Event ID: 36870 Source: Schannel

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xffffffff.
This event can refer to either a server certificate or a client certificate, and different error codes can be reported. Pay attention to these details, because each combination calls for a different troubleshooting approach.
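Because the credential side (server or client) and the hex error code drive the rest of the troubleshooting, it helps to see at a glance which combinations a host is actually logging. The following script is an added example written for this page, not code from the original page or from Microsoft. It assumes a current Windows build, where Schannel writes event 36870 to the System log under the provider name "Schannel", and it only reads the log; run it from an elevated prompt.

```powershell
# Added example (not from the original page): triage Schannel event 36870 by
# credential side and cryptographic error code over the last N days.
# Assumption: Schannel logs to the System log with ProviderName "Schannel".
param([int]$Days = 7)

$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870
             StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 36870 events in the last $Days day(s)"; return }

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Which credential failed: "SSL server credential" vs "SSL client credential"
    # (newer builds say TLS instead of SSL, so match only the side).
    $side = if ($msg -match '(?i)(server|client) credential') { $Matches[1].ToLower() } else { 'unknown' }
    # The first hex value in the text is the code returned by the cryptographic module.
    $code = if ($msg -match '0x[0-9A-Fa-f]+') { $Matches[0].ToLower() } else { 'n/a' }
    [pscustomobject]@{ Time = $e.TimeCreated; Side = $side; Code = $code }
}

# Short labels for the codes discussed on this page; anything else is shown raw.
$known = @{
    '0x80090016' = 'NTE_BAD_KEYSET (keyset does not exist): private key / MachineKeys ACL problem'
    '0x8009030d' = 'SEC_E_UNKNOWN_CREDENTIALS: key not usable from this store or service'
    '0x8010002e' = 'cannot find a smart card reader'
    '0x80090304' = 'the Local Security Authority cannot be contacted'
}

$rows | Group-Object Side, Code | Sort-Object Count -Descending | ForEach-Object {
    $c = $_.Group[0].Code
    $label = if ($known.ContainsKey($c)) { $known[$c] } else { 'not covered on this page; look the code up' }
    $last = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    '{0,5}  {1,-7} {2,-12} {3}  (last seen {4})' -f $_.Count, $_.Group[0].Side, $c, $label, $last
}
```

The 0x80090016 and 0x8009030D labels repeat what this page says about those codes; the NTE_BAD_KEYSET name is the standard Windows name for 0x80090016. A spike of one code on the server side right after a reboot or a certificate renewal is the pattern the private-key and store-placement notes below are about.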

A Microsoft engineer provided the following suggestions:

If the certificate is not considered valid by the schannel provider, the schannel provider will reject the cert if one of the following validation problems exists:
1. The root to which the LDAPS / DC cert chains is not trusted
2. The DC is not able to validate that the CA is trusted (cannot build a trust chain)
3. The certificate is expired
4. The certificate is revoked

Please determine if the certificate is failing validation checking by using certutil from Windows Server 2003 and correct the issues that certutil reports (expired CRL, server isn't reachable on the network, CRL isn't published to the location as expected, etc.)

For more information, see ME825061 (Certificate Services Does Not Start After You Upgrade to Windows 2000). Also, you may use the "dsstore -dcmon" command and look at a verbose display. Then, correct the trust chain on the certificate that you are using for schannel. For more information about the Directory Services Store Tool, please refer to ME313197 (HOW TO: Use the Directory Services Store Tool to Add a Non-Windows 2000)

* * *
Error code: 0x80090016 - This error seems to indicate a permissions problem. Most of the newsgroup posts below were from Microsoft support engineers.

From a newsgroup post: "I would suggest you export the cert out (with private key) then reimport it again, or import it to another machine, export it from there and import it back to this machine. See ME232137 on importing and exporting certificates and ME232136 on how to back up a server certificate in IIS 5.0."

From another post: "Try going to the properties of the Documents and Settings\All Users folder, then go to the Security tab, select Advanced, select "Reset permissions on all child objects" and then select OK. Then try the websites out again."

From a newsgroup post: "There are 4 main IIS troubleshooting steps to take when you cannot make a successful SSL connection:
1) Is the SSL ISAPI filter installed? It should be at the master level, and is called "sspifilt".
2) In the IIS MMC, on the Web Site tab of the site's Properties page, is the SSL Port enabled or is it grayed out? What port are you using for SSL?
3) Host Headers and SSL should not be attempted to work in conjunction. If possible, completely disable your Host Headers when troubleshooting SSL.
4) Try generating a new certificate. It could be the case that your Certificate is bad."

From a newsgroup post: "According to my experience, you can try to give Administrators group full control on folder and its contents: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys."

According to Thawte Solution document SO377, this occurs after you have reinstalled your server or you had a server crash. The recommended resolution is to import your private key backup file (.pfx file) using the instructions in Thawte Solution SO5288. Please check the private key in the Microsoft/Crypto/MachineKeys/RSA directory. If it has no permissions on it at all, change it to have all permissions, and then it should work.

See also the link to Error code 0x80090016.
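The Microsoft engineer's four validation checks above and the private-key permission advice in this 0x80090016 section can be worked through in one pass on a modern host. The following audit script is an added example written for this page; it is not code from the original page, from Microsoft or from Thawte. It assumes the key behind the certificate is an RSA software key held under %ProgramData%\Microsoft\Crypto (the current location of the "All Users\Application Data\Microsoft\Crypto" tree named above, with CAPI keys in RSA\MachineKeys and CNG keys in Keys), and that 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU. It only reads; run it as Administrator.

```powershell
# Added example (not from the original page): read-only audit of the computer's
# Personal store for the failure modes this page lists, then the on-disk ACL of
# each private key file. Assumptions: RSA software keys under
# $env:ProgramData\Microsoft\Crypto; Server Authentication EKU = 1.3.6.1.5.5.7.3.1.
param([string]$Store = 'Cert:\LocalMachine\My')

$certs = Get-ChildItem -Path $Store
if (-not $certs) { Write-Warning "No certificates in $Store"; return }
$now = Get-Date

foreach ($cert in $certs) {
    Write-Host "=== $($cert.Subject)  [$($cert.Thumbprint)]"

    # A CA certificate sitting in the Personal store is the misplaced-issuer case
    # described further down this page; it belongs in Root or CA, not in My.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        Write-Warning "    This is a CA certificate; move it to the Trusted Root or Intermediate CA store"
    }

    # Reason 3: expired (or not yet valid).
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "    Outside validity period ($($cert.NotBefore) .. $($cert.NotAfter))"
    }

    # Reasons 1, 2 and 4: untrusted root, chain cannot be built, revoked.
    # Online revocation checking is what certutil -verify -urlfetch also does;
    # CRL download failures show up as RevocationStatusUnknown / OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.1')
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "    Chain OK, anchored at: $($root.Subject)"
    } else {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "    Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
    $chain.Dispose()

    # The 0x80090016 case: is a private key bound, can it be opened, and who has
    # rights on the key file? SYSTEM must be able to read it; for IIS the
    # application pool identity needs read access as well.
    if (-not $cert.HasPrivateKey) { Write-Warning "    No private key bound to this certificate"; continue }
    $keyName = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    } catch {
        Write-Warning "    Private key is bound but cannot be opened: $($_.Exception.Message)"
        continue
    }
    if (-not $keyName) { Write-Warning "    Could not map the private key to a file (non-RSA or hardware-backed key?)"; continue }

    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) { Write-Warning "    Key file $keyName not found under ProgramData\Microsoft\Crypto"; continue }

    Write-Host "    Key file: $($keyFile.FullName)"
    $acl = Get-Acl -Path $keyFile.FullName
    Write-Host "    Owner:    $($acl.Owner)"
    if (-not $acl.Access) { Write-Warning "    Key file has NO access entries at all (the symptom the Thawte note describes)" }
    foreach ($ace in $acl.Access) {
        Write-Host ('    {0,-6} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }
    $systemCanRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like '*SYSTEM' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $systemCanRead) { Write-Warning "    SYSTEM has no Read right on the key file; this matches the permissions cause discussed above" }
}
```

The chain section reports the same conditions the engineer lists (UntrustedRoot, PartialChain, NotTimeValid, Revoked) as X509ChainStatus values, so a practitioner can map each warning back to the numbered reason. The ACL section deliberately stops at reporting: granting Administrators or SYSTEM rights on a key file, as the newsgroup posts suggest, should be a conscious step after reading the output, not something a diagnostic script does on its own.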

- Error code 0x8010002e - Cannot find a smart card reader
- Error code 0x80090304 - The Local Security Authority cannot be contacted

* * *

Some other issues may share similar causes - bad certificates. See the link to the "Unable to Start Microsoft Firewall Service in ISA Server 2006" article. A user consulted this before determining that in his case, the error was recorded because the SQL Server hasn't been configured to use an SSL certificate.
"SEC_E_UNKNOWN_CREDENTIALS" (Error code 0x8009030D) : Got this by copying a personal certificate between two hives. The certificate was usable in services, but after reboot services failed to use it. Resolved after re-importing the certificate directly into the computer personal hive.
This error also occurs when you have imported a certificate and its signer CA certificate into the same store. You must move the CA certificate to Trusted Root Certificate Authorities and the problem will be solved.
I ran into this problem and I found this article: EV100156 (OCS 2007 R2 and IIS SSL Cert Binding Issues).
- Error code 0x80090016 - I received this message when I created a request for a Verisign SSL key renewal in one directory but placed the response file (.cer) in another location and proceeded to install the pending renewal request using the IIS wizard. Even though the properties page of the certificate said it was installed, when a user went to the web site, a "Page cannot be displayed" message would appear and each time we restarted IIS this event would be generated. To correct this problem, I had to create another renewal request using the IIS wizard and then obtained a new response file from Verisign using their website.

- Error code 0x6 - From a newsgroup post: "This event, along with Event ID 36872 from source DCOM, started to occur a day after I installed a new HP LaserJet on a workstation. On the Windows 2000 workstation where I installed the HP Laserjet, I noticed that the event log was reporting Event ID 10009 from source DCOM every 20 seconds (DCOM was unable to communicate with the computer Server11 using any of the configured protocols). I looked around the HP Website and I found a fix. At a command window, from the \windows\system32 directory, run the following command: "hpbpro.exe -RegServer". If the problem persists, run "hpbpro.exe -Service". This fixed the error at the workstation and also events 36870 and 36872 from the server".
See ME331333 for more details.
I have seen the 0xffffffff instance of this event when I have stopped the Protected Storage Service and then tried to use the SSL API. Specifically "AcquireCredentialsHandle" ends with "SEC_E_UNKNOWN_CREDENTIALS" (Error code 0x8009030D). The problem is resolved by starting the Protected Storage Service.
If you're getting this event and you're using BackupExecAgentAccelerator, you need to go into HKEY_Local_Machine -> CurrentControlSet -> Services -> BackupExecAgentAccelerator -> Security and change the Security key to match what you have on your backup server.
