‘Keyset does not exist’ followed by ‘Value does not fall within the expected range’ exception

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

Continuous exceptions ‘Keyset does not exist’ (Exception from HRESULT: 0x80090016) or (Exception from HRESULT: 0x80090005), followed by ‘Value does not fall within the expected range’ (0x80070005)

Sometimes the error below appears when committing a change of the application pool identity to a domain account.

Error Details:
---------------------------
Application Pools
---------------------------
There was an error while performing this operation.

Details:

Keyset does not exist (Exception from HRESULT: 0x80090016)
---------------------------
OK  
---------------------------

Error Code description:

| Error Code (Hex) | Error Code (Dec) | Symbolic Name | Error Description | Header |
|---|---|---|---|---|
| 0x80090016 | -2146893802 | NTE_BAD_KEYSET | Keyset does not exist | winerror.h |

The machine key providers were corrupted, so IIS was not able to decrypt the password set for the application pool. As a result, the application pool threw the error shown above.

As a workaround, we can fix the error by regenerating the machine keys as described in the article below:

https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Keyset-does-not-exist-exception-from-HRESULT-0x8009000D-or-or/ba-p/342955

But what should I do if regenerating the machine key providers with the command "iissetup.exe /install SharedLibraries" fails with “0x80070005” and the error pop-up below appears?

Error Details:
---------------------------
Application Pools
---------------------------
There was an error while performing this operation.

Details: 
Value does not fall within the expected range.
---------------------------
OK
---------------------------

Cause:

It looks like the keys themselves were in a corrupted state.

Recommendation:

To fix this issue, follow the steps below:

  1. Export the keys from a working server of the same version using the commands below:

     aspnet_regiis.exe -pri -px "iisConfigurationKey" "c:\iisconfigkey.xml"
     aspnet_regiis.exe -pri -px "NetFrameworkConfigurationKey" "c:\netframework.xml"
     aspnet_regiis.exe -pri -px "iisWasKey" "c:\iiswas.xml"

  2. Run the commands in the folders below:

     C:\Windows\Microsoft.NET\Framework64\v2.0.50727
     C:\Windows\Microsoft.NET\Framework64\v4.0.30319
     C:\Windows\Microsoft.NET\Framework\v2.0.50727
     C:\Windows\Microsoft.NET\Framework\v4.0.30319

  3. Once the keys are exported, move them to the non-working server and import them using the commands below (run these in all 4 folders mentioned above):

     aspnet_regiis.exe -pi "iisConfigurationKey" "c:\iisconfigkey.xml" -exp
     aspnet_regiis.exe -pi "NetFrameworkConfigurationKey" "c:\netframework.xml" -exp
     aspnet_regiis.exe -pi "iisWasKey" "c:\iiswas.xml" -exp

  4. Now, regenerate the machine key providers once again using the command “iissetup.exe /install SharedLibraries”.

Resolution Steps:

- Take a backup of the machine key folder
- Run the above-mentioned scripts
- Take a backup of the applicationHost.config file and remove the <providers> section under <configProtectedData>
- Run the command "%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries"
- Now try to change the credentials for the application pool identity
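
The resolution steps for the non-working server, collected into one PowerShell script. This is an added example, not the original author's script: the backup directory name is hypothetical, the MachineKeys and applicationHost.config paths are the Windows defaults, and treating a non-zero exit code from aspnet_regiis.exe as a failure is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the NON-working server after copying the three XML files to it.
$ErrorActionPreference = 'Stop'

$keyFiles = [ordered]@{                      # container name -> exported file (paths from the post)
    iisConfigurationKey          = 'c:\iisconfigkey.xml'
    NetFrameworkConfigurationKey = 'c:\netframework.xml'
    iisWasKey                    = 'c:\iiswas.xml'
}
$frameworkDirs = 'Framework64\v2.0.50727', 'Framework64\v4.0.30319',
                 'Framework\v2.0.50727',   'Framework\v4.0.30319' |
                 ForEach-Object { Join-Path "$env:windir\Microsoft.NET" $_ }
$machineKeys = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"        # Windows default location
$appHost     = "$env:windir\System32\inetsrv\config\applicationHost.config"
$backupDir   = "C:\KeyRepairBackup_$(Get-Date -Format yyyyMMdd_HHmmss)"   # hypothetical name

# 1. Back up the machine key folder (backup mode, ACLs and owner kept) and applicationHost.config.
New-Item -ItemType Directory -Path $backupDir | Out-Null
robocopy $machineKeys "$backupDir\MachineKeys" /E /B /COPY:DATSO /R:0 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "MachineKeys backup failed (robocopy exit $LASTEXITCODE)" }
Copy-Item $appHost -Destination $backupDir

# 2. Import each key container from every framework folder that is present.
foreach ($dir in $frameworkDirs) {
    $tool = Join-Path $dir 'aspnet_regiis.exe'
    if (-not (Test-Path $tool)) { Write-Warning "Skipping $dir (aspnet_regiis.exe not found)"; continue }
    foreach ($name in $keyFiles.Keys) {
        & $tool -pi $name $keyFiles[$name] -exp
        # Assumption: a non-zero exit code means the import failed.
        if ($LASTEXITCODE -ne 0) { throw "Import of $name failed in $dir" }
    }
}

# 3. The -pri export wrote the RSA private keys to these files in clear text; delete them.
$keyFiles.Values | ForEach-Object { Remove-Item $_ -Force }

# 4. Remove <providers> under <configProtectedData>, as the resolution steps describe.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($appHost)
$providers = $xml.SelectSingleNode('/configuration/configProtectedData/providers')
if ($providers) {
    [void]$providers.ParentNode.RemoveChild($providers)
    $xml.Save($appHost)
}

# 5. Regenerate the machine key providers.
& "$env:windir\System32\inetsrv\iissetup.exe" /install SharedLibraries
```

The exported XML files and the backup folder contain private key material, so move the files between servers over a protected channel and keep the backup only as long as it is needed.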
