SCP login results in "Schannel" events in System event log

Version 4

    Verified Product Versions

    AppSense Management Center 10.0, AppSense Management Center 10.1, AppSense Environment Manager 10.0, AppSense Environment Manager 10.1

    Introduction

    When logging into the Server Configuration Portal (SCP) you may notice the following error in the System event log. First, check that the error was logged at exactly the time you logged into the SCP, as other applications can raise the same error. If the error correlates with the SCP login, follow the steps below to rectify the issue.

     

     

    A fatal error occurred when attempting to access the SSL Client credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10003.

     

    It is worth noting that this error does not stop you from logging into the SCP.

     

    Detail

    Typically this error relates to a permissions problem on the certificate key pair folder, its sub-folders or files: C:\ProgramData\Microsoft\Crypto\RSA

     

    Before making any changes, work out where the problem is. The best way to do this is with Process Monitor from Windows Sysinternals. Within Process Monitor you can create a filter (see below) for the above RSA folder and then generate a capture whilst logging into the SCP.

     

    You should then be able to identify the folders or files where the file operation results in an access denied message. Example below:

    Note: The filenames will be different in every environment as they are generated when a certificate is created/imported.

     

    In the above example, the permissions on the following two files were incorrect:

    08e576b1280a2ce0bc24af347709157f_c135db7f-1374-4b29-b55d-9bc8bd19361c

    6de9cb26d2b98c01ec4e9e8b34824aa2_c135db7f-1374-4b29-b55d-9bc8bd19361c

     

    The correct permissions for the certificate files are as follows:

     

    SYSTEM = Full Control

    NETWORK SERVICE = Read

     

    Once the permissions on your certificate files and folders are correct, you should find that the error in the event log no longer occurs.
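
The permissions stated above can also be checked across the whole RSA folder with a read-only audit. This is an added example, not AppSense or Microsoft code. The function name Test-KeyFileAcl is hypothetical, and principals are matched by well-known SID (S-1-5-18 for SYSTEM, S-1-5-20 for NETWORK SERVICE) so the check also works on non-English Windows.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
# The folder and the expected ACL are the ones given in the article.
$root = 'C:\ProgramData\Microsoft\Crypto\RSA'

$expected = @(
    @{ Name = 'SYSTEM';          Sid = 'S-1-5-18'; Rights = 'FullControl' },
    @{ Name = 'NETWORK SERVICE'; Sid = 'S-1-5-20'; Rights = 'Read' }
)

function Test-KeyFileAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return "cannot read ACL: $($_.Exception.Message)"
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $problems = foreach ($e in $expected) {
        $need = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        $have = 0
        # Rights may be split over several Allow entries, so accumulate them.
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $e.Sid -and $r.AccessControlType -eq 'Allow') {
                $have = $have -bor [int]$r.FileSystemRights
            }
        }
        if (($have -band $need) -ne $need) { "$($e.Name) lacks $($e.Rights)" }
    }
    return ($problems -join '; ')
}

# -Force includes hidden and system items, which key files often are.
Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $result = Test-KeyFileAcl -Path $_.FullName
        if ($result) { [pscustomobject]@{ Path = $_.FullName; Problem = $result } }
    } | Format-Table -AutoSize -Wrap
```

Deny entries are not evaluated by this check. Compare the flagged paths with the access denied entries in the Process Monitor capture before changing any permissions.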