The RSA key container could not be opened. Windows Server 2008 R2

Solution 1

I have had something similar.

If the account you are using does not have permission to the key container then when you try to grant permission to it (aspnet_regiis -pa "KeyContainerName" "dmz\UserName") you get the Key Container not found error. However the key does exist; hence, the error when you try to re-create it.

This would mean that the key was created by a different account.

If you can log on as that account you can then do

aspnet_regiis -pa "KeyContainerName" "dmz\YourUserName" -full

to grant your own account control of the key. I would suggest setting up a KeyAdministrators NT group and granting access to that and getting yourself in the group.

Solution 2

"I did the same thing on 12 other servers and it worked fine"

Well:

Reimage the server or start again. Something is clearly different about this one, even at this early stage.

If you're doing exactly the same thing (incidentally, why isn't it scripted?) on every server, and they've all behaved identically and were all configured identically but this one's somehow different, things will only get worse from here.

Solution 3

Check or try using the full path to aspnet_regiis.exe. As you may be aware, this can be either a 32-bit or 64-bit version. E.g.:

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pa "KeyContainerName" "domain\user"  
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pa "KeyContainerName" "domain\user"  

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis -pa "KeyContainerName" "domain\user"  
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pa "KeyContainerName" "domain\user"  

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pi "KeyContainerName" "c:\keys.xml"  
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pi "KeyContainerName" "c:\keys.xml"  

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis -pi "KeyContainerName" "c:\keys.xml"  
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pi "KeyContainerName" "c:\keys.xml"  

Solution 4

We had this same issue on a cloned server, but could not get Paul's solution to work. Instead, what we did was search our computer for the file machineKeys and delete the one from the ...\Crypto\RSA\ folder.

After doing this we were able to recreate the RSA Key Container. This then recreated the machineKeys file we deleted.

Author: Blegger


Updated on September 18, 2022

Comments

  • Blegger
    Blegger over 1 year

    I am setting up a second ASP.NET site on our Windows 2008 R2 server. We use an RSA Key Container to encrypt our connection strings. I created a new Application Pool with all the same settings as our Default Application Pool that is supporting our current site, including using the same user account for the identity. When I try to access the new site I get the following error: The RSA key container could not be opened

    If I change the new website to use our Default Application Pool it works. So I try and give the user account in the new Application Pool access to the RSA Key Container using the following command in an Administrator Command Prompt:

    aspnet_regiis -pa "KeyContainerName" "dmz\UserName"

    I get the following error: The RSA key container was not found.

    I run the following command to install the key container:

    aspnet_regiis -pi "KeyContainerName" "c:\keys.xml"

    I get the following error: Object already exists

    I try and run the following command to delete the key container:

    aspnet_regiis -pz "KeyContainerName"

    I get this error: The RSA key container was not found. Failed!

    So I am completely baffled. One command tells me it already exists, which makes sense because I know our one website is using it, but when I try to delete it, it tells me it doesn't exist. It works for one app pool but not for a new app pool using the exact same identity? I did this exact same setup on 12 other servers and they all worked fine.

  • Blegger
    Blegger over 12 years
    When I actually ran the regiis I was running from the 32 bit Framework for 2.0, which is what I did on all of the other servers and it worked for them. I tried it from the other framework paths and still no go.
  • nshb
    nshb over 12 years
    Is there any way to actually see the RSA certificates to figure out why it is there but inaccessible?
  • Ov's Pianist
    Ov's Pianist over 12 years
    Start with ProcMon or ProcExp from live.sysinternals.com but again, if you're expecting to start from a common platform, and you're not, this could be the tip of the iceberg. Or it could be the one broken thing - point is, you've got an inconsistent build, and that needs to be fixed before other assumptions can be made safely.
  • Avi Pinto
    Avi Pinto over 4 years
    If you don't have access to the old account, go to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys then open in notepad all the keys there => the one that you can't open is probably the problematic one + the name of the key is in clear text there => give Administrators group access to this key via file properties => run aspnet_regiis -pa "KeyContainerName" "Administrators" -full so future users won't have problems with this key
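
The manual check described in the last comment (open each file under MachineKeys and see which one cannot be read) can be scripted. This is an added example, not part of the original thread: it is read-only, should be run from an elevated PowerShell prompt, and assumes the default machine key store location and the placeholder container name used in the thread.

```powershell
# Added example: list machine-level RSA key container files and flag the ones
# the current account cannot read. Read-only; it changes no files or ACLs.
param([string]$ContainerName = 'KeyContainerName')   # placeholder name from the thread

# Assumption: default machine key store. On Windows Server 2008 R2 the
# "Documents and Settings\All Users\Application Data" path resolves here.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

Get-ChildItem -Path $keyDir -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        $readable = $true
        $match    = $null            # stays $null when the file cannot be read
        $owner    = '(unavailable)'
        $access   = '(unavailable)'

        try {
            # The container name is stored as clear text inside the key file.
            $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $match = $text.Contains($ContainerName)
        } catch {
            # Typically access denied: the file's ACL excludes this account.
            $readable = $false
        }

        try {
            # Reading the ACL can also fail when the account has no rights at all.
            $acl    = Get-Acl -Path $file.FullName -ErrorAction Stop
            $owner  = $acl.Owner
            $access = ($acl.Access | ForEach-Object {
                "$($_.IdentityReference):$($_.FileSystemRights)"
            }) -join '; '
        } catch { }

        New-Object PSObject -Property @{
            File = $file.Name; LastWrite = $file.LastWriteTime
            Readable = $readable; NameMatch = $match
            Owner = $owner; Access = $access
        }
    } |
    Select-Object File, LastWrite, Readable, NameMatch, Owner, Access |
    Format-List
```

A file with `Readable : False` is a candidate for the container that `aspnet_regiis` reports as both existing and not found; its `Owner` value, when available, indicates which account created it.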