Event 36780 schannel in combination with sec event 5061
Hi,
I receive event 36780 schannel with error code 0x8009030d and state 1001 in the system log
At the same time event 5061 occurs:
SubjectUserSid
S-1-5-18
SubjectUserName
HP$
SubjectDomainName
FED
SubjectLogonId
0x3e7
ProviderName
Microsoft Software Key Storage Provider
AlgorithmName
%%2432
KeyName
3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
KeyType
%%2500
Operation
%%2480
ReturnCode
0x80090016
The first question is how to find or identify the certificate. I've tried certutil and findprivatekey but I don't know for sure which part of the KeyName in the eventlog is the thumbprint.
How can I solve the error? When looking at the computer certificate snap-in, I cannot find expired certificates or a problem in the auth chain.
Thanks...
June 13th, 2011 11:10am
Luxus Chris,
what is this impacting? And please post the actual event IDs and sources.
Also, have a look at this: http://support.microsoft.com/kb/841798
*alex
June 13th, 2011 11:15am
Hi ,
Please provide your domain setup, which includes the DC, certificate server version, and clients used; also paste the corresponding event IDs for further troubleshooting.
June 13th, 2011 10:02pm
Hi,
the actual event IDs and sources are:
Log Name: System
Source: Schannel
Date: 13.06.2011 16:54:07
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: Hp2607.FOEDERATION.de
Description:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36870</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
<EventRecordID>37718</EventRecordID>
<Correlation />
<Execution ProcessID="576" ThreadID="1632" />
<Channel>System</Channel>
<Computer>Hp2607.FOEDERATION.de</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">Server</Data>
<Data Name="ErrorCode">0x8009030d</Data>
<Data Name="ErrorStatus">10001</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 13.06.2011 16:54:07
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Hp2607.FOEDERATION.de
Description:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: HP2607$
Account Domain: FOEDERATION
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not available.
Key Name: 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
<EventRecordID>694769</EventRecordID>
<Correlation />
<Execution ProcessID="576" ThreadID="696" />
<Channel>Security</Channel>
<Computer>Hp2607.FOEDERATION.de</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">HP2607$</Data>
<Data Name="SubjectDomainName">FOEDERATION</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">%%2432</Data>
<Data Name="KeyName">3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>
The domain (and forest) functional level is set to 2003R2. The domain consists of 2 DCs, one 2003R2 (which provides the enterprise PKI) and a 2008R2 DC (with the events posted). The events only occur on the 2008R2 server.
TTBOMK, there are no further events that are related to the current problem. As a result, WSUS (which uses SSL) does not work anymore. By deleting the HTTPS binding in IIS and reassigning the certificate, and finally restarting all related services, I was able to fix that problem, but after I restarted the server, all problems reoccurred.
I've used FindPrivateKey and certutil to locate the corresponding certificate, but to no effect. I don't know if the KeyName 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b relates to a real certificate and, if so, how to find the thumbprint of the cert in that string.
Thanks a lot.
KR
Chris
June 14th, 2011 4:54am
Hi,
I've been able to locate the cert string (KeyName in the event log) in C:\Users\MyUser\AppData\Roaming\Microsoft\Crypto\SID...
But, unfortunately, I couldn't locate the corresponding cert in the user cert MMC snap-in. Any idea how I can find that certificate?
Thanks a lot.
KR
Chris
June 14th, 2011 11:45am
Hi,
I just wanted to announce good news: I have resolved the error. For documentation reasons I will record the necessary steps:
1. Make sure the ACL of the Crypto folder complies with the MS recommendation, inherit all settings to subfolders and files, and replace the ACLs of the sub-containers.
2. The KeyName XML node of the event log message can be used to identify the file in the user's Crypto folder.
3. Via certutil -store my you can identify the certificate that matches the KeyName; then you can use the certificate MMC (or the shell) to check the corresponding cert.
4. In my case I could not find any error such as expiration or an invalid chain, etc. However, I decided to renew with a new key and rebooted the server, and the error disappeared.
Why that specific error suddenly appeared or whether there was a problem with that cert, I actually don't know.
KR
Chris
June 20th, 2011 8:10am
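The steps above, scripted as an added example that is not part of the thread and not Chris's own procedure. The point it makes explicit: the 5061 KeyName is not a thumbprint and contains no part of one; it is the file name of the private key container, so the way to find the certificate is to compare that string against the unique key container name of every certificate's private key (the same value certutil -store my prints as the unique container name). The script correlates Schannel 36870 with the Security 5061 audit failures that share its timestamp, decodes the two return codes the thread shows (0x8009030d is SEC_E_UNKNOWN_CREDENTIALS, 0x80090016 is NTE_BAD_KEYSET, i.e. the key container does not exist or is not accessible to the calling principal), maps the KeyName to a certificate in the machine MY store, warns when the key is a user key (%%2500 renders as "User key" in the 5061 text above) being opened by SYSTEM, and dumps the ACL of the key file wherever it sits under %ProgramData%\Microsoft\Crypto or a user profile, which is the check step 1 relies on. It assumes it is run elevated on the affected server; the CNG branch of Get-PrivateKeyFileName needs .NET 4.6 or later, and the 2-second correlation window, the store path and the lookback period are parameters I chose, not values from the thread.

```powershell
# Added example, not code from the thread. Correlate Schannel 36870 with Security 5061,
# decode the return codes, map the 5061 KeyName to a certificate, and show the key file ACL.
# Assumptions: run elevated on the affected server (PowerShell 2.0+ on 2008 R2);
# the CNG branch needs .NET 4.6+ (RSACertificateExtensions).
param(
    [string]$Store = 'Cert:\LocalMachine\My',   # assumed store; IIS/WSUS certs live here
    [int]$LookbackHours = 24                     # assumed window
)

# HRESULTs visible in the thread (values from the Windows SDK headers).
$codes = @{
    '0x8009030d' = 'SEC_E_UNKNOWN_CREDENTIALS: Schannel cannot use the server credential'
    '0x80090016' = 'NTE_BAD_KEYSET: key container missing or not accessible to this principal'
}

function Get-EventDataHashtable($record) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $xml = [xml]$record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-PrivateKeyFileName([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # CAPI (CSP) keys: the unique container name is the key file name under
    # %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (machine) or %APPDATA%\Microsoft\Crypto\RSA\<SID> (user).
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        return $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
    # CNG (KSP) keys: Key.UniqueName is the file name under ...\Microsoft\Crypto\Keys.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.UniqueName }
    } catch { }
    return $null
}

$since    = (Get-Date).AddHours(-$LookbackHours)
$schannel = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Schannel'; Id=36870; StartTime=$since } -ErrorAction SilentlyContinue)
$audits   = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5061; StartTime=$since } -ErrorAction SilentlyContinue |
              Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' })

# Directories where key files can live: machine keys under ProgramData, user keys under each profile.
$keyDirs = @(Join-Path $env:ProgramData 'Microsoft\Crypto')
$keyDirs += Get-ChildItem (Join-Path $env:SystemDrive 'Users') -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Crypto' }

foreach ($s in $schannel) {
    $sd = Get-EventDataHashtable $s
    "`n[36870] {0}  Type={1}  ErrorCode={2} ({3})  ErrorStatus={4}" -f $s.TimeCreated, $sd.Type, $sd.ErrorCode, $codes[$sd.ErrorCode], $sd.ErrorStatus
    # In the thread both events carry the same timestamp; a 2 s window tolerates clock granularity.
    foreach ($a in ($audits | Where-Object { [math]::Abs(($_.TimeCreated - $s.TimeCreated).TotalSeconds) -le 2 })) {
        $ad = Get-EventDataHashtable $a
        "  [5061] subject={0}\{1}  logon={2}  provider='{3}'  op={4}  rc={5} ({6})" -f $ad.SubjectDomainName, $ad.SubjectUserName, $ad.SubjectLogonId, $ad.ProviderName, $ad.Operation, $ad.ReturnCode, $codes[$ad.ReturnCode]
        "  KeyName={0}  KeyType={1}" -f $ad.KeyName, $ad.KeyType
        if ($ad.KeyType -eq '%%2500') {
            # %%2500 renders as "User key". A server credential opened by SYSTEM should be a machine key.
            "  WARNING: user key being opened by $($ad.SubjectUserSid); the key file is tied to a user profile"
        }
        # Map the KeyName to a certificate by comparing private key file names (not thumbprints).
        $hits = @(Get-ChildItem $Store | Where-Object { (Get-PrivateKeyFileName $_) -eq $ad.KeyName })
        if ($hits.Count -gt 0) {
            foreach ($c in $hits) { "  matches cert: thumbprint={0}  subject='{1}'  notAfter={2}" -f $c.Thumbprint, $c.Subject, $c.NotAfter }
        } else {
            "  no certificate in $Store has a private key file named $($ad.KeyName)"
        }
        # Locate the key file itself and show who can read it (step 1 of the fix is an ACL repair).
        foreach ($f in (Get-ChildItem $keyDirs -Recurse -Filter $ad.KeyName -ErrorAction SilentlyContinue)) {
            '  key file: ' + $f.FullName
            (Get-Acl $f.FullName).Access |
                ForEach-Object { '    {0,-40} {1,-25} {2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }
        }
    }
}
```

Run it as `.\Find-SchannelKey.ps1` from an elevated prompt; pass `-Store Cert:\CurrentUser\My` to search a user store instead. If no certificate matches but the key file is found under a user's AppData\Roaming\Microsoft\Crypto path, the server credential is backed by a key in a user profile, which a service running as SYSTEM cannot open after a reboot; that is the situation the ACL listing and the warning line are meant to surface, and renewing the certificate with a new machine key (step 4) is the corresponding fix.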