This event can be about a server certificate or a client certificate and different error codes can be reported. One should pay attention to these details as they require a different troubleshooting approach.
A Microsoft engineer provided the following suggestions:
If the certificate is not considered valid by the schannel provider, the schannel provider will reject the cert if one of the following validation
1. The root to which the LDAPS / DC Cert is not trusted
2. The DC is not able to validate that the CA is trusted (cannot build a
3. The certificate is expired
4. The certificate is revoked
Please determine if the certificate is failing validation checking by using certutil from Windows Server 2003 and correct the issues that certutil reports (expired CRL, server isn't reachable on the network, CRL isn't published to the location as expected, etc.).
For more information, see ME825061 (Certificate Services Does Not Start After You Upgrade to Windows 2000). Also, you may use the "dsstore -dcmon" command and look at a verbose display. Then, correct the trust chain on the certificate that you are using for schannel. For more information about the Directory Services Store Tool, please refer to ME313197 (HOW TO: Use the Directory Services Store Tool to Add a Non-Windows 2000)
* * *
Error code: 0x80090016 - This error seems to indicate a permissions problem. Most of the newsgroup posts below were from Microsoft support engineers.
From a newsgroup post: "I would suggest you export the cert out (with private key) then reimport again, or import to other machine, and export from there and import back to this machine. See ME232137 on importing and exporting certificates and ME232136 on how to back up a server certificate in IIS 5.0."
From another post: "Try going to the properties of the Documents and Settings\All Users folder, then go to the Security tab, select Advanced and then select the reset permissions on all child objects and then select OK. Then try the websites out again."
From a newsgroup post: "There are 4 main IIS troubleshooting steps to take when you cannot make a successful SSL connection:
1) Is the SSL ISAPI filter installed? It should be at the master level, and is called "sspifilt".
2) In the IIS MMC, on the Web Site tab of the site's Properties page, is the SSL Port enabled or is it grayed out? What port are you using for SSL?
3) Host Headers and SSL should not be attempted to work in conjunction. If possible, completely disable your Host Headers when troubleshooting SSL.
4) Try generating a new certificate. It could be the case that your Certificate is bad."
From a newsgroup post: "According to my experience, you can try to give Administrators group full control on folder and its contents: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys."
According to Thawte Solution document SO377, this occurs after you have reinstalled your server or you had a server crash. The recommended resolution is to import your private key backup file (.pfx file) using the instructions in Thawte Solution SO5288. Please check the private key in the Microsoft/Crypto/RSA/MachineKeys directory. If it has no permissions on it at all, change it to have all permissions, and then it should work.
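The two checks described above, chain validation for the server certificate (the certutil step in the first section) and the MachineKeys permissions behind 0x80090016, as a PowerShell diagnostic added here as an example; it is not from the original article, Microsoft or Thawte. It assumes an elevated PowerShell prompt on the affected server; the MachineKeys path is derived from ProgramData on Windows Vista/2008 and later, falling back to ALLUSERSPROFILE\Application Data on Windows 2000/2003.

```powershell
# Added diagnostic (not from the original article). Run elevated on the server.

# 1. Build the chain for every Server Authentication certificate in the
#    machine store with online revocation checking, the same conditions
#    (untrusted root, unbuildable chain, expired, revoked) Schannel applies.
function Test-SchannelServerCerts {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        # A certificate with no EKU at all is also usable for server auth.
        $_.EnhancedKeyUsageList.Count -eq 0 -or
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
    } | ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $valid = $chain.Build($_)
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey   # false here also yields 0x80090016
            ChainValid    = $valid
            # Empty when valid; otherwise e.g. UntrustedRoot, NotTimeValid, Revoked,
            # RevocationStatusUnknown (CRL not reachable or not published)
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

# 2. The machine private-key containers live under MachineKeys; SYSTEM and
#    Administrators must keep access or Schannel cannot open the key.
function Test-MachineKeysAcl {
    $base = if ($env:ProgramData) { $env:ProgramData }
            else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
    $path = Join-Path $base 'Microsoft\Crypto\RSA\MachineKeys'
    $acl = Get-Acl -Path $path
    $systemFull = $acl.Access | Where-Object {
        $_.IdentityReference -like '*SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
            [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    [pscustomobject]@{
        Path           = $path
        SystemHasFull  = [bool]$systemFull
        Entries        = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

Test-SchannelServerCerts | Format-Table -AutoSize
Test-MachineKeysAcl
```

A row with ChainValid false names the exact validation failure to fix; SystemHasFull false (or an empty entry list) matches the stripped-ACL case the Thawte note describes.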
See also the links to:
- Error code 0x80090016
- Error code 0x8010002e: Cannot find a smart card reader
- Error code 0x80090304: The Local Security Authority cannot be contacted
* * *
Some other issues may share similar causes, namely bad certificates. See the link to the "Unable to Start Microsoft Firewall Service in ISA Server 2006" article. A user consulted this before determining that in his case, the error was recorded because the SQL Server hadn't been configured to use an SSL certificate.