17

Note: I've found several similar questions on here, but the ones that were resolved did not work for me. So I thought I'd open a new question.

I rebooted our Server 2012 box, which hosts our new .NET applications. After doing so, I started receiving a 503 error. Upon investigation, it seemed like an identity problem.

Before going much further, I should state that this account has worked for several months now. I've rebooted before, and everything started fine.

So I'm getting the (quite common) 5059, 5057, and 5021 errors in the log. They boil down to this:

The identity of application pool SVFileUpload is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

I thought I would just ensure the password and account were correct, so I go to the application pool, select Identity -> Custom and ensure it's set up right. I get an error:

There was an error while performing this operation. Details: Keyset does not exist (Exception from HRESULT: 0x80090016)

This was strange to me, so I tried setting the app pool to a built in account, and it worked fine. I get this error anytime I try to set to a custom account. Also, no app pools that are using custom accounts will run.

I googled a bit, unsure which error was the one I needed to track. I have tried:

  • registering the account on the command line via the aspnet_ tool
  • Making sure the user was in the IIS_IUSRS group
  • changing the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys file(s)
  • adding a completely new user and trying to set an app pool to that users account

There were a couple of other random things I tried from googling but I don't remember.

This error doesn't make sense to me, and it seems random. I need help figuring out 1) why I can't set an app pool to a custom account and 2) why the identity isn't working for my applications anymore.

-Edit
I recently removed and re-added the user account I've been working with. I think that solves that problem. The problem remaining is I can't update the application pool because of the "keyset does not exist" error.

loctrice

7 Answers

26

I ran the iisreset command and my problem was solved.

skovy
  • 1
    This solved the issue for me and saved me from deleting files and registry keys as being recommended in other quoted solutions. Try this first! – Jeremy F May 04 '20 at 16:06
  • 1
    Try this first! I recommend this before you delete files. It might work for you too. It was an easy fix for me but make sure you run as administrator. – Blake Aug 28 '20 at 12:15
  • Worked for me on a fresh install of Windows 11. – user2444499 Aug 15 '22 at 02:08
  • Worked on a fresh Windows Server 2022 installation too. – phifi Jul 05 '23 at 06:46
21

I found a couple of links that led me to a solution.

In c:\windows\system32\inetsrv\config\applicationHost.config I removed all the configProtectedData entries.

Then I removed everything in %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

I ran iissetup.exe /install SharedLibraries from the inetsrv directory, which resulted in a "Failed = 0x80070005"

I then was able to set up my application pools as if nothing happened.

See also https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Keyset-does-not-exist-exception-from-HRESULT-0x8009000D-or-or/ba-p/342955 for a more detailed explanation

Florian Winter
loctrice
  • I was skeptical at first about the steps, but this literally worked for me after completing all steps. – Min Oct 03 '15 at 06:06
  • 1
    Unfortunately, this didn't work for me. However my scenario is a bit different. I also have Windows 2012, but in my case I had gone from a workgroup to join a domain. However, I got the same result as you with the 0x80090016 error. After following the instructions above (and restarting www service just for good measure) I get a different error when trying to apply the app pool settings... **Value does not fall within the expected range.** – ebol2000 Jan 29 '16 at 16:58
  • 3
    So I had the same issue as you ebol2000. I had this "Value does not fall within the expected range." each time I tried to apply the app pool settings. After all the trial and error, I have found if you set your custom account and accept until you get the error, I went back to the custom account, clicked 'Set' then canceled that as to not overwrite the credentials. I then clicked 'OK' then 'OK' again and it seemed to work. I did this 4 other times and it resolved each time. (Side note, I even matched the Capitalization of my username, if that helps) – Dean Marsden Oct 07 '16 at 09:48
  • After I followed the steps here I started to receive another error..."Value does not fall within the expected range" There is a post here in Stack Overflow: http://stackoverflow.com/questions/30088486/iis-8-custom-app-pool-id-value-does-not-fall-within-the-expected-range Following this afterwards helps resolve the issue. Server is Windows 2012 R2. – Vin Apr 10 '17 at 19:47
  • @Dean Marsden - wow! I followed your treat and it worked!!!!! This is so strange! You should post it as an answer. I just wasted 3 hours until I read your comment! – Yini May 21 '19 at 06:16
  • This advice sounds dangerous without an explanation WHY this works, what the error actually means, what machine keys are and what the suggested command does, at least by a link to official documentation. – Florian Winter May 27 '19 at 12:15
  • I added a link to an article written by Microsoft, so please disregard my previous comment. – Florian Winter May 27 '19 at 13:04
  • Just FYI that link was feb of 2019 and this question was a few years prior. – loctrice May 28 '19 at 18:34
  • @Yini I am glad that it worked. But as Florian Winter suggested, it is not the best practice to solve the issue haha. If you are in a hurry, it will certainly help :D – Dean Marsden May 30 '19 at 11:42
4

I had the same error message because my user was not a member of the "Local Administrators" group.

I was able to connect to the server because I was a member of the "Remote Desktop Users" group.

I was able to open IIS Management and to change settings, but when I clicked on the "OK" or "Save" button, I got the "Keyset does not exist" error message.

So my advice - check if you are an administrator.

Markus1980Wien
  • I had a similar experience. When I try to do an automated deploy (VSTS Release), I get the error above. In that case, the command is executed by a local service on the box which is tied to an admin account. When I RDP into the box and run the AppCmd.exe myself, I also get that same error. But when I open a command prompt in **administrative** mode, it works fine. So it does seem to be security related, but something more than just being an administrator. – Wayne S. Jun 01 '18 at 21:25
  • I'm experiencing the same with VSTS Release. I gave everyone full control to MachineKeys just to see if that would make a difference. My Bad just reset permissions on the MachineKeys Folder to Everyone and it's working. – Zac Dec 10 '18 at 13:40
  • I solved this by including a new group to my user that I was logged into Windows Server 2012. My default user was Administrator. So I went to computer management -> Local Users and Groups -> User. Selected Administrator -> properties -> member of and included IIS_IUSRS group. – Jorge Mauricio May 08 '21 at 02:34
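
A read-only check that can be run before deleting anything under MachineKeys, tying together the key-container and elevation points raised in the answers above. This is an added example, not code from any answer on this page. It assumes the key container names are the `keyContainerName` attributes in `applicationHost.config` and that providers whose name contains "Cng" use CNG storage and should be skipped.

```powershell
# Added example: read-only check; it deletes and changes nothing.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$keyDir     = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Is this session elevated? (Commenters saw the error from non-elevated sessions.)
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
'Running as {0}; elevated: {1}' -f $identity.Name, $elevated

# 2. Which RSA key containers do the configProtectedData providers name?
#    Assumption: providers whose name contains "Cng" use CNG storage and are skipped.
[xml]$config = Get-Content -LiteralPath $configPath -Raw
$names = $config.SelectNodes('//configProtectedData/providers/add[@keyContainerName]') |
    Where-Object { $_.GetAttribute('name') -notmatch 'Cng' } |
    ForEach-Object { $_.GetAttribute('keyContainerName') } |
    Sort-Object -Unique

# 3. Try to open each container without creating it, then report the key file's ACL.
foreach ($name in $names) {
    $csp = New-Object Security.Cryptography.CspParameters
    $csp.KeyContainerName = $name
    # UseExistingKey makes a missing or unreadable container fail instead of being created.
    $csp.Flags = [Security.Cryptography.CspProviderFlags]'UseMachineKeyStore, UseExistingKey'
    try {
        $rsa = New-Object Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp -ErrorAction Stop
        $rsa.PersistKeyInCsp = $true   # never remove the container when the object is released
        $file = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $rsa.Clear()
        $acl = (Get-Acl -LiteralPath $file).Access |
            ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
        [pscustomobject]@{ Container = $name; Opened = $true; File = $file; Access = $acl -join '; ' }
    } catch {
        # "Keyset does not exist" here means the container is missing or this token cannot read it.
        [pscustomobject]@{ Container = $name; Opened = $false; File = $null; Access = $_.Exception.Message }
    }
}
```

If a container opens from an elevated session but not from a normal one, the problem is access rather than a missing key, and the `Access` column shows which identities the key file currently grants rights to.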
1

I tried to change the Identity of Application Pool on a remote server and it failed with the above error. I RDP into the remote machine and then tried to update the Identity using local IIS Manager and it worked.

Sundeep
1

For anyone on Windows Server 2008 stumbling into this error: this may occur when you are managing the IIS instance from another server using the remote management feature ('connect to another computer').

I resolved by managing the IIS instance from the server itself. https://support.microsoft.com/en-hk/help/977754/-keyset-does-not-exist-error-message-when-you-try-to-change-the-identi

rinkeb
0

Since I am working on a fresh server I was able to uninstall the IIS Windows Feature and then re-add it.

I was able to change the App Pool Identity after that with no issues.

Dave
-1

Delete the RSA found here: C:\Users\usernamn\AppData\Roaming\Microsoft\Crypto\RSA. MAKE A BACKUP JUST TO BE SURE. WORKED FOR ME.

bob
  • 5
    Could you please elaborate on your answer, adding a little more description about the solution you provide? – abarisone Jun 18 '15 at 06:08