Certificate Error 0x80090016
TMG Team, May 27, 2014

You may face an issue where a certificate assigned to a listener suddenly becomes invalid, and incoming SSL connections are therefore dropped. Restarting the service will show the following error:
Event Source: Microsoft Firewall
Event ID: 14060
Description: Cannot load an application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with code 0x80092004. To attempt to activate this application filter again, stop and restart the Firewall service.

The problem can be caused by the permissions on the private keys of the certificate store becoming corrupted. This may affect one or more certificates. In these cases, deleting the bad certificate and re-importing it can help to resolve the problem most of the time. Find more information in this article: http://blogs.technet.com/b/isablog/archive/2009/03/10/unable-to-start-microsoft-firewall-service-in-isa-server-2006.aspx

In some cases you may have lost the original PFX file or forgotten the password, and need to fix the issue using a different approach. In this article we will discuss how to better diagnose the issue and try to fix it; this may or may not work in your environment, depending on the extent of the damage.

You can identify the invalid certificates by opening the TMG console, even if the Firewall service is not running, and trying to assign the right certificate to each of your listeners. After unselecting the checkbox “Show only valid certificates”, you will see a message similar to that in the screenshot below:
In the properties of the listener, when selecting a certificate, you may get the status “Private key handle error” or “Invalid key”.

You can try fixing the issue from the Certificates console:

1. Execute MMC.
2. Add the Certificate snap-in for the Local computer.
3. In the Personal store, right-click the certificate, then All Tasks, Manage Private Keys.
4. If you can, assign Full control to the local Administrators group and to SYSTEM.
5. Go back to the TMG console and select the certificate; it should appear valid.
6. Save and apply the configuration and try to start the Firewall service.

However, you may be unable to assign the permission from the Certificates console; you may get an Access denied error. In this case you will have to identify the file with the certificate’s private key, the file

https://blogs.technet.microsoft.com/isablog/2014/05/27/tmg-web-listener-certificate-private-key-handle-error-0x80090016/

Web Certificate Services - Error 0x80090016 on certificate install for IPsec [WORKAROUND INSIDE!]
Posted: 11-13-2003, 11:19 AM
Todd Day

[Workaround below] When installing an IPSec certificate to the Local Machine Store, I get the following error - Unable to install the certificate: Error: 0x80090016

Using the MMC snap-ins, it appears that the certificate made it, but the private key did not. Actually, the certificate claims to have an associated private key, but I know that is a lie because during IKE negotiations, this certificate is not seen as valid. The certificate will install properly if I don't check the box to store it in the Local Store.
Then I try to use the MMC tool to move the certificate from my User Store to the Local Store. Well, the certificate makes it, but the private key does not. The certificate will claim that the private key is there, but it did not get properly moved. THE BUG IN THE LAST SENTENCE HAS BEEN AROUND SINCE AT LEAST MAY, BUT STILL HAS NOT BEEN FIXED!

This 0x80090016 error occurred on two of my WinXP Home machines. It also occurred on a couple WinXP Pro machines in my Win2k3 domain, but not all of them. It worked okay on the one Win2k machine in my domain that I tried. All of these machines (with and without the bug) had been patched with the IPsec/NAT-T patch.

The workaround for this error (only tested on one machine as I write this) is to request a cert WITH AN EXPORTABLE KEY, but do not request a Local Machine Store key. You will get a User Store key instead, with the full CA path as bonus. This key should install properly with no problems. Then use the MMC tool with the Certificate snap-in loaded twic

http://www.realgeek.com/forums/web-certificate-services-error-0x80090016-on-certificate-install-for-ipsec-workaround-inside-297571.html
http://www.iis.net/learn/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate

Troubleshooting SSL related issues (Server Certificate)
By Kaushal Kumar Panday, April 9, 2012

Tools Used in this Troubleshooter: SSLDiag, Network Monitor 3.4/Wireshark

This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.

Overview

This document will help you in troubleshooting SSL issues related to IIS only. Client Certificates troubleshooting will not be covered in this document. Server Certificates are meant for Server Authentication and we will be dealing only with Server Certificates in this document. If the Client certificates section is set to “Require” and you then run into issues, please don’t refer to this document. It is meant for troubleshooting SSL Server certificate issues only.

It is important to know that every certificate comprises a public key (used for encryption) and a private key (used for decryption). The private key is known only to the server. The default port for https is 443.

I assume the reader is well-versed in the SSL Handshake and the Server Authentication process during the SSL handshake.

Description of the Secure Sockets Layer (SSL) Handshake: http://support.microsoft.com/kb/257591
Description of the Server Authentication Process during the SSL Handshake: http://support.microsoft.com/kb/257587

Scenarios

The following error message is seen while browsing the website over https:

The first thing that has to be checked is whether the website is accessible over http.
If yes, then we proceed with our troubleshooting. If not, then you need to have the website working on http first, and that's a separate issue (not covered in this troubleshooter). Now let’s assume the website is accessible over http and we get the above error when trying to browse over https. The error message is seen because the SSL handshake failed. There could be ma