We often come across issues where the IIS Admin Service fails to start with a variety of error codes, and those error codes often point to machine key corruption.
Sharing one scenario below:
The IIS Admin Service terminated with “Key not valid for use in specified state”, which clearly means NTE_BAD_KEY_STATE. The machine key starting with c2319 for the IIS Admin Service is corrupted.
How does it work?
--The IIS Admin Service attempts to load the IIS metabase, metabase.xml, into memory upon startup.
--To do this, it has to be able to decrypt certain parts of the metabase using a specific RSA machine key. If for some reason it is unable to decrypt them, the service cannot start.
--The root cause is that the IISAdmin service cannot read the encrypted sections of the IIS configuration file.
Corruption can happen for multiple reasons.
We have usually seen that a patch or Windows update always ends up being the victim of such issues. We always suggest the practice below so that the “patch does not become the victim of any issue”.
It is difficult for us to tell why the machine key file gets corrupted without any data. Auditing can help us provide more clues in case a similar problem occurs again in the future.
1 Enable auditing policy on the problematic IIS server:
2 Enable auditing on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
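The two steps above can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post. It assumes a server where auditpol supports subcategories (Windows Server 2008 and later; on older systems enable "Audit object access" in Local Security Policy instead), and the audited principal and rights are assumptions chosen to record who changes or deletes a key file.

```powershell
# Path as given in the post; adjust it if your OS stores machine keys elsewhere.
$keyDir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

# Step 1: turn on file system object-access auditing for success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) to the MachineKeys folder.
# Assumption: audit Everyone for write, delete, permission and ownership changes.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit is required so the SACL is read and written back along with the rest.
$acl = Get-Acl -Path $keyDir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyDir -AclObject $acl

# Confirm the audit entry is in place.
(Get-Acl -Path $keyDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Later, after a failure: list object-access events (ID 4663) that touched the folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*\Crypto\RSA\MachineKeys\*' } |
    Select-Object TimeCreated, Message
```

The process name and account recorded in each event show what modified or removed the key file before the service failed.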