ASP.NET 2.0 Event ID 1334 Keyset does not exist

Windows 2012 R2 Standard 64 bit
SharePoint 2010 SP2 Farm 64 bit

Received this error today

Source:        ASP.NET 2.0.50727.0
Date:          5/31/2015 6:11:01 AM
Event ID:      1334
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SERV013.FQDN.com
Description:
An unhandled exception occurred and the process was terminated.

Application ID: DefaultDomain

Process ID: 5964

Exception: System.Security.Cryptography.CryptographicException

Message: Keyset does not exist


StackTrace:    at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.SafeProvHandle._FreeCSP(IntPtr pProvCtx)
   at System.Security.Cryptography.SafeProvHandle.ReleaseHandle()
   at System.Runtime.InteropServices.SafeHandle.InternalFinalize()
   at System.Runtime.InteropServices.SafeHandle.Dispose(Boolean disposing)
   at System.Runtime.InteropServices.SafeHandle.Finalize()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ASP.NET 2.0.50727.0" />
    <EventID Qualifiers="49152">1334</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-05-31T10:11:01.000000000Z" />
    <EventRecordID>16658</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERV013.FQDN.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>An unhandled exception occurred and the process was terminated.

Application ID: DefaultDomain

Process ID: 5964

Exception: System.Security.Cryptography.CryptographicException

Message: Keyset does not exist


StackTrace:    at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.SafeProvHandle._FreeCSP(IntPtr pProvCtx)
   at System.Security.Cryptography.SafeProvHandle.ReleaseHandle()
   at System.Runtime.InteropServices.SafeHandle.InternalFinalize()
   at System.Runtime.InteropServices.SafeHandle.Dispose(Boolean disposing)
   at System.Runtime.InteropServices.SafeHandle.Finalize()</Data>
  </EventData>
</Event>

Any thoughts?
Thomas Grassi, Systems Administrator, asked:
btan, Exec Consultant, commented:
Maybe a permissions problem on the certificate. E.g. under your own user context you have access to that certificate's private key, but your WCF service hosted under IIS, or as a Windows Service, is running (most of the time) under a service account (Network Service, Local Service or some other restricted account).
See steps, especially 4 and 5, in "How to: Make X.509 Certificates Accessible to WCF" https://msdn.microsoft.com/en-us/library/aa702621.aspx

Common errors for "Keyset does not exist"
e.g. (under "X.509 Certificates") - Private key access denied and Private key not found, and there are others for "Decryption"
https://msdn.microsoft.com/en-us/library/ms819978.aspx
Thomas Grassi, Systems Administrator (Author), commented:
btan

Thanks for responding.

Since this is most likely an IIS issue, the account is NETWORK SERVICE.

But I am not sure where to get that long number information from for step number 5.

Thoughts?
btan, Exec Consultant, commented:
For Windows 2012, you can check out icacls.exe, which should be available in the resource kit for the Windows OS, but I think you can look into this instead:
The security properties of the private key file can be set through the certificate MMC snap-in. (Start -> Run -> "mmc" -> Add snap-in -> Certificates -> Local Machine/Personal cert store). You need to give the application pool user read access to the private key file.

http://www.dotnetnoob.com/2011/01/how-to-give-iis-access-to-private-keys.html

Or this solution, stated using the Certificates Tool from WSE 3.0:
To update the permissions, you need to click on the View Private Key File Properties… button. The dialog that opens is the usual file properties dialog so it should look familiar and updating the security settings should be straightforward. You only need to allow Read & Execute and Read permissions for the account running your app.
https://benoit808.wordpress.com/2008/10/31/cryptographicexception-the-handle-is-invalid/
Thomas Grassi, Systems Administrator (Author), commented:
btan

I was headed down this way; I know it is a security issue.

I ran MMC but do not know which certificate to look for here.

Will the WSE Tool run on Windows 2012 Server with IIS 8.5?

But I still need to know which certificate to change.

I know which user account it is now; I found that from the application pool.

The icacls program is installed on my Windows 2012 server.

The user account is spfarm, which is a domain user account.
Thomas Grassi, Systems Administrator (Author), commented:
Btan

Still struggling with this one

How do I know which certificate to modify?

Thanks

Tom
btan, Exec Consultant, commented:
I am relooking at the approach - there should be some certificate you are using for this app, isn't it - you know best how this error will trigger, and likely during some crypto operation like signing or encryption ...

... as to verifying the keyset, I see using the WSE tool will be better then, since it drills into the cert store and identifies the corresponding private key. Once you run the WSE tool
https://benoit808.wordpress.com/2008/10/31/cryptographicexception-the-handle-is-invalid/

- Choose the location of the certificate for which you want to alter permissions ("in my case it is on the Local Computer in the Personal store") and click on Open Certificate.
- To update the permissions, you need to click on the View Private Key File Properties… button.
- You only need to allow Read & Execute and Read permissions for the account running your app.

Tool info - https://msdn.microsoft.com/en-us/library/ms824698.aspx
Download of WSE tool - http://www.microsoft.com/en-us/download/details.aspx?id=6545
Thomas Grassi, Systems Administrator (Author), commented:
btan

Yes, I installed the WSE Tool.

On Windows 2012 Server it installed, but I cannot find the program wsecertificate2.exe on the server.

Thoughts?
btan, Exec Consultant, commented:
Do download it from Web Services Enhancements (WSE) 3.0 for Microsoft .NET for the tools, as the previous link is the runtime (missed that out, pardon me).
Note: WSE 3.0 is not supported if installed on a computer with a version of the .NET Framework earlier than 2.0 or a version of Visual Studio earlier than Visual Studio 2005.
https://www.microsoft.com/en-us/download/details.aspx?id=14089

Thomas Grassi, Systems Administrator (Author), commented:
Btan

Good news: the download link you just gave me was correct.

I now can use the WSE Tool.

My only problem now is which certificate is the one I need to find.

The error message does not point to what needs to be corrected.

I loaded the certificates in MMC under Local Computer I see many Certificates

Thoughts?
btan, Exec Consultant, commented:
It should be your personal store (Local Machine / Personal store, or Current User / Personal store (which is often the default and only accessible to the user that is currently logged in, which means if you want your webserver to access it, )) per se; rightfully the code will grab one of them - and a good time to find out. Though not easy to enumerate and test one by one on the permission stuff, but if you do not have that code, we are none the wiser .. one example, in http://blogs.msdn.com/b/saurabh_singh/archive/2009/07/03/required-permissions-when-calling-a-web-service-using-client-certificate-for-authentication-in-an-asp-net-web-application.aspx

Supposedly, in a web app, the user login whose AppPool will likely be using NETWORK SERVICE to run the web application. And adding "NETWORK SERVICE" to have the Read and Read / Execute permissions is mostly sufficient for running apps to read the selected private key... now it is really about pinpointing the key as shared...

I am thinking of enabling an application to throw detailed WSE error messages or event tracing, but it can be tedious likewise ... https://msdn.microsoft.com/en-us/library/aa529559.aspx
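The enumeration btan describes, as an added example that is not from this thread or from any Microsoft tool: an elevated PowerShell script that walks the Local Machine Personal store, resolves each certificate's private key file and reports whether the app pool account can read it, granting Read via icacls only when asked. `DOMAIN\spfarm` is a placeholder for the real app pool identity, and the CNG branch assumes .NET Framework 4.6 or later is present.

```powershell
# Added example, not from this thread. Run elevated on the SharePoint/IIS host.
param(
    [string]$Account = 'DOMAIN\spfarm',   # placeholder, replace with the real app pool account
    [switch]$Grant                        # when set, grant Read on key files the account cannot read
)
# Machine key files: CAPI (RSACryptoServiceProvider) keys and CNG keys live in different folders
$capiDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$cngDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
$readBit = [int][System.Security.AccessControl.FileSystemRights]::Read
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $label = "$($cert.Subject) [$($cert.Thumbprint)]"
    if (-not $cert.HasPrivateKey) {
        Write-Output "$label : public part only, no private key in this store"
        continue
    }
    $keyFile = $null
    try {
        # CAPI keys expose the container file name; reading PrivateKey throws the same
        # CryptographicException ("Keyset does not exist") when the file is missing or unreadable
        $info = $cert.PrivateKey.CspKeyContainerInfo
        if ($info) { $keyFile = Join-Path $capiDir $info.UniqueKeyContainerName }
    } catch {
        Write-Output "$label : PrivateKey access failed: $($_.Exception.Message)"
    }
    if (-not $keyFile) {
        # CNG keys (assumes .NET Framework 4.6+ on the host)
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyFile = Join-Path $cngDir $rsa.Key.UniqueName }
        } catch { }
    }
    if (-not $keyFile -or -not (Test-Path $keyFile)) {
        Write-Output "$label : key file not found; the cert may need re-import with its private key"
        continue
    }
    $acl = Get-Acl $keyFile
    $canRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (([int]($_.FileSystemRights) -band $readBit) -eq $readBit)
    }
    if ($canRead) {
        Write-Output "$label : $keyFile readable by $Account"
    } elseif ($Grant) {
        icacls $keyFile /grant "$($Account):(R)" | Out-Null   # same effect as the MMC/WSE Read permission
        Write-Output "$label : granted Read on $keyFile to $Account"
    } else {
        Write-Output "$label : $keyFile NOT readable by $Account"
    }
}
```

Only ACEs naming the account directly are checked; access inherited through group membership is not resolved, so a "NOT readable" line is a prompt to inspect, not proof of denial.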
Thomas Grassi, Systems Administrator (Author), commented:
Hello

Using the WSE tool I went through each certificate.
Local computer
Under every store name I found
Store names
Intermediate certification authorities
Untrusted certificates
Trusted root certification authorities
Trusted people

The only certificate that opened the
View private key file properties
was WMSVC-serv013.

All other certificates gave this:
Private key does not exist or is not accessible

The forefrontidentitymanager certificate gave:
Unhandled exception has occurred in your application


Tried same with current user

Same results

Thoughts?
btan, Exec Consultant, commented:
Seems like the private key is missing (pfx only has the public key) and the error message can be due to that as well... https://msdn.microsoft.com/en-us/library/aa529292.aspx

Some hints, and maybe (2) for your case: you have to get the cert re-imported ... needs more work
If you have already tried all the troubleshooting steps mentioned in this article, then there are chances that either:
 1. Service account has issues due to group policies. Trying all the steps with any service account would help to isolate the issue.
 2. Could be the certificate is not exported properly with private key. Re-exporting the certificate properly may help.
 3. Some other unknown issue. In that case you can try using Process Monitor to analyze overall process failure.
http://blogs.msdn.com/b/servergeeks/archive/2014/07/10/keyset-does-not-exist-error.aspx
Thomas Grassi, Systems Administrator (Author), commented:
BTAN

Have not seen this error for a while.

Maybe the one certificate I updated did the trick.

If it pops up again I will post again

Thanks for your help
btan, Exec Consultant, commented:
Thanks for sharing.