Unable to Start Microsoft Firewall Service in ISA Server 2006
1. Introduction
This scenario is based on a real case that I was able to reproduce in a lab. The issue was that the Microsoft Firewall Service was not starting and showed the following error message when trying to start it manually:
Figure 1 – Error trying to manually start Microsoft Firewall service.
The error -2146885628 is HRESULT 0x80092004L, which is CRYPT_E_NOT_FOUND. Besides this pop-up error message, the following entries were logged in the Application Log:
Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 14177
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Some certificates cannot be initialized (error code -2146885628). The Web Proxy filter could not initialize. Check that all certificates used by the Web Proxy filter are valid.
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14060
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
ISA Server could not load the application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with the error code 0x80092004. To attempt to activate this application filter again, stop and restart the Firewall service.
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14001
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Firewall Service failed to initialize. Previous event log entries might help determine the proper action.
Of these three events the main one is the first: it was the first to occur, and the other two are just consequences of it.
2. Reviewing the Web Listener
Certificates are bound to the Web Listener, therefore you first need to review those Listeners to see if there is anything suspicious in there. Look for things such as:
· Web Listeners that are using port 443 but have no certificate bound to them.
· Web Listeners that are using certificates that have already expired.
o Use the Considerations when Renewing Web Listener Certificates on ISA Server 2006 article to identify which certificates are expired.
· Web Listeners whose properties you cannot even open.
o In this case you may receive a catastrophic error, which might indicate that this Web Listener is corrupted. This type of scenario requires further research that is out of the scope of this post.
After reviewing the Web Listeners, it was possible to see that one of them was using port 443 (Figure 2) but had no certificate bound to it (Figure 3):
Figure 2 – Web Listener using Port 443.
Note: as you can see in Figure 2, the bottom of the window states that you must define the certificate in the Certificates tab when you are using SSL.
Figure 3 – Web Listener with empty certificate selection.
This is clearly a problem and explains why the Firewall Service is not coming up.
3. Reviewing your Certificate Container in the Local Computer
The next step is to verify that the certificates are correctly installed in the ISA Server local computer certificate store. Follow the steps from the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to do that.
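As an added example (not part of the original post, and not ISA Server's own tooling), the following PowerShell script audits the Local Computer Personal store for certificates that a Web Listener could be bound to but that the Web Proxy filter could not initialize: expired or not-yet-valid certificates and certificates imported without their private key. It also converts the signed decimal error code that event 14177 logs into the hex HRESULT form quoted above. The function names, the 30-day expiry warning window and the assumption of PowerShell 2.0 or later on the ISA Server computer are mine.

```powershell
# Added example: audit the Local Computer Personal certificate store on an
# ISA Server computer. Assumes PowerShell 2.0 or later (the Cert: provider).

function ConvertTo-HResultHex {
    # Event 14177 logs the error as a signed decimal (-2146885628); Windows
    # documents HRESULTs in hex. Formatting the Int32 with X8 gives the
    # two's-complement hex representation.
    param([int]$DecimalErrorCode)
    '0x{0:X8}' -f $DecimalErrorCode
}

function Get-ListenerCertificateIssues {
    # Hypothetical helper name; returns one object per problematic certificate.
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$ExpiringWithinDays = 30
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()
        if ($cert.NotAfter -lt $now) {
            $problems += 'expired'
        } elseif ($cert.NotAfter -lt $now.AddDays($ExpiringWithinDays)) {
            $daysLeft = [int]($cert.NotAfter - $now).TotalDays
            $problems += "expires in $daysLeft days"
        }
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
        # A Web Listener needs the private key to terminate SSL; a certificate
        # imported from a .cer instead of a .pfx has no key and is unusable.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($problems.Count -gt 0) {
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Problems   = ($problems -join ', ')
            }
        }
    }
}

# Decode the error code from the event log entry shown in the post.
ConvertTo-HResultHex -DecimalErrorCode -2146885628

# List certificates in the local computer store that need attention.
Get-ListenerCertificateIssues | Format-Table -AutoSize Subject, NotAfter, Problems, Thumbprint
```

Run it in an elevated PowerShell session on the ISA Server computer, since reading the HasPrivateKey flag for machine certificates requires access to the local computer store. Compare the thumbprints it reports against the certificates selected on each Web Listener's Certificates tab; any listener bound to a certificate in this list, or to no certificate at all, is a candidate for the CRYPT_E_NOT_FOUND failure described above.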
4. Resolution
To resolve this problem you have two approaches:
· If you don’t have the certificate at hand, you can change the listener to use HTTP (rather than HTTPS), apply the changes and start the Microsoft Firewall service.
· If you do have the certificate, use the steps from the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to import the new certificate, bind it to the listener and start the Microsoft Firewall service.
5. Main References
Although I mentioned an article about certificates throughout this post, it is important to emphasize that you should read that whole article to plan ahead and avoid situations like this:
Considerations when Renewing Web Listener Certificates on ISA Server 2006
This KB article can also help you understand the possible causes when the Microsoft Firewall service won’t start:
Author
Yuri Diogenes
Security Support Engineer
Microsoft CSS Forefront Edge Team
Technical Reviewer
Thomas Detzner
Escalation Engineer
Microsoft CSS Forefront Edge Team
Comments
Anonymous
January 01, 2003
Way to go...thanks for your feedback Paulo.
Anonymous
January 01, 2003
Great tip! This happened to me before and I followed the KB to solve my problem. Regards, Paulo Oliveira.
Anonymous
December 29, 2010
Thanks m8 great solution. The only thing that was different in our case: someone accidentally deleted some certificates that were still in use on some listeners. We re-added the certificates! thanks