IIS Admin Service unable to start - How and Why it can happen?

Published Jul 02 2021 09:59 PM 2,027 Views
Microsoft

We often come across issue where IIS admin service fails to start with multiple error codes and often error codes points to machine key corruption..

 sharing one scenario below:

The IIS Admin Service terminated with “Key not valid for use in specified state “ which clearly means NTE_BAD_KEY_STATE. The machine key starting with c2319 for IIS admin service is corrupted

 

How it works?

 

--The IIS Admin Service attempts to load the IIS metabase, metabase.xml into memory upon startup.

--To do this, it has to be able to decrypt certain parts of the metabase, using a specific RSA machine key. if for some reason  its unable to decrypt   service cannot start

 

--The root cause is that the IISAdmin service cannot read the encrypted sections of the IIS Configuration file.

 

Corruption can happen due to multiple reasons

  • By default IIS Machine Key is In  C:\documents and settings\all users\application data\microsoft\crypto\RSA\MachineKeys folder. If  there is any change like compression/permission change for this path we can see  issue
  • AV /encryption software scanning file
  • application like doubletake.exe touching machine key files on reboot
  • abrupt restart/shutdown when the MachineKeys files were accessed
  •  Metabase.xml is corrupt (due to reasons listed above)
  • permission alternation of the machine key folder

 

We have seen usually patch /windows update  has always been the victim of such issues.. We always suggest below practice   so that “patch does not become victim of any issue”

  1.             Before patching , reboot the server
  2.             Once the server is up, check if all required application is working as expected
  3.             Install patches
  4.             Reboot the server
  5.             check applications again

 

 

It is difficult for us to tell why the Machine Key file gets  corrupted without any data. Audtiing can help us  to provide more clues in case similar problem occurred again in future.

1 Enable auditing policy on the problematic IIS server:

  1. Click Start, click Run, type Gpedit.msc, and then click OK.
  2. Under Local Computer Policy, expand Computer Configuration, and then expand Windows Settings.
  3. Expand Security Settings, expand Local Policies, and then click Audit Policy.
  4. In the details pane, double-click Audit object access
  5. Click to select the Success check box, and then click to select the Failure check box.
  6. Click OK.

 

 

2 Enable auditing on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.

  1. Right click the folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys and choose "Properties".
  2. Switch to "Security" tab, and click "Advanced" button.
  3. Switch to "Auditing" tab, and click "Add".
  4. Enter "Everyone" and then choose "OK".
  5. Check following operations, then choose "OK".
  6. Traverse Folder/Execute File
  7. Create Files/Write Data
  8. Create Folders/Append Data
  9. Write Attributes
  10. Write Extended Attributes
  11. Delete Subfolders or files
  12. Delete
  13. Change Permissions
  14. Take Ownership
  15. Choose "OK" to confirm the change.

 

