HTTP Error 500.19 0x8007000d Failed to decrypt attribute ‘password’ because the keyset does not exist

The scenario.


You have a web application that uses Anonymous Authentication.

This uses another account than the default. In other words, you have done the following:


In IIS manager, gone to the application, double clicked Authentication in the Features View.

Right clicked “Anonymous Authentication” and selected Edit.

Selected “Specific User” and “Set...”

And changed it to another account so you now have the following in your applicationhost.config.


<location path="Default Web Site/<your application>">




                    <anonymousAuthentication userName="<your user>" password="[enc:AesProvider:DwgJrnYhC6u4S….AzjsWHfJrzjI4hUToQj14pxg:enc]" />






What you can see here is that we have a username and password. By default it will only have:



                    <anonymousAuthentication username="" />



Which means we use the application pool identity. See more here:


"Anonymous Authentication <anonymousAuthentication>"


So, we have a password that needs to be decrypted.

Now, this fails, with the following error on a remote client:


500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.


On the IIS machine you will see this:


Module          AnonymousAuthenticationModule

Notification    AuthenticateRequest

Error Code      0x8007000d

Config Error    Failed to decrypt attribute 'password' because the keyset does not exist

Config File     \\?\C:\inetpub\temp\apppools\<your connectionpool>.config

Logon Method    Not yet determined

Logon User      Not yet determined

Config Source  297:

  298:                 <anonymousAuthentication enabled="true" userName="<your anonymous user>" password="[enc:AesProvider:Izbcyl...fdTDt26wTo97rw+Q=:enc]" />



So, it clearly tells us that it failed to decrypt the password.


One reason for this is that you (or rather the identity for the application pool that the application uses) for some reason do not have the correct permissions to

read the machine key needed for the decryption. To figure out if this is the case, do the following:


Download the Process Monitor tool from here:


Install it on the IIS machine and start it.

Set the filter to include for files in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys with a result of “Access Denied” (top two entries):



Then issue an IIS reset from a command prompt that is running as administrator:




and then access the site that gives the error. You should now see output similar to this:



which clearly shows that there is an Access Denied on one of the files in the Machine Keys directory.

And then naturally the next step is to check the permissions on that file.

Either the identity that we see in the “Process Monitor” output do not have Read permissions.

Or the IIS_IUSRS group do not have do not have Read permissions.


So the fix here is naturally to give Read permissions to the application pool user or the IIS_IUSRS group.


Hope this helps.


Other reasons are that the key in the password is corrupt. Or that the application.config is corrupt.


"Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 500.19 – Internal Server Error""



















Comments (1)

  1. Jeff Murr says:

    This blog post may help those having problems here.

Skip to main content