Hey all, here is the question of the day!

We have 2 webservers. We set up SSL encryption about 2 months ago but I was not here to test it out. The certificates seem to be installed okay. However, when you type https://localhost/test.aspx you get "Page can not be displayed". However, you take the "s" off and you get the page just fine.

I run SSLDiag and get this error, and it is the only error:

#WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed'.

I have been doing some research and someone suggested to try this to fix the problem. This is my production environment, so I need a reason why this is going to fix the problem and what this dependency allows what service to access what? Basically, when I make this change and it fixes it, why did this happen? Also if there is another fix with this problem, please advise!

-----------------------

To resolve this issue try following steps.

1. Set the correct permission for Machinekey folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Add administrator and system Full Control Permissions.
3. Restart IIS

HTH,
Thanks
Ganesh Anekar
Microsoft Developer Support
Internet Information Server

And then the response....

Just one hint. You should check the 'Replace permission entries on all child objects with entries shown here that apply to child objects' check box on the 'Advanced Security settings' dialog. If this check box wasn't selected while applying the new security permissions, the following errors will appear in the event log during first access of the SSLed site:

- in System log: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.
- in Security log there will be a lot of 'Failed Audit' events for SYSTEM account while accessing files inside MachineKeys folder.

Thanks,
Vlad

-----------------------

Here is an update on the troubleshooting efforts:

Some of the keys in the MachineKeys folder have an administrator ACL'ed on them.

-- When that user logs onto the physical webserver he is able to have SSL communications.
-- When that user logs onto another webserver or client workstation he is not able to have SSL communications.
-- I am an administrator on the box and when I log onto the physical webserver I do not have SSL communications on the box. The same happens on remote computers as well.

I have given the MachineKeys folder FULL CONTROL to Administrators and SYSTEM and these inherit down. Is this a private key issue?

Thanks,
Greg
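A read-only check for the condition discussed in this thread, as an added example that is not part of the original posts: it lists key files under the MachineKeys path quoted above whose ACL does not grant Full Control to SYSTEM and Administrators, and shows whether each such file blocks inherited permissions. The names `$MachineKeys` and `Test-KeyAcl` are illustrative, and the script assumes an elevated PowerShell prompt on the web server.

```powershell
# Added example: read-only audit of private-key file ACLs; it changes nothing.
param(
    # Path as quoted in the thread; adjust if your keys live elsewhere.
    [string]$MachineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

# Well-known SIDs, so the check does not depend on localized account names.
$required = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$sidType  = [System.Security.Principal.SecurityIdentifier]
$full     = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-KeyAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # The auditing account itself cannot read this ACL.
        return New-Object PSObject -Property @{
            File = $Path; Missing = 'ACL unreadable'; Owner = ''; InheritanceBlocked = ''
        }
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    $missing = @(foreach ($sid in $required.Keys) {
        $granted = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $full) -eq $full
        }
        if (-not $granted) { $required[$sid] }
    })
    if ($missing.Count -gt 0) {
        New-Object PSObject -Property @{
            File               = Split-Path $Path -Leaf
            Missing            = $missing -join ', '
            Owner              = $acl.Owner
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

$findings = @(Get-ChildItem -Path $MachineKeys -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-KeyAcl $_.FullName })

$findings | Select-Object File, Missing, Owner, InheritanceBlocked | Format-Table -AutoSize
"{0} key file(s) lack Full Control for SYSTEM and/or Administrators" -f $findings.Count
```

A file listed with `InheritanceBlocked` set to `True` will not pick up permissions set on the folder unless they are pushed down to child objects, which is the situation the check box hint in the thread addresses.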