Event 36780 schannel in combination with sec event 5061
Hi, I receive event 36780 schannel with error code 0x8009030d and state 1001 in the system log. At the same time event 5061 occurs:

SubjectUserSid S-1-5-18
SubjectUserName HP$
SubjectDomainName FED
SubjectLogonId 0x3e7
ProviderName Microsoft Software Key Storage Provider
AlgorithmName %%2432
KeyName 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
KeyType %%2500
Operation %%2480
ReturnCode 0x80090016

The first question is how to find or identify the certificate. I've tried certutil and findprivatekey but I don't know for sure which part of the KeyName in the eventlog is the thumbprint. How can I solve the error? When looking at the computer certificate snap-in, I cannot find expired certificates or problems in the auth chain. Thanks...
June 13th, 2011 11:10am

Luxus Chris, what is this impacting? And please post the actual event IDs and Sources. Also, have a look at this: http://support.microsoft.com/kb/841798 *alex
June 13th, 2011 11:15am

Hi, please provide your domain setup, which includes the DC, Certificate server version and clients used. Also paste the corresponding event IDs for further troubleshooting.
June 13th, 2011 10:02pm

Hi, the actual event IDs and sources are:

Protokollname: System
Quelle: Schannel
Datum: 13.06.2011 16:54:07
Ereignis-ID: 36870
Aufgabenkategorie: Keine
Ebene: Fehler
Schlüsselwörter:
Benutzer: SYSTEM
Computer: Hp2607.FOEDERATION.de
Beschreibung: Schwerwiegender Fehler beim Zugriff auf den privaten Schlüssel der Anmeldeinformationen Server für SSL. Der vom kryptografischen Modul zurückgegebene Fehlercode lautet 0x8009030d. Der interne Fehlerstatus ist 10001.
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36870</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
    <EventRecordID>37718</EventRecordID>
    <Correlation />
    <Execution ProcessID="576" ThreadID="1632" />
    <Channel>System</Channel>
    <Computer>Hp2607.FOEDERATION.de</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Type">Server</Data>
    <Data Name="ErrorCode">0x8009030d</Data>
    <Data Name="ErrorStatus">10001</Data>
  </EventData>
</Event>

Protokollname: Security
Quelle: Microsoft-Windows-Security-Auditing
Datum: 13.06.2011 16:54:07
Ereignis-ID: 5061
Aufgabenkategorie: Systemintegrität
Ebene: Informationen
Schlüsselwörter: Überwachung gescheitert
Benutzer: Nicht zutreffend
Computer: Hp2607.FOEDERATION.de
Beschreibung: Kryptografievorgang.
Antragsteller:
  Sicherheits-ID: SYSTEM
  Kontoname: HP2607$
  Kontodomäne: FOEDERATION
  Anmelde-ID: 0x3e7
Kryptografische Parameter:
  Anbietername: Microsoft Software Key Storage Provider
  Algorithmusname: Nicht verfügbar.
  Schlüsselname: 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
  Schlüsseltyp: Benutzerschlüssel.
Kryptografischer Vorgang:
  Vorgang: Schlüssel öffnen.
  Rückgabecode: 0x80090016
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
    <EventRecordID>694769</EventRecordID>
    <Correlation />
    <Execution ProcessID="576" ThreadID="696" />
    <Channel>Security</Channel>
    <Computer>Hp2607.FOEDERATION.de</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">HP2607$</Data>
    <Data Name="SubjectDomainName">FOEDERATION</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">%%2432</Data>
    <Data Name="KeyName">3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b</Data>
    <Data Name="KeyType">%%2500</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x80090016</Data>
  </EventData>
</Event>

The domain (and forest) functional level is set to 2003R2. The domain consists of 2 DCs, one 2003R2 (which provides the enterprise PKI) and a 2008R2 DC (with the events posted). The events only occur on the 2008R2 Server. TTBOMK, there are no further events that are related to the current problem. As a result, WSUS (which uses SSL) does not work anymore. By deleting the HTTPS Binding in the IIS and reassigning the certificate, and finally restarting all related services, I was able to fix that problem but after I restarted the Server, all problems reoccur. I've used FindPrivateKey and certutil to locate the corresponding certificate but to no effect. I don't know if the keyName 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b relates to a real certificate and if so how to find the thumbprint of the cert. in that string. Thanks a lot. KR Chris
June 14th, 2011 4:54am

Hi, the actual event IDs and sources are:

Protokollname: System
Quelle: Schannel
Datum: 13.06.2011 16:54:07
Ereignis-ID: 36870
Aufgabenkategorie: Keine
Ebene: Fehler
Schlüsselwörter:
Benutzer: SYSTEM
Computer: Hp2607.FOEDERATION.de
Beschreibung: Schwerwiegender Fehler beim Zugriff auf den privaten Schlüssel der Anmeldeinformationen Server für SSL. Der vom kryptografischen Modul zurückgegebene Fehlercode lautet 0x8009030d. Der interne Fehlerstatus ist 10001.
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36870</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
    <EventRecordID>37718</EventRecordID>
    <Correlation />
    <Execution ProcessID="576" ThreadID="1632" />
    <Channel>System</Channel>
    <Computer>Hp2607.FOEDERATION.de</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Type">Server</Data>
    <Data Name="ErrorCode">0x8009030d</Data>
    <Data Name="ErrorStatus">10001</Data>
  </EventData>
</Event>

Protokollname: Security
Quelle: Microsoft-Windows-Security-Auditing
Datum: 13.06.2011 16:54:07
Ereignis-ID: 5061
Aufgabenkategorie: Systemintegrität
Ebene: Informationen
Schlüsselwörter: Überwachung gescheitert
Benutzer: Nicht zutreffend
Computer: Hp2607.FOEDERATION.de
Beschreibung: Kryptografievorgang.
Antragsteller:
  Sicherheits-ID: SYSTEM
  Kontoname: HP2607$
  Kontodomäne: FOEDERATION
  Anmelde-ID: 0x3e7
Kryptografische Parameter:
  Anbietername: Microsoft Software Key Storage Provider
  Algorithmusname: Nicht verfügbar.
  Schlüsselname: 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
  Schlüsseltyp: Benutzerschlüssel.
Kryptografischer Vorgang:
  Vorgang: Schlüssel öffnen.
  Rückgabecode: 0x80090016
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-13T14:54:07.663750700Z" />
    <EventRecordID>694769</EventRecordID>
    <Correlation />
    <Execution ProcessID="576" ThreadID="696" />
    <Channel>Security</Channel>
    <Computer>Hp2607.FOEDERATION.de</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">HP2607$</Data>
    <Data Name="SubjectDomainName">FOEDERATION</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">%%2432</Data>
    <Data Name="KeyName">3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b</Data>
    <Data Name="KeyType">%%2500</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x80090016</Data>
  </EventData>
</Event>

The domain (and forest) functional level is set to 2003R2. The domain consists of 2 DCs, one 2003R2 (which provides the enterprise PKI) and a 2008R2 DC (with the events posted). The events only occur on the 2008R2 Server. TTBOMK, there are no further events that are related to the current problem. As a result, WSUS (which uses SSL) does not work anymore. By deleting the HTTPS Binding in the IIS and reassigning the certificate, and finally restarting all related services, I was able to fix that problem but after I restarted the Server, all problems reoccur. I've been able to locate the cert String (keyName in Eventlog) in C:\Users\MyUser\AppData\Roaming\Microsoft\Crypto\SID... But, unfortunately, I couldn't locate the corresponding cert in the user cert mmc snap-in. Any idea how I can find that certificate? Thanks a lot. KR Chris
June 14th, 2011 11:45am

Hi, I just wanted to announce good news, I have resolved the error. For documentation reasons I will record the necessary steps:

1. Make sure the ACL of the Crypto folder complies with the MS recommendation, inherit all settings to subfolders and files, replace ACLs of the sub containers.
2. The event log message XML node KeyName of the certificate can be used to identify the file in the user's crypto folder.
3. Via certutil -store my you can identify the certificate that matches the KeyName, then you can use the certificate MMC (or via the shell) to check the corresponding cert.
4. In my case I could not find any error such as expiration or invalid chain etc... However, I decided to renew with a new key and rebooted the server and the error disappeared.

Why that specific error suddenly appeared or whether there was a problem with that cert, I actually don't know. KR Chris
June 20th, 2011 8:10am
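
Steps 2 and 3 of the resolution above, as an added PowerShell example that is not part of the original thread: the KeyName in event 5061 is the key container's file name rather than a certificate thumbprint, so the match goes through the container name that certutil prints for each certificate. The function names are hypothetical, the store dump and its hashes are constructed samples, and the code assumes certutil starts each certificate with a "=====" banner line and prints the hash on a line containing "(sha1):".

```powershell
# Constructed sample: EventData of a 5061 audit event, KeyName as posted in the thread.
$eventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="KeyName">3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b</Data>
    <Data Name="ReturnCode">0x80090016</Data>
  </EventData>
</Event>
'@

# Constructed, abbreviated sample of "certutil -store my" output (placeholder hashes).
$storeDump = @'
================ Certificate 0 ================
Subject: CN=other.example.invalid
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
  Unique container name: ffffffffffffffffffffffffffffffff_2d22bfa6-e016-401c-82d5-36610317430b
================ Certificate 1 ================
Subject: CN=wsus.example.invalid
Cert Hash(sha1): de ad be ef 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
  Unique container name: 3b23acc6f713794234b970f66ff4a5a5_2d22bfa6-e016-401c-82d5-36610317430b
'@

function Get-KeyNameFromEvent([string]$Xml) {
    # Pull the KeyName <Data> node out of the event XML.
    $node = ([xml]$Xml).Event.EventData.Data | Where-Object { $_.Name -eq 'KeyName' }
    if (-not $node) { throw 'Event has no KeyName field' }
    $node.'#text'
}

function Find-CertByKeyName([string]$StoreText, [string]$KeyName) {
    # One block per certificate; keep the block that mentions the container name.
    foreach ($block in ($StoreText -split '(?m)^=+.*=+\s*$')) {
        if ($block -notmatch [regex]::Escape($KeyName)) { continue }
        # Hash bytes may be printed space-separated or contiguous.
        $m = [regex]::Match($block, '\(sha1\):\s*((?:[0-9a-fA-F]{2} ?){20})')
        if ($m.Success) { ($m.Groups[1].Value -replace ' ', '').ToUpper() }
    }
}

$keyName = Get-KeyNameFromEvent $eventXml
$thumb   = Find-CertByKeyName $storeDump $keyName
"KeyName    : $keyName"
"Thumbprint : $thumb"

# On the affected server, from an elevated prompt, use live data instead:
#   $eventXml  = (Get-WinEvent -FilterHashtable @{LogName='Security';Id=5061} -MaxEvents 1).ToXml()
#   $storeDump = certutil -store my | Out-String
#   Get-Item "Cert:\LocalMachine\My\$thumb" | Format-List Subject, NotAfter, HasPrivateKey
```

An empty thumbprint means no certificate in the dumped store references that key container, so check the other stores before renewing.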
