I have faced the following error at a client when trying to setup a Forefront TMG 2010 array in a work group environment, however this error is not related to TMG itself so you might encounter it in any setup when your server is using Certificates for server authentication.
When building my Forefront TMG 2010 Array the server designated as configuration storage started logging in the the event log the below error every other minute, I did try to issue another certificate for it and even uninstalled and installed TMG again but nothing did the trick.
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
The solution to my problem was granting the Network Service Read permission on the certificate and this is how I did it
- Changed directory to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys by using cd C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
- Then listed the certificated installed on the machine using certutil –store My and identified the certificate to be used
- At this point I would like you to notice that if you issue a dir /as in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys you will see a list of hidden files who’s names correspond to the “Unique container name” in the screenshot above
- The final step is to give the Network Service read permission on this certificate using icacls
/grant “NETWORK SERVICE”:(R)
That’s it the error disappeared …