IIS Support Blog

Keyset does not exist (exception from HRESULT: 0x8009000D) or 0x80090016 or 0x80090005 while ch

Jawahar Ganesh S
Feb 15, 2019

I have seen a lot of people run into this specific issue on IIS 7 and later versions.

When we try to change an application pool's identity to a domain account, the error below appears when the change is committed.

There was an error while performing this operation.

Details:

Keyset does not exist ( exception from HRESULT : 0x8009000D)


The error code may differ, but the text "Keyset does not exist" appears whenever you try to set a custom account as an application pool identity, or to specify a Connect As user in the basic settings of a site.

You might also see the following error codes:

0x80090016

0x80090005

Why am I seeing this issue?

This issue occurs when the IIS-specific machine keys are corrupt or missing.

The machine keys can become corrupt after an improper shutdown, after a system crash, or when the machine was cloned from an existing image.

It is always a good idea to keep a backup of the machine keys.

Before explaining in detail what goes wrong internally, let's look at the machine keys IIS needs for encryption. The key location depends on the operating system; from Windows Server 2008 R2 onwards it is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and the files are:

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID    iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID    NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID    iisWasKey

These three keys are used by IIS 7 and later versions to encrypt the configuration.

The configuration that references these keys lives in C:\Windows\System32\inetsrv\config\applicationHost.config and looks like this:

<configProtectedData>
    <providers>
        <add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
        <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
        <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
    </providers>
</configProtectedData>

IIS 6.0 uses a different key, c2319c42033a5ca7f44e731bfd3fa2b5_GUID, for its encryption. If the IIS Admin Service fails to start on an IIS 7 or IIS 6 machine, the first things to check are whether metabase.xml is corrupted or whether c2319c42033a5ca7f44e731bfd3fa2b5_GUID is corrupted.

IIS never stores sensitive data such as passwords in plain text: values are encrypted before they are written to the configuration and decrypted when they are needed.

So if the machine keys above are corrupted, the IIS configuration and the keys are out of sync and every encryption or decryption task starts failing. That is why the error appears when changing the application pool identity to a domain or custom account. If you change the identity to an account such as Local System, Network Service or a service account, which needs no password and hence no encryption, the task succeeds.

To confirm that machine key corruption is the cause, try changing the Connect As account of any website or virtual directory in IIS to a custom account; you will see the same error.
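As an added example (not part of the original post), the following PowerShell script performs that confirmation without changing anything: it looks for the three key files in the MachineKeys folder, reads the providers from applicationHost.config, and tries to open each referenced key container through the machine key store; a container CryptoAPI cannot open fails here with the same "Keyset does not exist" text. The paths and file-name prefixes are the ones listed in the article; run it from an elevated prompt.

```powershell
# Added example, not from the original post: read-only check of the IIS machine keys.
# Run from an elevated PowerShell prompt. Paths and key-file prefixes are the ones
# given in the article; the part after "_" in the file name is the machine GUID.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$appHost     = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$expected = @{
    '6de9cb26d2b98c01ec4e9e8b34824aa2' = 'iisConfigurationKey'
    'd6d986f09a1ee04e24c949879fdb506c' = 'NetFrameworkConfigurationKey'
    '76944fb33636aeddb9590521c2e8815a' = 'iisWasKey'
}

# 1. Are the key files present on disk?
foreach ($prefix in $expected.Keys) {
    $file = Get-ChildItem -Path $machineKeys -Filter "$prefix*" -Force -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($file) { "OK       $($expected[$prefix]) -> $($file.Name) ($($file.Length) bytes)" }
    else       { "MISSING  $($expected[$prefix]) (no file starting with $prefix)" }
}

# 2. Which key containers does applicationHost.config reference?
[xml]$cfg = Get-Content -Path $appHost -Raw
$providers = @($cfg.SelectNodes('/configuration/configProtectedData/providers/add'))
if ($providers.Count -eq 0) { "WARNING  no <configProtectedData>/<providers> entries in $appHost" }
foreach ($p in $providers) { "PROVIDER $($p.name) -> keyContainerName=$($p.keyContainerName)" }

# 3. Can each referenced container be opened from the machine key store?
#    A missing or corrupt container throws "Keyset does not exist" here, just as in IIS Manager.
foreach ($name in ($providers.keyContainerName | Sort-Object -Unique)) {
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        "OK       container '$name' opened (RSA $($rsa.KeySize)-bit)"
        $rsa.Dispose()
    } catch {
        "FAILED   container '$name': $($_.Exception.Message)"
    }
}
```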

How to fix the issue?

Most of the time we suggest rebuilding or reinstalling IIS. But what if reinstalling IIS is not an option?

Let’s see if there is something else we can do before we end up reinstalling IIS.

Before you proceed with the steps below, take a backup of the IIS configuration so that you do not have to configure everything from scratch if you end up reinstalling IIS.

To back up the IIS configuration, install Web Deploy (msdeploy) from http://www.iis.net/downloads/microsoft/web-deploy

Once Web Deploy is installed and you reopen the inetmgr console, the option to export a server package appears at the root node.

Click on Export Server Package.

You will want to encrypt the package with your own password. To do that, click on Advanced Settings.

Enter the encryption password. You will need this password when importing the package.

Click on OK and then Next.

Save the package (a zip file); you can import it later if needed.

To import the package, follow similar steps: click on Import Server Package at the root node of IIS and enter the encryption password.

How to work around the machine key corruption?

Enough of the why. Coming back to the main issue: how do we fix the machine key corruption and the errors below?

There was an error while performing this operation.

Details:

Keyset does not exist ( exception from HRESULT : 0x8009000D)

We can regenerate these machine keys without reinstalling IIS completely. To do that, follow these steps.

1) Rename the files below, or move them to a different location, from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID    iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID    NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID    iisWasKey

2) Back up applicationHost.config, then delete everything inside the <providers> element of the <configProtectedData> section, leaving the tags themselves in place:
<configProtectedData>
    <providers>
    ...
    </providers>
</configProtectedData>

3) Open a command prompt as administrator and run the command below:

"%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries"

These steps regenerate the machine keys and the configProtectedData section of applicationHost.config.

If this doesn't help, the most preferable option is to reinstall IIS to fix the corruption.

Hope this helps.
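As an added example (not the post's own code), here are steps 1 to 3 as a PowerShell script for an elevated prompt. Rather than deleting anything, it copies applicationHost.config and moves the key files into a timestamped backup folder under C:\ProgramData (the folder name is my own choice), empties only the <providers> element, and then runs the iissetup.exe command from step 3. Paths, file prefixes and the command are the article's.

```powershell
# Added example, not from the original post: steps 1-3 of the article as a script.
# Nothing is deleted; key files and the config are copied to a backup folder first.
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$appHost     = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backupDir   = Join-Path $env:ProgramData ('IISKeyBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Step 2's prerequisite first: back up applicationHost.config before touching anything.
Copy-Item -Path $appHost -Destination (Join-Path $backupDir 'applicationHost.config.bak')

# Step 1: move the three key containers out of MachineKeys (file-name prefixes from the article).
$prefixes = '6de9cb26d2b98c01ec4e9e8b34824aa2', 'd6d986f09a1ee04e24c949879fdb506c', '76944fb33636aeddb9590521c2e8815a'
foreach ($prefix in $prefixes) {
    $files = @(Get-ChildItem -Path $machineKeys -Filter "$prefix*" -Force -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { "note: no file starting with $prefix (already missing)"; continue }
    foreach ($f in $files) {
        Move-Item -Path $f.FullName -Destination $backupDir -Force
        "moved $($f.Name) to $backupDir"
    }
}

# Step 2: empty <providers> inside <configProtectedData>, keeping the enclosing tags.
$raw = Get-Content -Path $appHost -Raw
$pattern = '(?s)(<configProtectedData[^>]*>\s*<providers>).*?(</providers>\s*</configProtectedData>)'
if ($raw -notmatch $pattern) { throw "could not find <configProtectedData><providers> in $appHost" }
$new = [regex]::Replace($raw, $pattern, '$1' + "`r`n        " + '$2')
# applicationHost.config is UTF-8 with a BOM; write it back the same way.
[System.IO.File]::WriteAllText($appHost, $new, (New-Object System.Text.UTF8Encoding($true)))

# Step 3: regenerate the keys and the configProtectedData section.
& (Join-Path $env:windir 'system32\inetsrv\iissetup.exe') /install SharedLibraries
if ($LASTEXITCODE -ne 0) { "iissetup.exe returned $LASTEXITCODE; inspect $appHost before continuing" }
"done; backups are in $backupDir"
```

If you need to roll back, copy applicationHost.config.bak over applicationHost.config and move the key files from the backup folder back into MachineKeys.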


Author: Chiranth Ramaswamy

Published Feb 15, 2019
Version 1.0
  • JHerschel (Iron Contributor)

    Thank you,

    This helped us fix an error after we cloned servers...

  • Sachin_Khartode (Copper Contributor)

    Issue fixed for me by making below changes:

    1. Regenerated Keys in IIS server level and application level.

    2. Re-run the build agent and upgrade the targets in devOps deployment groups.

    3. Provided full access permission for roles IUser & IISUser & ServerAdminUser on C:\inetpub\wwwroot\myapp

    and C:\ProgramData\Microsoft\Crypto\RSA

    and C:\Windows\System32\inetsrv\Config

  • BrijendraGautam (Copper Contributor)

    Great Article, I've followed all the steps and it works.
    But in the last step, after running "%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries", it throws an error:

    The command will return the following error: Failed = 0x80070005.


    So I searched the web and found https://support.boyum-it.com/hc/en-us/articles/4405431430417-B1WebDashboard-installation-There-was-an-error-during-the-IIS-configuration-process-Your-original-IIS-configuration-will-be-restored


    Even with this error, new files will be created and the applicationHost.config will get new data in it, and you should hopefully be able to change the AppPool account without issue

  • Simpuhl (Copper Contributor)

    I am trying to do this after migrating from Hyper-V to VMware (clone) but it's not working. JHerschel, was this all you did?

  • Marc_Garavaglia (Copper Contributor)

    Hello,

    After migrating a VM with vmware converter we had exactly this problem.

    Thank you very much for your article.

    It solved our problem,

    Regards.

  • Great article, helped me several times. Just another point: please re-encrypt all the sensitive sections, like passwords, again after creating new machine keys (e.g. find "password" in ApplicationHost.config).

    This is required because the password would have been encrypted with the previous machine key, hence the need for re-encryption.
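As an added example (not from the post or the comment above), this PowerShell script lists every value in applicationHost.config that IIS stores in its [enc:provider:ciphertext:enc] form, together with the provider, and therefore the key container, it was encrypted with. Those are exactly the passwords that must be re-entered once the keys have been regenerated. The script only reads the file and never attempts a decryption; the path is the article's.

```powershell
# Added example, not from the original post or comment: list the protected values in
# applicationHost.config that were encrypted under the old keys and must be re-entered.
# Run from an elevated prompt; it only reads the file and never decrypts anything.
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $appHost -Raw

# IIS writes protected attributes as [enc:<providerName>:<base64 ciphertext>:enc].
$encPattern = '^\[enc:(?<provider>[^:]+):.*:enc\]$'
$found = 0
foreach ($attr in $cfg.SelectNodes('//@*')) {
    if ($attr.Value -match $encPattern) {
        $found++
        # Build a readable path from the ancestors' name/path attributes, e.g.
        # configuration/system.applicationHost/applicationPools/MyPool/processModel
        $parts = @()
        for ($e = $attr.OwnerElement; $e -is [System.Xml.XmlElement]; $e = $e.ParentNode) {
            $id = if ($e.HasAttribute('name')) { $e.GetAttribute('name') }
                  elseif ($e.HasAttribute('path')) { $e.GetAttribute('path') }
                  else { $e.Name }
            $parts = @($id) + $parts
        }
        "{0}/@{1}  encrypted with provider '{2}'" -f ($parts -join '/'), $attr.Name, $Matches['provider']
    }
}
if ($found -eq 0) { "no [enc:...] values found in $appHost" }
```

Each listed attribute is re-encrypted under the new keys as soon as you set the password again in IIS Manager (application pool identity, or Connect As for a site or virtual directory).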