SharePoint / PSConfig is failing with error “Keyset does not exist”

This post has been republished via RSS; it originally appeared at: SharePoint Support Blog articles.


Unable to join any servers to your Production SharePoint Farm. PSConfig is failing with error "Keyset does not exist"


From PSCDiagnostics Log:

11/07/2017 10:48:24 14 ERR Exception: System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() 
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Microsoft.SharePoint.Utilities.CertificateManager.ReleaseCertificate(X509Certificate2 certificate)
at Microsoft.SharePoint.Administration.SPCertificateAuthority.Issue(X500DistinguishedName subjectName, DateTime notBefore, DateTime notAfter, X509ExtensionCollection extensions)
at Microsoft.SharePoint.Administration.SPCertificateAuthority.Issue(String subjectName, X509ExtensionCollection extensions)
at Microsoft.SharePoint.Administration.SPIisWebServiceSettings.ProvisionLocalSslCertificate()
at Microsoft.SharePoint.Administration.SPIisWebServiceSettings.ProvisionLocal(SPIisWebServiceSettingsProvisioningOptions options)
at Microsoft.SharePoint.Administration.SPIisWebServiceInstance.Provision() 
at Microsoft.SharePoint.Administration.SPFarm.Join(Boolean skipRegisterAsDistributedCacheHost)
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run() 
at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()



PSCONFIG was failing while attempting to join a server to the farm with the error "Keyset does not exist" because the PSCONFIG process was attempting to create the required machine keys with 2 different user accounts. For example, it started with domain\serviceaccount, then attempted to write the machine key as SYSTEM through LSASS.EXE. That write was denied access, which surfaced as the "Keyset does not exist" error.



To resolve this issue, we removed the SYSTEM account from the "MachineKeys" Folder (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys).


More Information

After thoroughly inspecting the ACLs on the MachineKeys folder, we found that the "SYSTEM" account had been added to the security settings of this folder (this is not the default).


The default permissions on the MachineKeys folder are as follows.



However, the servers that were failing to install SharePoint contained the SYSTEM account.
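
To check a server for the condition described above, the following read-only PowerShell function lists every ACE on the MachineKeys folder and flags any entry for SYSTEM. It is an added example, not part of the original post; the function name Get-MachineKeysAclReport and its optional ReferenceDaclSddl parameter (the DACL string taken from a server that joins the farm correctly) are assumptions introduced here.

```powershell
# Added example: read-only report of the MachineKeys folder ACL.
# Run on the server that fails to join the farm; nothing is modified.
function Get-MachineKeysAclReport {
    param(
        [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
        # Assumption: DACL in SDDL form captured on a server that joins correctly.
        [string]$ReferenceDaclSddl
    )

    $acl = Get-Acl -LiteralPath $Path

    # Request rules keyed by SID so the check does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $acl.GetAccessRules($true, $true, $sidType)

    $report = foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }    # unresolvable SID: keep the raw value

        [pscustomobject]@{
            Account   = $name
            Sid       = $sid.Value
            Type      = $rule.AccessControlType
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = "$($rule.InheritanceFlags)/$($rule.PropagationFlags)"
            # S-1-5-18 is the well-known SID of the local SYSTEM account.
            IsSystem  = ($sid.Value -eq 'S-1-5-18')
        }
    }

    if ($report | Where-Object IsSystem) {
        Write-Warning "SYSTEM has an ACE on $Path (the non-default entry this article describes)."
    }

    if ($ReferenceDaclSddl) {
        # Compare only the DACL, so owner and group differences are ignored.
        $section = [System.Security.AccessControl.AccessControlSections]::Access
        $current = $acl.GetSecurityDescriptorSddlForm($section)
        if ($current -ne $ReferenceDaclSddl) {
            Write-Warning "DACL differs from reference.`n  here: $current`n  ref : $ReferenceDaclSddl"
        }
    }

    $report
}

Get-MachineKeysAclReport | Format-Table -AutoSize
```

The reference string can be captured on a working farm member by calling GetSecurityDescriptorSddlForm with the Access section on the result of Get-Acl for the same folder.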


