MBAM 2.5 InvalidKeyID Fault

Hello,

I have implemented MBAM 2.5 on my customer's site and am currently in the testing phase. I am getting an error when trying to recover a Recovery Key from the Recovery Key ID.

I have a 3-server topology with SCCM integrated features, a database server and an Administration and Monitoring Server.

2 clients are encrypted and I can see the data in the RecoveryAndHardwareCore.Keys table in the MBAM Recovery and Hardware Database.

When using the MBAM Self Service website I attempt to put in my recovery ID and state the reason for the Recovery Key request (lost PIN etc.).

The recovery takes about 1 minute before returning the message "Invalid Key ID".

I have tested the recovery key by typing the Recovery Key directly from the SQL table into the recovery screen, which worked successfully and allowed me to boot.

So my issue is getting the recovery key from the self service screen.

I have done a bit of research and found the following data in the log C:\Inetpub\Microsoft BitLocker Management Solution\Logs\Self Service website\Trace2014-07-29_10-59-54.svclog, where I receive the following error

Please can anyone help with why I am getting the recovery key error and why I am getting "Failed to recover key, InvalidKeyId"?

Thanks

July 29th, 2014 10:39am

Can you tell us more about your environment?  Are you using a custom host name for your web server?  If so, are you using an A record instead of a cname?  Did you set up constrained delegation on the app pool credentials pointed at the http/<your custom hostname> SPN?
August 4th, 2014 4:29pm

Hey Lancecr - I'm having the same issue (installed without a certificate until we get that resolved).

No custom host name for the web server. Delegation has been set up on the app pool credentials.

Also, I checked the security logs on the SQL server, and I can see the service account for the app pool logging in successfully at the same time the error is generated. A few steps before the error occurs, I also see this error:

   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)

I also see several IIS-Configuration warnings for

Unable to find schema for config section system.serviceModel/bindings (or /client, /behaviors, etc) This section will be ignored.

There is also an error in the IIS-Configuration log (Event ID 10, user is the app pool account) - An error has occurred: Unrecognized element 'providerOption'

This is all I've been able to come up with so far, but I figured I would send it off and see if you had any thoughts or other places I could look.

Thanks!

August 12th, 2014 7:44pm

I was just working internally with someone on a similar issue.  They hadn't logged into the client machine with the same account they were logged into the SSP with.  Once they logged into the client machine and had the MBAM agent wake up, they were able to successfully retrieve the key.  The SSP ties a key to users on the machine that uses that key.  Give that a try.

On the cert issue, a workaround would be to install without the cert and then go into IIS and select the cert.  In the web.configs, make sure all of the appropriate URLs for your server are using HTTPS instead of HTTP.

August 12th, 2014 8:44pm

Thanks. I thought I had logged into that machine with the same account, but I must not have. It works fine now after I tried on a machine that I verified had been logged in with the account being used for SSP.

August 19th, 2014 5:47pm

Hi Team,

I am also facing the same issue in my environment: whenever a client requests a key, it shows the error message "Invalid Key".

And if we try with the Helpdesk portal we are able to get the key without issue. Both portals are on the same IIS server with the same SQL.

September 25th, 2014 5:02am

Hi

I am also facing the same issue. Key recovery works fine on the HelpDesk Portal but not on the SSP, which throws an "Invalid Key ID" error.

The user is accessing the SSP with the same credentials that they are logged on to their laptops with, where the removable drive was encrypted.

I have my GPO configured only for removable drive encryption (BitLocker To Go) and we are using MBAM 2.5 for key recovery.

Is there a fix for this issue?

Thanks for your help

September 30th, 2014 9:06am

Hi,

Please answer this query; we are still waiting for a reply...

January 20th, 2015 9:49am

Hi,

Please make sure that you have at least one Server 2008 DC in your environment.  If you are running 2003 DCs only, one of the calls MBAM makes fails.  The functional level can remain 2003, however.

Lance


January 20th, 2015 2:01pm

Just encountering this at a customer site now.

What call? And why does it fail? And why is a 2008 Domain Controller not in the MBAM requirements?

March 26th, 2015 4:32pm

Hi,

We do have this listed under client requirements here - https://technet.microsoft.com/en-us/library/dn645378.aspx.  Please note that this error can also be caused by having an underscore in the alias of your domain name.  We have changed the call in a future release so having a 2008 DC will not be a requirement.  We have also fixed the underscore in the domain name issue in that same release.  We have not announced any release dates however.

March 27th, 2015 12:32pm

Hi,

We have upgraded the DC but it is still showing the same error: `<label class="warning" id="recoveryError">Invalid Key ID</label>`

MBAM was launched 8 months back and the SSP is still not working. We were waiting for the DC upgrade; now that is complete, but the old problem remains.

Your help would be greatly appreciated.


April 7th, 2015 11:01am

I'm having the exact same issue.... there is another thread regarding this and it has not been resolved.

I can confirm that the user logged into the laptop is running the Self Service portal as himself. Same issue...

Please fix or have a knowledgeable MS rep respond. This product has been out for more than a year now...

April 14th, 2015 4:28am

Hi Raymond, have you looked at the two answers in this thread?  One or the other should address your issue. If neither address your issue, please post your MBAM server trace logs from your inetpub folder, or reach out to CSS for support.
April 14th, 2015 3:36pm

Raymond, I saw you on my other thread on this issue - I opened a case with Microsoft and they confirmed the underscore scenario: when the domain name (pre-Windows 2000) has an underscore in the name, the Self Service Portal breaks. This is true for MBAM 2.0, 2.0 SP1 and 2.5. Why it is not officially documented anywhere is my concern. I've billed two clients now multiple hours of consulting trying everything under the sun to fix it, and they told me on the phone today that this is the root of the cause. For now, they say, use the HelpDesk portal.. because that's what we all need - users in the HelpDesk portal.

April 24th, 2015 7:19pm
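The two causes raised in this thread (no Windows Server 2008 or later domain controller, and an underscore in the pre-Windows 2000 domain name) plus the constrained-delegation question from the first reply can all be checked from a domain-joined machine before opening a support case. The script below is an added example written for this page; it is not Microsoft's or any poster's code. It assumes the ActiveDirectory RSAT module is installed, and `$AppPoolAccount` and `$SspHostName` are placeholders you replace with your own SSP app pool identity and the host name users browse to.

```powershell
# Added example: pre-flight checks for the MBAM 2.5 SSP "Invalid Key ID" causes
# discussed in this thread. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$AppPoolAccount = 'CONTOSO\svc_mbam_web'   # placeholder: SSP application pool identity
$SspHostName    = 'mbam.contoso.com'        # placeholder: host name users browse to

$domain = Get-ADDomain

# 1. An underscore in the pre-Windows 2000 (NetBIOS) domain name breaks the SSP
#    (confirmed by Microsoft support in the post above).
if ($domain.NetBIOSName -match '_') {
    Write-Warning "NetBIOS domain name '$($domain.NetBIOSName)' contains an underscore; SSP key recovery will fail."
} else {
    Write-Output "OK: NetBIOS domain name '$($domain.NetBIOSName)' has no underscore."
}

# 2. At least one domain controller must run Windows Server 2008 or later;
#    the functional level may stay at 2003.
$dcs    = Get-ADDomainController -Filter *
$modern = @($dcs | Where-Object { $_.OperatingSystem -notmatch '2003' })
if ($modern.Count -eq 0) {
    Write-Warning "No Server 2008 or later domain controller found; one of the MBAM calls will fail."
} else {
    Write-Output "OK: $($modern.Count) DC(s) newer than 2003: $(($modern | ForEach-Object HostName) -join ', ')"
}

# 3. Constrained delegation: the app pool account should be allowed to delegate
#    to the http/<SSP host name> SPN, as asked in the first reply.
$samAccount = $AppPoolAccount.Split('\')[-1]
$svc = Get-ADUser -Identity $samAccount -Properties 'msDS-AllowedToDelegateTo'
$target = "http/$SspHostName"
$allowed = @($svc.'msDS-AllowedToDelegateTo')
if ($allowed -contains $target) {
    Write-Output "OK: $AppPoolAccount is trusted to delegate to $target."
} else {
    Write-Warning "$AppPoolAccount is not trusted to delegate to $target. Current targets: $($allowed -join ', ')"
}
```

Run it as a user who can read domain objects; every check only reads directory attributes, so nothing is changed. A warning on check 1 means the underscore workaround (use the HelpDesk portal, per the Microsoft reply) applies regardless of the other two results.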

Hi,

I have checked and there is no underscore in my domain.

There is still no proper root cause for this; please help me out with this issue, I would be very thankful.

June 22nd, 2015 3:11am
