A fatal error occurred when attempting to access the SSL server credential private key.

I ran into the following error at a client while setting up a Forefront TMG 2010 array in a workgroup environment. The error is not specific to TMG, however: you can hit it in any setup where a Windows server presents a certificate for server authentication (Schannel) and the service account cannot read the certificate's private key.

When building the Forefront TMG 2010 array, the server designated as the configuration storage server started logging the error below in the event log every other minute. I issued a new certificate for it and even uninstalled and reinstalled TMG, but nothing did the trick.

Error
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Error code 0x8009030d is SEC_E_UNKNOWN_CREDENTIALS: Schannel found the certificate but could not use the private key behind it. In my case the cause was file permissions, and the solution was granting Network Service Read permission on the certificate's private key container file. This is how I did it:

  • Changed directory to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys using cd C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. (Keys held by a CNG key storage provider live under C:\ProgramData\Microsoft\Crypto\Keys instead; the same procedure applies there.)
  • Then listed the certificates installed in the machine store using certutil -store My and identified the certificate to be used, matching its subject and thumbprint against the certificate the service is configured to present. Note the "Unique container name" line that certutil prints for the key.
    (screenshot 01)
  • At this point I would like you to notice that if you issue dir /as in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys you will see a list of hidden files whose names correspond to the "Unique container name" in the screenshot above. If no file matches your container name, the private key is missing rather than unreadable, and no permission change will fix it; re-import the certificate together with its private key.
    (screenshot 02)
  • The final step is to give Network Service Read permission on that container file using icacls <unique-container-name> /grant "NETWORK SERVICE":(R). Grant Read only, and only to the account that runs the service; do not grant Full Control or open the file to Everyone, since whoever can read this file holds the server's private key.
    (screenshot 03)
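The same procedure as a single script, added here as an example and not part of the original post or of TMG: it locates the key container file from the certificate's thumbprint instead of matching names by eye, distinguishes CAPI (RSA\MachineKeys) from CNG (Crypto\Keys) storage, stops with a clear message when the key file is missing (the case raised in the comments below), and grants Read only. It assumes Windows PowerShell 5.1 on the affected server, an elevated prompt, an RSA certificate, and that you supply the $Thumbprint and $Account values.

```powershell
<#
  Added example (not code from the original post). Grants a service account Read
  on the private-key file of a machine certificate. Assumptions: Windows PowerShell
  5.1 / .NET Framework, elevated prompt, RSA key; $Thumbprint and $Account are
  placeholders supplied by the operator.
#>
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint -replace '\s', ''    # tolerate thumbprints pasted with spaces

# Step 1: find the certificate in the machine store (what "certutil -store My" lists).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the machine store; re-import the PFX with its key."
}
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"

# Step 2: resolve the on-disk key container. CAPI (RSA CSP) keys live under
# RSA\MachineKeys, CNG (KSP) keys under Crypto\Keys. The file name is the
# "Unique container name" that certutil prints.
$csp = $null
try { $csp = $cert.PrivateKey } catch { }     # throws on .NET Framework for CNG keys
if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
} else {
    $rsa       = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $container = $rsa.Key.UniqueName            # RSACng exposes the CngKey
    $keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$container"
}
Write-Host "Key file: $keyPath"

# The container files are hidden, so check existence directly rather than via dir.
if (-not [System.IO.File]::Exists($keyPath)) {
    throw "Key file not found: the private key is missing, not merely unreadable, so an ACL change will not help. Re-import the certificate and key, or try 'certutil -repairstore My $Thumbprint' if the key exists under another container."
}

# Step 3: show who can read the file today, then grant Read only (no Full Control,
# no Everyone) to the account that runs the service.
Write-Host "`nCurrent ACL:"
(Get-Acl -LiteralPath $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize | Out-String | Write-Host

$acl  = Get-Acl -LiteralPath $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Verify with the same tool the post uses.
icacls $keyPath
```

Run it as `.\Grant-KeyRead.ps1 -Thumbprint <thumbprint>` (the file name is an assumption); pass `-Account 'DOMAIN\svc-sql'` when the service runs under a different account, as the SQL Server comments below describe. After the change, the Schannel 36870 events should stop; if they continue, the service is bound to a different certificate than the one you repaired.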

That's it; the error disappeared.

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be, one in a few, making a living out of my passion. I am also member of the famous Experts Exchange (profile here) online community where I try my best to share what I have learned along the road.

Posted in Security
  • Adam Wojewodzki

    I encountered a similar issue during SCCM 2012 setup. A similar solution fixed SQL, but instead of NETWORK SERVICE I needed to grant permissions to whatever account is used to run the SQL services.

    • Nico Idskov

      Same here.
      No need to use XCACLS though. Just browse the folder and change the permissions.

  • Melvin82nl

    Hi, I got the same error as above. Only I don't have a corresponding hidden file for the Unique Container Name. Am I doing something wrong? Do you have any other suggestions?

    • Willie

      If you don’t have a hidden file corresponding to the container name, your private key is actually missing. Try deleting and reimporting your certificate and private key to the machine store.

  • Todd

    This is the ONLY posting I found that worked. Thank you!!

  • Guest

    Thank you! It solved my problem.

  • Dave Patterson

    Great post! I received this error while changing out the SQL Server service account on a server with SSL certificate encryption. Your post saved a lot of time.

  • dpmcmull

    It seems that my file is missing. Is there a way to recreate my private key? Every page I go to that switches from http to https, or needs security (such as my online backup solution), doesn't work properly, and in the case of my online backup, doesn't work at all. Any help is greatly appreciated.

  • how

    Thanks, it worked for me with Lync 2010!!! Now Schannel works.

  • Leo

    This post is a GEM!! Thanks!

  • Arnaud

    Good Job !

  • Dav

    THANKS A LOT

  • John

    Thanks in advance. GREAT JOB

  • Ron Houet

    How do you know which certificate you have to choose? I can't figure it out from this article.
