🔍 Overview
If you've encountered the following error in your Windows Event Viewer:
“The IIS Admin Service service terminated with the following service-specific error: Invalid Signature”
you're likely dealing with a cryptographic issue affecting the IIS metabase. This blog post walks you through the root causes, diagnostics, and step-by-step resolutions to restore service functionality.
🧠 What Causes This Error?
This error typically appears as Event ID 7024 and is often triggered by:
- Corruption or deletion of the machine key used by IIS.
- Improper SSL certificate updates.
- Misconfigured permissions on cryptographic folders.
The IIS Admin Service relies on a secure machine key (usually a file starting with c23) stored in:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
If this key is missing or invalid, IIS cannot decrypt its configuration, resulting in the “Invalid Signature” error.
🧪 Diagnostic Steps
- Check Event Viewer
Look for Event ID 7024 under System logs.
- Verify Machine Key Presence
Navigate to the MachineKeys folder and check for a file starting with c23.
- Audit Permissions
Ensure SYSTEM and Administrators have Full Control on the MachineKeys folder.
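The three checks above can be run as one read-only PowerShell script. This is an added example, not part of the original post; it assumes an elevated prompt and identifies SYSTEM and Administrators by their well-known SIDs (S-1-5-18 and S-1-5-32-544) so that it also works on non-English Windows.

```powershell
# Added example: read-only diagnostics; nothing here changes files or ACLs.
$keyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# 1. Recent Event ID 7024 entries in the System log that mention the IIS Admin Service.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7024 } `
              -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'IIS Admin Service' }
if ($events) {
    $events | Select-Object -First 5 TimeCreated, Message | Format-List
} else {
    Write-Output 'No Event ID 7024 entries for the IIS Admin Service were found.'
}

# 2. Machine key file whose name starts with c23 (-Force includes hidden/system files).
$keys = Get-ChildItem -Path $keyDir -Filter 'c23*' -File -Force -ErrorAction SilentlyContinue
if ($keys) {
    $keys | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Output "No file starting with c23 was found in $keyDir."
}

# 3. Full Control for SYSTEM and Administrators on the folder.
$required = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$sidType  = [System.Security.Principal.SecurityIdentifier]
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl
# Explicit and inherited rules, with identities returned as SIDs.
$rules    = (Get-Acl -Path $keyDir).GetAccessRules($true, $true, $sidType)

foreach ($sid in $required.Keys) {
    $allow = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    # A Deny entry for the same principal can override the Allow, so flag it.
    $deny = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Deny'
    }
    $state = if ($allow -and -not $deny) { 'OK' } else { 'CHECK' }
    Write-Output ('{0,-15} Full Control: {1}' -f $required[$sid], $state)
}
```

A `CHECK` result means the principal either lacks an Allow entry with Full Control or has a Deny entry on the folder; review the ACL before applying Option 3.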
🛠️ Resolution Steps
✅ Option 1: Restore from Backup
If you have a backup of the c23* file:
- Replace the corrupted file.
- Restart the IIS Admin Service.
🔄 Option 2: Reinstall IIS 6 Metabase Compatibility
If no backup is available:
- Delete the corrupted c23* file.
- Open Server Manager → Manage Optional Features.
- Uninstall IIS 6 Metabase Compatibility.
- Reboot the server.
- Reinstall the feature to regenerate the machine key.
🔐 Option 3: Reset Permissions
Ensure the following permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys:
- SYSTEM: Full Control
- Administrators: Full Control
💡 Pro Tips
- Always back up the MachineKeys folder before making changes.
- Consider enabling IIS Configuration Backup for future recovery.