In attempting to resolve some recurring SChannel failure events we applied the suggested NTFS permissions to the Machine Keys folder (under ProgramData) and exported a certificate from the personal store.
After exporting the certificate from the personal store on Server 2012 Essentials the server began to have problems. Among the problems is that 19 services will not start. Most, if not all, of these services are related to the Essentials Role/Experience. Remote users are unable to login to the RWA portal although it does show up in remote browser.
The crux of this seems to be a problem (or problems) with certificates. The event log is filled with various failures, many of which refer to keys / cryptography. For example, the Provider Registry Service, on which many of the Essentials services rely, will not start because:
Event 1025 (.NET Runtime exception)
Message: Unhandled exception in OnStart: System.ArgumentException: It is likely that certificate 'CN=SERVERNAME' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptograp[...]ption: Keyset does not exist
We also have Event 36870
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Also, when we try to “Manage Private Keys” on the SERVERNAME Personal certificate we receive the error “No keys found for certificate!”
Also, Event 36888
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
What we have done so far:
Reimported the previously exported certificate CN=domain-Servername=CA, which seems to be fine.
Reviewed the permissions for C:\ProgramData\Microsoft\C[...]s using MS KB278381
We are able to “Manage Private Keys” for all certs in the personal store except for CN=SERVERNAME
Thought we'd try this platform before going to MS with a support case, so any help would be appreciated.
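The post's three symptoms ("Keyset does not exist" from the .NET service, "No keys found for certificate!" from Manage Private Keys, and the SChannel 36870 failure) all point at the same question: does the certificate's key-provider property still reference a key container that exists on disk and is readable by the service account? The script below is an added diagnostic, not part of the original post or of Windows Server Essentials. It walks LocalMachine\My, tries to open each matching certificate's private key the way CryptoAPI/CNG would, resolves the key container's unique name to its file under ProgramData, and prints that file's ACL. The subject filter 'CN=SERVERNAME' is the placeholder used in the post; the script name Check-CertKey.ps1 is an assumption. Run it from an elevated PowerShell prompt on the affected server.

```powershell
# Check-CertKey.ps1 (added example, not from the original post)
# For each LocalMachine\My certificate whose subject matches the filter:
#   1. report whether the certificate carries a private-key reference,
#   2. try to open that key (this is where "Keyset does not exist" surfaces),
#   3. locate the key container file on disk and print its ACL.
# 'CN=SERVERNAME' is a placeholder taken from the post; substitute the real subject.
param(
    [string]$SubjectFilter = 'CN=SERVERNAME'
)

# Key container files live in one of these two folders depending on the provider.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # legacy CSP (RSA) keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')              # CNG key storage provider
)

function Get-KeyUniqueName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Legacy CSP keys: reading X509Certificate2.PrivateKey opens the container through
    # CryptoAPI and throws "Keyset does not exist" when the container cannot be found.
    $csp = $Cert.PrivateKey
    if ($csp -and $csp.CspKeyContainerInfo) {
        return $csp.CspKeyContainerInfo.UniqueKeyContainerName
    }
    # CNG keys: PrivateKey is $null, so open via the RSA extension method (.NET 4.6+).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.UniqueName
    }
    return $null
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectFilter*" }
if (-not $certs) {
    Write-Warning "No certificate matching '$SubjectFilter' in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    "Subject       : $($cert.Subject)"
    "Thumbprint    : $($cert.Thumbprint)"
    "NotAfter      : $($cert.NotAfter)"
    # HasPrivateKey only means the certificate's key-provider property references a
    # container; it does not prove the container still exists or is readable.
    "HasPrivateKey : $($cert.HasPrivateKey)"

    try {
        $unique = Get-KeyUniqueName -Cert $cert
    } catch {
        "Private key open FAILED: $($_.Exception.GetBaseException().Message)"
        continue
    }
    if (-not $unique) {
        "No private key reference on this certificate (key was never linked, or was deleted on export)"
        continue
    }

    "Key container : $unique"
    $file = $keyDirs |
        ForEach-Object { Join-Path $_ $unique } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $file) {
        "Container file NOT FOUND under: $($keyDirs -join '; ')"
        continue
    }

    "Container file: $file"
    # The service account (for Essentials services usually LocalSystem or NetworkService)
    # needs at least Read on this file; compare against what is printed here.
    (Get-Acl -LiteralPath $file).Access | ForEach-Object {
        "  ACL: {0,-35} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    }
}
```

How to read the output: if the key is opened and the container file is found but the ACL lacks an entry for the service account, the fix is a permission change on that one file (not on the whole MachineKeys folder). If "Private key open FAILED ... Keyset does not exist" is printed and no container file is found for the unique name, the certificate still references a key that is no longer on disk; `certutil -repairstore my <thumbprint>` can only re-link a certificate to a container that still exists, so in that case the key has to come back from a PFX export that included it, or the certificate has to be re-issued. The CNG branch relies on `RSACertificateExtensions`, which requires .NET Framework 4.6 or later on the server.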