This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.
Continuous exceptions ‘Keyset does not exist’ (Exception from HRESULT: 0x80090016) or (Exception from HRESULT: 0x80090005) followed by (Value does not fall within the expected range 0x80070005)
Sometimes the error below appears when committing a change of the application pool identity to a domain account.
Error Details:
---------------------------
Application Pools
---------------------------
There was an error while performing this operation.
Details:
Keyset does not exist (Exception from HRESULT: 0x80090016)
---------------------------
OK
---------------------------
Error Code description:
| Error Code (Hex) | Error Code (Dec) | Symbolic Name | Error Description | Header |
|---|---|---|---|---|
| 0x80090016 | -2146893802 | NTE_BAD_KEYSET | Keyset does not exist | winerror.h |
The machine key providers were corrupted, so IIS was not able to decrypt the password set for the application pool. As a result, the application pool threw the error shown above.
As a workaround we can follow the below article to fix the error by regenerating the machine keys:
But what should I do if regenerating the machine key providers with the command "iissetup.exe /install SharedLibraries" itself fails with “0x80070005” and shows the error pop-up below?
Error Details:
---------------------------
Application Pools
---------------------------
There was an error while performing this operation.
Details:
Value does not fall within the expected range.
---------------------------
OK
---------------------------
Cause:
It looks like the keys themselves were in a corrupted state.
Recommendation:
To fix this issue, follow the steps below:
- Export the keys from a working server of the same version using the commands below:
aspnet_regiis.exe -pri -px "iisConfigurationKey" "c:\iisconfigkey.xml"
aspnet_regiis.exe -pri -px "NetFrameworkConfigurationKey" "c:\netframework.xml"
aspnet_regiis.exe -pri -px "iisWasKey" "c:\iiswas.xml"
- Run the commands in the folders below:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v4.0.30319
- Once the keys are exported, move them to the non-working server and import them using the commands below (run these in all 4 folders mentioned above):
aspnet_regiis.exe -pi "iisConfigurationKey" "c:\iisconfigkey.xml" -exp
aspnet_regiis.exe -pi "NetFrameworkConfigurationKey" "c:\netframework.xml" -exp
aspnet_regiis.exe -pi "iisWasKey" "c:\iiswas.xml" -exp
- Now, regenerate the machine key providers once again using the command “iissetup.exe /install SharedLibraries”.
Resolution Steps:
- Take a backup of the machine key folder
- Run the above-mentioned scripts
- Take a backup of the applicationHost.config file and remove the <providers> section under <configProtectedData>
- Run the command "%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries"
- Now, try to change the credentials for the application pool identity
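
The backup and import steps above as one PowerShell script (an added example, not part of the original post): it backs up the machine key store and applicationHost.config, imports the three containers from each of the four framework folders, and deletes the exported XML files afterwards because they contain private keys. The backup folder name and the reliance on a non-zero exit code from aspnet_regiis.exe to signal failure are assumptions of this example; the container names, file paths and switches are those used above.

```powershell
# Added example; run in an elevated PowerShell session on the non-working server.
$ErrorActionPreference = 'Stop'

# Container name -> exported file, exactly as in the commands above.
$containers = [ordered]@{
    'iisConfigurationKey'          = 'c:\iisconfigkey.xml'
    'NetFrameworkConfigurationKey' = 'c:\netframework.xml'
    'iisWasKey'                    = 'c:\iiswas.xml'
}
# The four framework folders listed above.
$frameworkDirs = @(
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727"
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319"
    "$env:windir\Microsoft.NET\Framework\v2.0.50727"
    "$env:windir\Microsoft.NET\Framework\v4.0.30319"
)

# Fail early if an exported file did not make it across.
foreach ($file in $containers.Values) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing exported key file: $file" }
}

# Backups first. $backupRoot is a hypothetical path; the source paths are the
# default machine key store and applicationHost.config locations.
$backupRoot = "C:\KeyRepairBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $backupRoot | Out-Null
# /B (backup mode) reads key files whose ACLs do not grant access to admins;
# /SEC keeps the ACLs so the backup is no more exposed than the original.
robocopy "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" "$backupRoot\MachineKeys" /E /B /SEC /R:0 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "MachineKeys backup failed (robocopy exit $LASTEXITCODE)" }
Copy-Item "$env:windir\System32\inetsrv\config\applicationHost.config" $backupRoot

# Import every container from every framework folder that is present.
foreach ($dir in $frameworkDirs) {
    $tool = Join-Path $dir 'aspnet_regiis.exe'
    if (-not (Test-Path -LiteralPath $tool)) { Write-Warning "Skipping $dir (not present)"; continue }
    foreach ($name in $containers.Keys) {
        $file = $containers[$name]
        & $tool -pi $name $file -exp
        if ($LASTEXITCODE -ne 0) { throw "Import of $name failed in $dir (exit $LASTEXITCODE)" }
    }
}

# The files were exported with -pri, so they hold RSA private keys: remove them.
Remove-Item -LiteralPath @($containers.Values) -Force
```

The same cleanup applies to the copies left on the working server and to whatever was used to transfer the files.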