Keyset does not exist (Exception from HRESULT: 0x8009000D), 0x80090016 or 0x80090005 while changing the Application Pool Identity in IIS

I have seen lots of people run into this specific issue on IIS 7 and later versions.

When you try to change the identity of an application pool to a domain account, you get the error below when committing the change.

There was an error while performing this operation.

Details:

Keyset does not exist (Exception from HRESULT: 0x8009000D)

 

The exact error code varies, but the text will say "Keyset does not exist" whenever you try to set a custom account as an application pool identity, or specify a "Connect as" user in the basic settings of a site or virtual directory.

You might also see the error codes below:

0x80090016

0x80090005

Why am I seeing this issue?

This issue happens when the IIS-specific machine keys (the RSA key containers IIS uses to protect its configuration) are corrupt or missing.

The machine keys can become corrupt after an improper shutdown or a system crash, or be missing or unusable when the machine was cloned from an existing image.

It is always a good idea to keep a backup of the machine keys.

Before explaining in detail what goes wrong internally, let's first look at the machine keys IIS uses for encryption. Their location depends on the operating system; from Windows Server 2008 R2 onwards they live in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys as the files listed below (the key container name is given after each file name):

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID iisConfigurationKey

d6d986f09a1ee04e24c949879fdb506c_GUID NetFrameworkConfigurationKey

76944fb33636aeddb9590521c2e8815a_GUID iisWasKey

These three keys are used by IIS 7 and later to encrypt the configuration.

The configuration that references these keys looks like the fragment below and lives in C:\Windows\System32\inetsrv\config\applicationHost.config:

    <configProtectedData>
        <providers>
            <add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
            <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
            <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
        </providers>
    </configProtectedData>

IIS 6.0 uses a different key, c2319c42033a5ca7f44e731bfd3fa2b5_GUID, for its encryption. If the IIS Admin Service fails to start on an IIS 6 machine (or on an IIS 7 machine that has the IIS 6 metabase compatibility components installed), the first things to check are whether metabase.xml is corrupted and whether c2319c42033a5ca7f44e731bfd3fa2b5_GUID is corrupted.

IIS never stores sensitive data such as passwords in plain text: it is encrypted before it is written to the configuration and decrypted again when needed.

So if the machine keys above are corrupted, the IIS configuration and the keys go out of sync and every encryption or decryption task starts failing. That is why you see the error above when changing an application pool identity to a domain or custom account. Changing the identity to a built-in account such as LocalSystem, LocalService or NetworkService, which needs no password and therefore no encryption, does not fail.

To confirm that machine key corruption is the cause, try changing the "Connect as" account of any website or virtual directory to a custom account; you will get the same error.
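A quick way to check the same thing from a script, as an added example (this is not code from the original post): it lists the three key files from the MachineKeys directory given above and then tries to open each key container through .NET's RSACryptoServiceProvider with the UseExistingKey flag, which raises the same "Keyset does not exist" CryptographicException that IIS reports when the container is gone. Assumptions: you run it from an elevated PowerShell prompt (the MachineKeys directory is readable only by administrators and SYSTEM), and the .NET default RSA CSP can open containers created by IIS's default provider, so a failure here is a strong indication rather than proof; the helper name Test-MachineKeyContainer is mine.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Key container name -> file-name prefix of its key file in MachineKeys (from the post).
$containers = [ordered]@{
    'iisConfigurationKey'          = '6de9cb26d2b98c01ec4e9e8b34824aa2'
    'NetFrameworkConfigurationKey' = 'd6d986f09a1ee04e24c949879fdb506c'
    'iisWasKey'                    = '76944fb33636aeddb9590521c2e8815a'
}

# Hypothetical helper: try to open an existing machine-level RSA container by name.
# UseExistingKey stops the constructor from silently creating a fresh container,
# so a missing or unreadable key surfaces as a CryptographicException
# ("Keyset does not exist") instead of being papered over.
function Test-MachineKeyContainer {
    param([Parameter(Mandatory)][string]$Name)
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try {
        $rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
        $size = $rsa.KeySize
        $rsa.Dispose()
        return "opens OK ($size-bit RSA)"
    } catch {
        # New-Object wraps the CSP error; GetBaseException() gives the real message.
        return "FAILED: $($_.Exception.GetBaseException().Message)"
    }
}

foreach ($name in $containers.Keys) {
    $prefix = $containers[$name]
    $files  = @(Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -Force -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        $fileStatus = 'key file MISSING'
    } else {
        $fileStatus = ($files | ForEach-Object { '{0} ({1} bytes, modified {2})' -f $_.Name, $_.Length, $_.LastWriteTime }) -join '; '
    }
    '{0,-30} {1}' -f $name, $fileStatus
    '{0,-30} container {1}' -f '', (Test-MachineKeyContainer -Name $name)
}
```

A healthy server reports all three files present and all three containers opening; a file that is present but whose container fails to open is the "corrupt" case the post describes, while a missing file is the "missing" case. Keep the output: it tells you which of the three files you actually need to move in the repair steps later in this post.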

How to fix the issue?

Most of the time the advice is to rebuild or reinstall IIS. But what if reinstalling IIS is not an option?

Let’s see if there is something else we can do before we end up reinstalling IIS.

Before you proceed with the steps below, take a backup of the IIS configuration so that you do not have to configure everything from scratch if you end up reinstalling IIS.

To take a backup of the IIS configuration, install Web Deploy (msdeploy) from https://www.iis.net/downloads/microsoft/web-deploy

Once Web Deploy is installed and you reopen the inetmgr console, the root (server) node shows an Export Server Package option.


Click on Export server package.

You would want to encrypt the package with a password of your own. To do that, click Advanced Settings.


Enter the encryption password. You will need this password again when importing the package.


Click on Ok and Next.

Save the package (a zip file), which you can import later if needed.


To import the package, follow similar steps: click Import Server or Site Package at the root node of IIS and enter the encryption password when prompted.
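The same backup from the command line, as an added example (not code from the original post). It first takes the built-in IIS configuration backup with appcmd, which needs no extra install, and then produces the Web Deploy server package the wizard above creates, encrypted under your own password so the package no longer depends on this machine's key containers, and finally dry-runs the import so you know the package can be read back. Assumptions: Web Deploy V3 is installed in its default folder, you run this elevated, and the backup name, $backupDir and the package file name are placeholders of my choosing.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: Web Deploy V3 in its default folder; $backupDir, the backup name and
# the package file name are placeholders.
$ErrorActionPreference = 'Stop'
$backupDir = 'C:\iis-backup'
$appcmd    = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$msdeploy  = Join-Path $env:ProgramFiles 'IIS\Microsoft Web Deploy V3\msdeploy.exe'
$package   = Join-Path $backupDir 'webserver-package.zip'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1) Built-in IIS config backup: copies applicationHost.config, administration.config
#    and redirection.config to %windir%\System32\inetsrv\backup\<name>.
#    Restore later with:  appcmd restore backup "BeforeKeysetFix"
#    Note that this copies the files as they are; encrypted passwords inside them are
#    still tied to this machine's key containers.
& $appcmd add backup "BeforeKeysetFix"

# 2) Web Deploy server package (the Export Server Package wizard), encrypted with a
#    password of our own. The password has to reach msdeploy on its command line,
#    so it is cleared from the session at the end.
$packagePassword = Read-Host -Prompt 'Package encryption password'
& $msdeploy -verb:sync -source:webServer "-dest:package=$package,encryptPassword=$packagePassword"

# 3) Dry run of the import (the Import Server or Site Package wizard) to prove the
#    package is readable with that password. Drop -whatif to actually import.
& $msdeploy -verb:sync "-source:package=$package,encryptPassword=$packagePassword" -dest:webServer -whatif
Remove-Variable packagePassword
```

Take this backup before touching the key files: the point of the encrypted package is that it can be imported on a rebuilt server (or after a reinstall) without needing the original machine keys, whereas the appcmd backup only protects you against a bad edit of applicationHost.config.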

How to work around the machine key corruption?

Enough about the why. Now back to the main issue: how to fix the machine key corruption and the error below.

There was an error while performing this operation.

Details:

Keyset does not exist (Exception from HRESULT: 0x8009000D)

We can regenerate these machine keys without reinstalling IIS completely. To do that, follow the steps below.

1) Rename the files below, or move them to a different location, from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID iisConfigurationKey

d6d986f09a1ee04e24c949879fdb506c_GUID NetFrameworkConfigurationKey

76944fb33636aeddb9590521c2e8815a_GUID iisWasKey

2) Back up applicationHost.config, then delete everything inside the <providers> element of the <configProtectedData> section, leaving the (now empty) elements themselves in place, so that the section reads: <configProtectedData> <providers> </providers> </configProtectedData>

3) Open an elevated command prompt (run as administrator) and run the command below:

%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries

These steps should regenerate the machine keys and repopulate the configProtectedData section in applicationHost.config. Any passwords that were encrypted under the old keys (custom application pool identities, "Connect as" accounts) cannot be decrypted any more and have to be re-entered afterwards.
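The three steps as one elevated PowerShell script, as an added example (this is not the post's own code). It moves rather than deletes the key files, empties the <providers> element while keeping the surrounding elements, runs iissetup, and then verifies that the key files and the providers section are back. Two things here are my additions rather than the post's: IIS is stopped with iisreset before the keys are swapped so nothing holds the config or the containers open, and the script finishes by listing the application pools whose identity will have to be re-entered. The backup folder name is a placeholder; the file prefixes and paths are the defaults the post gives.

```powershell
# Added example, not from the original post: the three repair steps as a script.
# Run from an elevated PowerShell prompt. Nothing is deleted, only moved.
$ErrorActionPreference = 'Stop'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$appHost     = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$iisSetup    = Join-Path $env:windir 'System32\inetsrv\iissetup.exe'
$backupDir   = Join-Path $env:SystemDrive ('\iis-keyset-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$keyPrefixes = @('6de9cb26d2b98c01ec4e9e8b34824aa2',   # iisConfigurationKey
                 'd6d986f09a1ee04e24c949879fdb506c',   # NetFrameworkConfigurationKey
                 '76944fb33636aeddb9590521c2e8815a')   # iisWasKey

New-Item -ItemType Directory -Path $backupDir | Out-Null
Copy-Item -Path $appHost -Destination (Join-Path $backupDir 'applicationHost.config')

# My addition: stop IIS so neither WAS nor an open inetmgr session holds the
# config file or the key containers while they are swapped.
& iisreset /stop | Out-Null

# Step 1: move the three key files out of MachineKeys into the backup folder.
foreach ($prefix in $keyPrefixes) {
    Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Move-Item -Path $_.FullName -Destination $backupDir
            "moved $($_.Name)"
        }
}

# Step 2: empty <configProtectedData><providers> but keep both elements in place.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true      # keep the file's comments and indentation
$cfg.Load($appHost)
$providers = $cfg.SelectSingleNode('/configuration/configProtectedData/providers')
if ($null -eq $providers) { throw "no <configProtectedData><providers> element in $appHost" }
while ($providers.HasChildNodes) { [void]$providers.RemoveChild($providers.FirstChild) }
$cfg.Save($appHost)

# Step 3: regenerate the key containers and the providers section, then start IIS.
& $iisSetup /install SharedLibraries
& iisreset /start | Out-Null

# Verify: key files are back and the providers section has been repopulated.
foreach ($prefix in $keyPrefixes) {
    $present = (Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -Force -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0
    '{0}_GUID present: {1}' -f $prefix, $present
}
$after = New-Object System.Xml.XmlDocument
$after.Load($appHost)
$after.SelectNodes('/configuration/configProtectedData/providers/add') |
    ForEach-Object { "provider: $($_.GetAttribute('name'))" }

# Passwords encrypted under the old keys can no longer be decrypted, so list the
# application pools whose custom identity has to be re-entered in inetmgr.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    Select-Object Name, @{ n = 'UserName'; e = { $_.processModel.userName } }
```

If the verification loop reports a prefix as still absent, that container was not regenerated by iissetup and you are back to the reinstall option below. One caveat worth knowing: NetFrameworkConfigurationKey is also the default key container of .NET's RsaProtectedConfigurationProvider, so any web.config sections you encrypted with aspnet_regiis -pe on this server will need to be re-encrypted after it is regenerated.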

If this does not help, the most reliable option is to reinstall IIS to clear the corruption.

Hope this helps!

Technorati Tags: IIS,Keyset does not exist,0x8009000D,application pool,domain account