Permissions of MachineKeys Folder on Server 2012

I just had a customer whose Exchange 2013 machine was acting … weird. There were issues with the OWA site loading, and some bizarre event log messages regarding SChannel errors. I began investigating these by opening the IIS console and looking at the bindings for HTTPS, which appeared good.

And then I clicked OK … the server slowed significantly (wrote thousands of messages to the event log), and then I received this message:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: [...])

At this moment, IIS went down. Knowing this message can happen because of a certificate validity issue, I checked the certificates console and found the certificates showed valid, with private keys in place. The event log yielded Schannel #36870 messages reading:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

Some quick Google-fu suggested that my private keys were either missing or inaccessible. There are many articles out there on this, such as this one at MSDN or this MS KB Article, but they are a bit lacking for Server 2012. Here's some stuff to know:

  • Some articles reference C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA, while others reference C:\Users\All Users\Application Data\Microsoft\Crypto\RSA. The one above references C:\ProgramData\Microsoft\Crypto\RSA. On Server 2012 these all resolve to the same directory: Documents and Settings is an NTFS junction to C:\Users, and the All Users\Application Data path is a chain of symbolic links and junctions that ends in C:\ProgramData (they are reparse points, not hard links). C:\ProgramData\Microsoft\Crypto\RSA is the real location, so a fix applied there is visible under every path.
  • I had issues making this fix without first stopping the Cryptographic Services service (CryptSvc).
  • The article wants you to confirm that Administrators has Full Control of the MachineKeys folder, and that Everyone has the following individual permissions:
    – List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions
  • None of the articles discuss inheritance. In my case, I had every one of the permissions right, but the Applies To section was “This folder” only. It has to be This folder, subfolders and files. Note that this is broader than the Windows default, where the Everyone entry applies to this folder only and each key file carries its own ACL, so once the server is healthy it is worth auditing the per-file ACLs rather than leaving Everyone with inheritable write access to every private key.
  • I had to take ownership of the directory and all files within, because the files themselves had inheritance turned off.

After the above work, I restarted the service and found that I could re-bind the certificates in IIS.
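The steps above as a script, added here as an example rather than code from the original post: it stops CryptSvc, takes ownership, rewrites the folder ACL with the two entries scoped to this folder, subfolders and files, re-enables inheritance on the key files, restarts the service, and then checks that the certificate bound to the HTTPS site actually has a key container file under MachineKeys. It assumes an elevated PowerShell prompt on the affected Server 2012 box, the canonical C:\ProgramData path (the other paths in the post resolve to it), and a CAPI (CSP) RSA key container, which is what Exchange and IIS certificates normally use; the WebAdministration module is used only to read the binding's thumbprint.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$MachineKeys    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$Administrators = [System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544'   # BUILTIN\Administrators
$Everyone       = [System.Security.Principal.SecurityIdentifier] 'S-1-1-0'

# The "special" permissions for Everyone as .NET FileSystemRights flags
# (ListDirectory = List Folder/Read Data, CreateFiles = Create Files/Write Data,
#  CreateDirectories = Create Folders/Append Data).
$EveryoneRights = [System.Security.AccessControl.FileSystemRights] (
    'ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, ' +
    'CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions')

function Repair-MachineKeysAcl {
    param([string]$Path = $MachineKeys)

    # Cryptographic Services has to be stopped or the ACL change does not stick.
    Stop-Service -Name CryptSvc -Force
    try {
        # Take ownership of the folder and every file in it as Administrators (/A),
        # recursively (/R), answering Yes on any folder we cannot list (/D Y).
        & takeown.exe /F $Path /A /R /D Y | Out-Null

        # Folder ACL: Administrators Full Control and Everyone the listed rights, both
        # scoped to "This folder, subfolders and files" (ContainerInherit + ObjectInherit),
        # which is the scope the post found missing.
        $scope = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
        $acl   = Get-Acl -Path $Path
        $acl.SetAccessRuleProtection($true, $false)        # explicit entries only, nothing inherited from C:\ProgramData
        foreach ($old in $acl.Access) { [void]$acl.RemoveAccessRule($old) }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Administrators, 'FullControl', $scope, 'None', 'Allow')))
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Everyone, $EveryoneRights, $scope, 'None', 'Allow')))
        Set-Acl -Path $Path -AclObject $acl

        # The key files had inheritance turned off, so the folder entries never reached
        # them; switch inheritance back on for each file so the new entries propagate.
        Get-ChildItem -Path $Path -File -Force | ForEach-Object {
            $fileAcl = Get-Acl -Path $_.FullName
            $fileAcl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $_.FullName -AclObject $fileAcl
        }
    }
    finally {
        Start-Service -Name CryptSvc
    }
}

function Test-MachineKeysAcl {
    # Shows the explicit entries on the folder, then confirms that the certificate with
    # the given thumbprint has a private key whose container file exists under $Path.
    param([string]$Path = $MachineKeys, [Parameter(Mandatory)][string]$Thumbprint)

    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize | Out-Host

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { Write-Warning 'certificate has no private key'; return $false }
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        # CNG keys cannot be opened this way; their files live under
        # C:\ProgramData\Microsoft\Crypto\Keys, not under RSA\MachineKeys.
        Write-Warning "not a CSP key container: $($_.Exception.Message)"; return $false
    }
    if (-not $container) { Write-Warning 'no CSP key container name available'; return $false }
    $file = Join-Path -Path $Path -ChildPath $container
    if (Test-Path -Path $file) { Write-Host "key file present: $file"; return $true }
    Write-Warning "key file missing: $file"; return $false
}

# Usage: repair, then check the certificate bound to the first HTTPS site binding.
Repair-MachineKeysAcl
Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https | Select-Object -First 1
Test-MachineKeysAcl -Thumbprint $binding.certificateHash
```

Running the check before the repair is a cheap way to confirm the diagnosis: a certificate that shows a private key in the certificates console but whose container file is missing from MachineKeys, or is not readable as Administrators, is exactly the condition that produces the Schannel 36870 event, and the Everyone entry's InheritanceFlags in the printed table will show "None" when the Applies To scope is wrong.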