Computer Backup Provider Service
- Windows Server Client Computer Backup Service
- Windows Server Client File Backup Provider Service
- Windows Server Devices Provider
- Windows Server Domain Name Management
- Windows Server Health Report Service
- Windows Server Health Service
- Windows Server Identity Management Service
- Windows Server Media Streaming Service
- Windows Server Networking Helper Service
- Windows Server Notifications Provider Service
- Windows Server Office 365 Integration Service (this client uses O365)
- Windows Server Password Synchronization Service
- Windows Server Remote Connection Management Service
- Windows Server Remote Web Access Administration Service
- Windows Server Server Backup Service
- Windows Server Service Provider Registry
- Windows Server Settings Provider
- Windows Server SQM Service

SChannel events 36874 & 36888 persist

Any additional input would be appreciated.
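To see at a glance which of the services above are down and which SChannel and .NET events are tied to them, here is an added triage script (not part of CraftySpaz's post and not a Microsoft tool). It assumes PowerShell 3 or later on the Essentials server, that the Essentials services all carry display names beginning with "Windows Server" as in the list, that SChannel logs to the System log under the provider name "Schannel", and that Event 1025 is written to the Application log by the ".NET Runtime" source.

```powershell
# Added triage script, not from the thread. Assumes PowerShell 3+ on the
# Essentials server, Schannel events in the System log (provider 'Schannel')
# and the .NET Runtime Event 1025 in the Application log.

function Get-StoppedEssentialsServices {
    # Every service in the thread's list has a display name starting with "Windows Server";
    # report the automatic-start ones that are not running, with their exit code.
    Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Windows Server %'" |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object DisplayName, Name, State, ExitCode
}

function Get-CertKeyFailureEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 36870 = cannot access the SSL server credential private key (0x8009030D in the thread),
    # 36874/36888 = the TLS failures that follow, 1025 = unhandled .NET exception in a service.
    $schannel = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36870, 36874, 36888; StartTime = $since
    } -ErrorAction SilentlyContinue
    $dotnet = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = '.NET Runtime'; Id = 1025; StartTime = $since
    } -ErrorAction SilentlyContinue

    @($schannel) + @($dotnet) | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Provider = $_.ProviderName
            # The first line of the message carries the error code or the exception type.
            Summary  = ($_.Message -split "`r?`n")[0]
        }
    } | Sort-Object Time
}

function Get-KeyFailureSummary {
    param([int]$Hours = 24)
    $events = @(Get-CertKeyFailureEvents -Hours $Hours)
    [pscustomobject]@{
        StoppedServices   = @(Get-StoppedEssentialsServices).Count
        KeyAccessFailures = @($events | Where-Object { $_.Id -eq 36870 }).Count
        TlsAlerts         = @($events | Where-Object { $_.Id -in 36874, 36888 }).Count
        DotNetCrashes     = @($events | Where-Object { $_.Id -eq 1025 }).Count
        FirstFailure      = if ($events) { $events[0].Time } else { $null }
    }
}

Get-StoppedEssentialsServices | Format-Table -AutoSize
Get-CertKeyFailureEvents | Format-Table -AutoSize
Get-KeyFailureSummary
```

The FirstFailure timestamp is the useful part: if the first 36870 lines up with the permission change on MachineKeys or with the certificate export, the key container went missing at that point, and restarting the services will keep producing 1025 crashes until the machine certificate is re-issued.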
Finally resolved this issue.

Long story short, it goes like this:

We had to Reinstall the CA role in Windows Server 2012 Essentials (http://support.microsoft.com/kb/2795825)
Then PS -> Add-WssLocalMachinecert
Then uninstall all client Essentials connectors.
Then unjoin all clients from domain (move to workgroup) - restarts
Then rejoin all clients using the Essentials Connector http://SERVER/connect - restarts
Then another round of client restarts, because some clients won't join the first time...
Then install the Remote Desktop Gateway UI MMC via command line
Then update / reassign the correct 3rd party SSL cert for RDP via RWA

Case closed finally...

Good one :-) !


No one offered much help so once we resolved the issue we wanted to share it with others.
Hi CraftySpaz,

Thanks so much for documenting this. I am going through the same mess with 2012 Essentials and Private keys gone. In fact the CA service will not even run because of a missing IISWASKey file in the MachineKeys directory.

We purchased Essentials for this client because of the pricing. Was long before my time but now I am the one stuck managing. We are using the server in a very basic role. Only DC/SMB shares/DHCP and DNS.

Do you rejoin the PCs for good measure? Or did you have to do it after you noticed a problem reinstalling the role?

Adam @ NextStep Technology


Hi Adam,

The disjoin and rejoin was a necessary step because of new certs.  When the workstations rejoined they received new certs from the server.  The rejoining was performed after the server role reinstall task was complete.

Hope this helps.
