Problem Binding an SSL Cert

Question
-
User865209878 posted
I'm having a strange issue with IIS7 on Windows 2008 Server trying to install a wildcard SSL cert. This cert installs on Windows 2003 without issue, and can be enabled on IIS 6 sites without a problem.
On the 2008 box, I'm able to launch the MMC and place the SSL cert into the local computer repository without issue. The chain of trust appears intact, and the General tab of the properties window says the cert is good for server authentication.
When I go into the IIS Administrator is when I start seeing the problems. I'll select the web site, then go to SSL Settings, then select Bindings from the right-hand side. When adding a new binding, my cert shows in the drop down. I get the following error:
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
Clicking OK on the window, and the binding of course doesn't show. Close the Bindings window and reopen it, and the binding to 443 shows properly. However, you cannot open a connection to that port on the server. It's not listening.
Interestingly, if I create a self-signed cert, the process works fine and I can create a connection to port 443 on the server. Due to this, I think it's a problem with the wildcard cert, but I'm not sure how to fix it, or even find what's wrong.
Thursday, April 24, 2008 12:34 PM
Answers
-
User865209878 posted
So, I figured this out.
I was looking over the page on installing TS Gateways, where I read that in order for this service to work, your cert must have the private key installed, which I didn't do. Hey, works on 2003, right?
Wrong.
I went back to my cert, and this time checked the box "Mark Exportable". Works fine now.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Monday, April 28, 2008 3:22 PM
All replies
-
User865209878 posted
Looks like when the error appears applying the wildcard cert, the following event appears in the log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/24/2008 3:05:10 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-HJMAVK0VVPF
Description:
Cryptographic operation.
Subject:
Security ID: WIN-HJMAVK0VVPF\Administrator
Account Name: Administrator
Account Domain: WIN-HJMAVK0VVPF
Logon ID: 0x1e1bf
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name: {EC7ED278-B5C4-4785-97E6-2DE0959252AD}
Key Type: Machine key.
Thursday, April 24, 2008 4:08 PM -
User1878523065 posted
I am having the same problem. SSL cert from Network Solutions will not allow me to sync a Windows Mobile PDA. What exactly did you do?
Wednesday, April 30, 2008 12:10 PM -
User1897286597 posted
I had a lot of problems and, like he mentioned, I just reimported it with the exportable checkbox checked and no errors occurred. I think the problem may be that it needs to "export" the cert to the site. That's the best hypothesis I can come up with.
Saturday, July 12, 2008 11:45 PM -
User1162293573 posted
Yes, I had the same problem!! All you do is go to the SSL certificate in the "Certificates" section of the server, right-click on the SSL certificate & choose Export. Export it to, say, the desktop. Then import this version back in, and hey presto, it works!!! Have no idea why, but that's how it goes sometimes!!!
Thursday, November 19, 2009 10:14 AM -
User-586444337 posted
I spent a whole day yesterday trying to track down the cause of this problem and your solution worked in minutes. Thank you, thank you, thank you.
Monday, December 20, 2010 12:00 PM -
User-1998152203 posted
I'm experiencing the same error. I figured out that I was logged on with the local Administrator account when I got this message.
I figured out that when I installed the certificate I was logged on with a Domain Administrator account, which means that this account was the owner of the private key part of the certificate.
When assigning a certificate the private key must be accessible, which by default is only possible for the account that requested / created or imported the certificate.
So yes, the solutions below by importing do work because of this behaviour, but can be avoided by using the correct account that is the "owner" of the private key.
Regards.
Thursday, April 28, 2011 4:44 PM -
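As an added diagnostic (not from any post in this thread), the following PowerShell function locates the private key file behind a certificate in the LocalMachine\My store and lists the ACL on it, so you can see which account can actually read the key instead of re-importing the certificate as exportable. The function name and the thumbprint placeholder are my own; it assumes Windows PowerShell 5.1 or later running elevated.

```powershell
# Added example, not code from the thread. Shows the private key container and
# its file ACL for one machine-store certificate, selected by thumbprint.
function Get-CertPrivateKeyAccess {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key is associated with this certificate in LocalMachine\My; an IIS binding will fail."
        return
    }

    # Opening the key with the current identity is itself the access test: an
    # account without rights on the key container gets a CryptographicException here.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "Current identity cannot open the private key: $($_.Exception.Message)"
        return
    }
    if ($null -eq $rsa) { Write-Warning "Not an RSA key; this helper only handles RSA."; return }

    # CNG keys (Key Storage Provider, as in the 5061 event above) and legacy CSP
    # keys are stored in different machine key directories.
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $unique = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                  "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    } else {
        $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    }
    $keyFile = $dirs | ForEach-Object { Join-Path $_ $unique } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { Write-Warning "Key container '$unique' not found on disk."; return }

    # Whoever performs the binding, plus the identity serving HTTPS, needs Read on this file.
    [PSCustomObject]@{ KeyFile = $keyFile; Exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable }
    (Get-Acl -Path $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage with a placeholder thumbprint (replace with the wildcard cert's thumbprint):
Get-CertPrivateKeyAccess -Thumbprint 'PLACEHOLDER-THUMBPRINT'
```

If the ACL lacks an entry for the account doing the binding, granting Read on that key file (via Set-Acl or the MMC Certificates snap-in's Manage Private Keys) fixes the 0x80070520 error without making the key exportable.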
User581541288 posted
Actually we just had this problem. The solution is to import the certificate using MMC / Certificates - Local Machine. Importing a non-exportable certificate via the IIS console seems to have a bug. Deleting the certificate and reinstalling the cert via the MMC certificate plug-in fixed it. Still not exportable.
Wednesday, May 4, 2011 5:03 PM -
User-2679047 posted
JeffJ's answer above should be marked as the answer. Having exportable set to true, according to Microsoft, is a security risk.
Thursday, September 8, 2011 3:13 AM -
User413770119 posted
Another workaround: import the certificate via IIS. On the web site bindings, select the certificate to bind and click OK. After it fails with the exception, click View and then OK. The import should now work without any issues.
Thursday, October 18, 2012 5:11 PM