SharePoint / PSConfig is failing with error “Keyset does not exist

Symptom

Unable to join any servers to your Production SharePoint Farm. PSConfig is failing with error "Keyset does not exist"

 

From PSCDiagnostics Log:

 11/07/2017 10:48:24 14 ERR Exception: System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() 
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Microsoft.SharePoint.Utilities.CertificateManager.ReleaseCertificate(X509Certificate2 certificate)
at Microsoft.SharePoint.Administration.SPCertificateAuthority.Issue(X500DistinguishedName subjectName, DateTime notBefore, DateTime notAfter, X509ExtensionCollection extensions)
at Microsoft.SharePoint.Administration.SPCertificateAuthority.Issue(String subjectName, X509ExtensionCollection extensions)
at Microsoft.SharePoint.Administration.SPIisWebServiceSettings.ProvisionLocalSslCertificate()
at Microsoft.SharePoint.Administration.SPIisWebServiceSettings.ProvisionLocal(SPIisWebServiceSettingsProvisioningOptions options)
at Microsoft.SharePoint.Administration.SPIisWebServiceInstance.Provision() 
at Microsoft.SharePoint.Administration.SPFarm.Join(Boolean skipRegisterAsDistributedCacheHost)
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run() 
at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()

Cause

PSCONFIG was failing while attempting to join a serer to the Farm with error "Keyset does not exist" because the PSCONFIG process was attempting to create the required Machine Keys with 2 different user accounts. For example, it started with domain\serviceaccount, then attempted to write the machine key with SYSTEM through LSASS.EXE. This caused the "Keyset does not exist" error because access was denied.

Resolution

To resolve this issue, we removed the SYSTEM account from the "MachineKeys" Folder (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys).

More Information

After thoroughly inspecting the ACLs on the MachineKeys folder we found that the "SYSTEM" account was added in the security of this folder (This is not default).

The default persimmons on the MachineKeys Folder are as follows.

 C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys 
Everyone 
Administrators

However, the servers that were failing to install SharePoint contained the SYSTEM account.

 C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys 
Everyone 
Administrators 
SYSTEM