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2512936%22%20slang%3D%22en-US%22%3EIIS%20Admin%20Service%20unable%20to%20start%20-%20How%20and%20Why%20it%20can%20happen%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2512936%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20often%20come%20across%20issue%20where%20IIS%20admin%20service%20fails%20to%20start%20with%20multiple%20error%20codes%20and%20often%20error%20codes%20points%20to%20machine%20key%20corruption..%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3Bsharing%20one%20scenario%20below%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20IIS%20Admin%20Service%20terminated%20with%20%E2%80%9CKey%20not%20valid%20for%20use%20in%20specified%20state%20%E2%80%9C%20which%20clearly%20means%20NTE_BAD_KEY_STATE.%20The%20machine%20key%20starting%20with%20c2319%20for%20IIS%20admin%20service%20is%20corrupted%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20it%20works%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E--The%20IIS%20Admin%20Service%20attempts%20to%20load%20the%20IIS%20metabase%2C%20metabase.xml%20into%20memory%20upon%20startup.%3C%2FP%3E%0A%3CP%3E--To%20do%20this%2C%20it%20has%20to%20be%20able%20to%20decrypt%20certain%20parts%20of%20the%20metabase%2C%20using%20a%20specific%20RSA%20machine%20key.%20if%20for%20some%20reason%26nbsp%3B%20its%20unable%20to%20decrypt%26nbsp%3B%26nbsp%3B%20service%20cannot%20start%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E--The%20root%20cause%20is%20that%20the%20IISAdmin%20service%20cannot%20read%20the%20encrypted%20sections%20of%20the%20IIS%20Configuration%20file.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECorruption%20can%20happen%20due%20to%20multiple%20reasons%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBy%20default%20IIS%20Machine%20Key%20is%20In%20%26nbsp%3BC%3A%5Cdocuments%20and%20settings%5Call%20users%5Capplication%20data%5Cmicrosoft%5Ccrypto%5CRSA%5CMachineKeys%20folder.%20If%20%26nbsp%3Bthere%20is%20any%20change%20like%20compression%2Fpermission%20change%20for%20this%20path%20we%20can%20see%26nbsp%3B%20issue%3C%2FLI%3E%0A%3CLI%3EAV%20%2Fencryption%20software%20scanning%20file%3C%2FLI%3E%0A%3CLI%3Eapplication%20like%20doubletake.exe%20touching%20machine%20key%20files%20on%20reboot%3C%2FLI%3E%0A%3CLI%3Eabrupt%20restart%2Fshutdown%20when%20the%20MachineKeys%20files%20were%20accessed%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3BMetabase.xml%20is%20corrupt%20(due%20to%20reasons%20listed%20above)%3C%2FLI%3E%0A%3CLI%3Epermission%20alternation%20of%20the%20machine%20key%20folder%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20seen%20usually%20patch%20%2Fwindows%20update%26nbsp%3B%20has%20always%20been%20the%20victim%20of%20such%20issues..%20We%20always%20suggest%20below%20practice%26nbsp%3B%26nbsp%3B%20so%20that%20%E2%80%9Cpatch%20does%20not%20become%20victim%20of%20any%20issue%E2%80%9D%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Before%20patching%20%2C%20reboot%20the%20server%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Once%20the%20server%20is%20up%2C%20check%20if%20all%20required%20application%20is%20working%20as%20expected%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Install%20patches%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Reboot%20the%20server%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20check%20applications%20again%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20is%20difficult%20for%20us%20to%20tell%20why%20the%20Machine%20Key%20file%20gets%20%26nbsp%3Bcorrupted%20without%20any%20data.%20Audtiing%20can%20help%20us%20%26nbsp%3Bto%20provide%20more%20clues%20in%20case%20similar%20problem%20occurred%20again%20in%20future.%3C%2FP%3E%0A%3CP%3E1%20Enable%20auditing%20policy%20on%20the%20problematic%20IIS%20server%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EClick%20Start%2C%20click%20Run%2C%20type%20Gpedit.msc%2C%20and%20then%20click%20OK.%3C%2FLI%3E%0A%3CLI%3EUnder%20Local%20Computer%20Policy%2C%20expand%20Computer%20Configuration%2C%20and%20then%20expand%20Windows%20Settings.%3C%2FLI%3E%0A%3CLI%3EExpand%20Security%20Settings%2C%20expand%20Local%20Policies%2C%20and%20then%20click%20Audit%20Policy.%3C%2FLI%3E%0A%3CLI%3EIn%20the%20details%20pane%2C%20double-click%20Audit%20object%20access%3C%2FLI%3E%0A%3CLI%3EClick%20to%20select%20the%20Success%20check%20box%2C%20and%20then%20click%20to%20select%20the%20Failure%20check%20box.%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2%20Enable%20auditing%20on%20the%20C%3A%5CDocuments%20and%20Settings%5CAll%20Users%5CApplication%20Data%5CMicrosoft%5CCrypto%5CRSA%5CMachineKeys%20folder.%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ERight%20click%20the%20folder%20C%3A%5CDocuments%20and%20Settings%5CAll%20Users%5CApplication%20Data%5CMicrosoft%5CCrypto%5CRSA%5CMachineKeys%20and%20choose%20%22Properties%22.%3C%2FLI%3E%0A%3CLI%3ESwitch%20to%20%22Security%22%20tab%2C%20and%20click%20%22Advanced%22%20button.%3C%2FLI%3E%0A%3CLI%3ESwitch%20to%20%22Auditing%22%20tab%2C%20and%20click%20%22Add%22.%3C%2FLI%3E%0A%3CLI%3EEnter%20%22Everyone%22%20and%20then%20choose%20%22OK%22.%3C%2FLI%3E%0A%3CLI%3ECheck%20following%20operations%2C%20then%20choose%20%22OK%22.%3C%2FLI%3E%0A%3CLI%3ETraverse%20Folder%2FExecute%20File%3C%2FLI%3E%0A%3CLI%3ECreate%20Files%2FWrite%20Data%3C%2FLI%3E%0A%3CLI%3ECreate%20Folders%2FAppend%20Data%3C%2FLI%3E%0A%3CLI%3EWrite%20Attributes%3C%2FLI%3E%0A%3CLI%3EWrite%20Extended%20Attributes%3C%2FLI%3E%0A%3CLI%3EDelete%20Subfolders%20or%20files%3C%2FLI%3E%0A%3CLI%3EDelete%3C%2FLI%3E%0A%3CLI%3EChange%20Permissions%3C%2FLI%3E%0A%3CLI%3ETake%20Ownership%3C%2FLI%3E%0A%3CLI%3EChoose%20%22OK%22%20to%20confirm%20the%20change.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2512936%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20often%20come%20across%20issue%20where%20IIS%20admin%20service%20fails%20to%20start%20with%20multiple%20error%20codes%20and%20often%20error%20codes%20points%20to%20machine%20key%20corruption..%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Jul 02 2021 09:59 PM
Updated by: