
schannel error 36870 (extended 0x80090016)


CanSpam

Sep 4, 2007, 9:26:06 AM
Hello experts,
I am having the following problem on two of my freshly reinstalled servers Win2003 Standard SP1:

Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36870
Date: 9/3/2007
Time: 5:24:45 PM
User: N/A
Computer: GUIS1
Description:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

I have installed a corporate CA into Machine\Trusted Root, and a server SSL certificate that is signed by the CorpCA, into Machine\Personal. They both look valid in the MMC snap-in, not expired. I also tried to remove and reinstall them, to no avail. I also tried to give Full Access to the Administrator and the SYSTEM on All Users/Application Data/Microsoft/Crypto/RSA/MachineKeys.

I ran certutil and it only shows some problematic Microsoft/Verisign (expired) certs, not my corporate ones.
I cannot take the server online to renew them.

What is next in the troubleshooting chain?


jwgoe...@gmail.com

Sep 5, 2007, 11:06:24 AM
Try granting Everyone read access to the MachineKeys folder, in
addition to what you have already granted Administrators and System.

J Wolfgang Goerlich


Microsoft Article 278381, Default permissions for the MachineKeys
folders
http://support.microsoft.com/kb/278381

CanSpam

Sep 6, 2007, 3:34:55 AM
Hi Wolfgang, your advice is insecure.
I solved the problem by granting NETWORK SERVICE the same permissions on the MachineKeys folder as SYSTEM.
The Citrix XTE service runs under the NETWORK SERVICE account and it was not accepting SSL relayed connections. Now all is fine.


jwgoe...@gmail.com

Sep 6, 2007, 8:10:28 AM
Good to know that this can be solved by granting the lesser privilege,
thank you for the feedback.

J Wolfgang Goerlich
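
A read-only audit of the permissions discussed in this thread, added here as an example and not posted by either participant: it reports whether broad groups can read the key files under MachineKeys and whether the service account has its own read entry. The default folder path (Windows Server 2003 layout), the list of broad group SIDs and the parameter names are assumptions of the example.

```powershell
# Added example (not from the thread): report who may read the machine private keys.
param(
    # Folder named in the thread, Windows Server 2003 layout (assumption; adjust elsewhere).
    [string]$KeyDir = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'),
    # Account the SSL service runs as; NETWORK SERVICE in the thread.
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$read    = [System.Security.AccessControl.FileSystemRights]::ReadData
$toFiles = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
# Well-known SIDs of broad groups that should not reach private key files.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
$svcSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate($sidType).Value

function Get-AllowRead([string]$Path) {
    # Allow ACEs (explicit and inherited) that include read-data, identities as SIDs.
    # ACEs expressed only as generic rights are not decoded here.
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $read) }
}

# A folder ACE reaches key files only if it is inherited by files.
foreach ($ace in (Get-AllowRead $KeyDir)) {
    $sid = $ace.IdentityReference.Value
    if ($broad.ContainsKey($sid) -and ($ace.InheritanceFlags -band $toFiles)) {
        "WARN folder: $($broad[$sid]) has read access that is inherited by key files"
    }
}

# Per key file: flag broad readers, and note whether the service account has an ACE.
foreach ($file in (Get-ChildItem -Path $KeyDir -Force | Where-Object { -not $_.PSIsContainer })) {
    $sids = @(Get-AllowRead $file.FullName | ForEach-Object { $_.IdentityReference.Value })
    foreach ($sid in $sids) {
        if ($broad.ContainsKey($sid)) { "WARN $($file.Name): readable by $($broad[$sid])" }
    }
    if ($sids -contains $svcSid) { "OK   $($file.Name): $ServiceAccount has a read ACE" }
    else { "INFO $($file.Name): no direct read ACE for $ServiceAccount" }
}
```

Run it from an elevated prompt, since reading the ACLs of key files owned by other accounts needs administrative rights. Group membership is not resolved, so an INFO line means only that the account has no entry of its own on that file.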

