

HTTP Error 500.19 0x8007000d Failed to decrypt attribute 'password' because the keyset does not exist

The scenario.

 

You have a web application that uses Anonymous Authentication, and the anonymous identity is an account other than the default. In other words, you have done the following:

 

In IIS Manager, selected the application and double-clicked Authentication in the Features View.

Right-clicked “Anonymous Authentication” and selected Edit.

Selected “Specific user” and “Set...”

And changed it to another account, so that you now have the following in your applicationHost.config:

 

    <location path="Default Web Site/<your application>">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication userName="<your user>" password="[enc:AesProvider:DwgJrnYhC6u4S….AzjsWHfJrzjI4hUToQj14pxg:enc]" />
                </authentication>
            </security>
        </system.webServer>
    </location>

 

What you can see here is that we now have both a user name and an encrypted password. By default the element only has:

 

        <system.webServer>
            <anonymousAuthentication username="" />
        </system.webServer>

 

An empty user name means that the application pool identity is used. See more here:

 

"Anonymous Authentication <anonymousAuthentication>"

https://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication

 

So, we have a password that IIS needs to decrypt at request time.

When that decryption fails, a remote client sees the following error:

 

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

 

On the IIS machine you will see this:

 

Module AnonymousAuthenticationModule

Notification AuthenticateRequest

Error Code 0x8007000d

Config Error Failed to decrypt attribute 'password' because the keyset does not exist

Config File \\?\C:\inetpub\temp\apppools\<your connectionpool>.config

Logon Method Not yet determined

Logon User Not yet determined

Config Source 297:

  298: <anonymousAuthentication enabled="true" userName="<your anonymous user>" password="[enc:AesProvider:Izbcyl...fdTDt26wTo97rw+Q=:enc]" />

  299:

 

So, it clearly tells us that it failed to decrypt the password.

 

One reason for this is that you (or rather the identity of the application pool that the application runs under) for some reason do not have permission to read the machine key needed for the decryption. To find out whether this is the case, do the following:

 

Download the Process Monitor tool from here:

https://technet.microsoft.com/en-us/sysinternals/bb896645

 

Install it on the IIS machine and start it.

Set the filter to include events for files under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys with a result of “Access Denied” (the top two entries in the filter dialog):

 

 

Then issue an IIS reset from a command prompt running as administrator:

 

C:\Windows\system32>iisreset

 

and then access the site that gives the error. You should now see output similar to this:

 

 

which clearly shows that there is an Access Denied on one of the files in the MachineKeys directory.

The next step is naturally to check the permissions on that file. Either the identity that we see in the Process Monitor output does not have Read permissions, or the IIS_IUSRS group does not have Read permissions.

 

So the fix here is naturally to give Read permissions on that file to the application pool user or to the IIS_IUSRS group.
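As an added example (not part of the original post), the following PowerShell script automates the permission check described above: it resolves the account the application pool runs as, tests every file in the MachineKeys folder for an effective Read allow for that account or for IIS_IUSRS, and with -Fix grants Read only on the files that fail. The script name, its parameter names and the default pool name are assumptions; it needs the WebAdministration module and an elevated prompt on the IIS machine.

```powershell
<#
  Test-MachineKeyAccess.ps1 (added example; not from the original post)

  Resolves the identity an application pool runs as, then checks every file in
  the MachineKeys folder for an effective Read allow for that identity or for
  BUILTIN\IIS_IUSRS. With -Fix, grants Read on only the files that lack it.
  Run from an elevated PowerShell on the IIS machine. The script name, the
  parameter names and the default pool name are assumptions.
#>
param(
    [string]$AppPoolName = 'DefaultAppPool',   # assumption: use your pool's name
    [string]$KeyDir      = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Fix
)

Import-Module WebAdministration -ErrorAction Stop

# Map the pool's identityType to the account name as it appears in a file ACL.
# ApplicationPoolIdentity is the virtual account "IIS AppPool\<pool name>",
# which is a member of IIS_IUSRS.
$pool = Get-Item -Path "IIS:\AppPools\$AppPoolName"
$identity = switch ("$($pool.processModel.identityType)") {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPoolName" }
    'SpecificUser'            { "$($pool.processModel.userName)" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    default                   { throw "Unknown identity type for pool $AppPoolName" }
}
$principals = @($identity, 'BUILTIN\IIS_IUSRS')
$readMask   = [System.Security.AccessControl.FileSystemRights]::Read

function Test-ReadAccess {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $allowed = $false
    foreach ($ace in $Acl.Access) {
        # Only ACEs for the pool identity or IIS_IUSRS matter here
        # (comparison is case-insensitive, so "IIS APPPOOL\..." matches).
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        $overlap = $ace.FileSystemRights -band $readMask
        if ($ace.AccessControlType -eq 'Deny') {
            # A Deny on any of the Read bits wins over every Allow.
            if ($overlap -ne 0) { return $false }
            continue
        }
        if ($overlap -eq $readMask) { $allowed = $true }
    }
    return $allowed
}

$missing = Get-ChildItem -Path $KeyDir -File | ForEach-Object {
    try {
        $acl = Get-Acl -Path $_.FullName -ErrorAction Stop
        if (-not (Test-ReadAccess -Acl $acl)) {
            [pscustomobject]@{ File = $_.FullName; Identity = $identity; Note = 'no Read allow' }
        }
    } catch {
        # Some key files cannot be inspected even by an administrator; report
        # them rather than silently treating them as fine.
        [pscustomobject]@{ File = $_.FullName; Identity = $identity; Note = 'ACL not readable' }
    }
}

if (-not $missing) {
    Write-Host "All files under $KeyDir grant Read to $identity or IIS_IUSRS."
    return
}

$missing | Format-Table -AutoSize

if ($Fix) {
    foreach ($m in $missing | Where-Object { $_.Note -eq 'no Read allow' }) {
        # Least privilege: grant only Read, only to this pool's identity, only on
        # the files that failed the check (not the whole folder to IIS_IUSRS).
        $acl  = Get-Acl -Path $m.File
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $m.File -AclObject $acl
        Write-Host "Granted Read on $($m.File) to $identity"
    }
}
```

Run it first without -Fix and compare the reported file with the one Process Monitor flagged. Granting Read to the pool identity on that single file is a narrower change than granting the whole folder to IIS_IUSRS, and it avoids giving every application pool on the machine read access to keys it does not use.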

 

Hope this helps.

 

Other reasons are that the encrypted value in the password attribute is corrupt, or that the applicationHost.config is corrupt.

 

"Error message when you visit a Web site that is hosted on IIS 7.0: 'HTTP Error 500.19 – Internal Server Error'"

https://support.microsoft.com/kb/942055
