Watch out for that Service! CNG Key Isolation

Just about anyone reading this blog has probably also reviewed Microsoft's Prerequisites for Windows Client Deployment in Configuration Manager, and many of you may have learned the hard way about dependencies like BITS, Task Scheduler, and maybe even Remote Differential Compression (RDC). I have a new one for you that we learned about over the weekend: the CNG Key Isolation service (KeyIso).

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.

The symptom: ConfigMgr client installed successfully (both client push, and manual client installation), but the client did not successfully register with its assigned site. Upon inspection, we noticed the following errors:

CertificateMaintenance.log

Creating Signing Certificate... CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
Failed to create certificate 80090020 CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
CCMDoCertificateMaintenance() failed (0x80090020). CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
Raising pending event:
instance of CCM_ServiceHost_CertificateOperationsFailure
{
    DateTime = "20140329065655.902000+000";
    HRESULT = "0x80090020";
    ProcessID = 6036;
    ThreadID = 5944;
};
CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event. CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

ClientIDManagerStartup.log

Client is set to use HTTPS when available. The current state is 224. ClientIDManagerStartup 3/29/2014 3:34:45 AM 5836 (0x16CC)
CCMCreateAuthHeadersEx failed (0x80004005). ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)
PopulateRegistrationHint failed (0x80004005), expected upon first start of non-upgrade client. ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)
[RegTask] - Executing registration task synchronously. ClientIDManagerStartup 3/29/2014 3:34:50 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
Read SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
Evaluated SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
No SMBIOS Changed ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
SMBIOS unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
SID unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
HWID unchanged ClientIDManagerStartup 3/29/2014 3:34:53 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:55 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:57 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:01 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:05 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:11 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:17 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:25 AM 788 (0x0314)

We also noticed that each time we cycled the "SMS Agent Host" (ccmexec) service, an error was written to the System event log: "The CNG Key Isolation service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process."

You guessed it: that was it. On a group of servers, someone had configured this service to log on as a domain account instead of as the Local System account. When a client is configured to use HTTP (instead of HTTPS, formerly known as 'native' mode), it generates a self-signed certificate during the client install (or shortly thereafter), and that process depends on the CNG Key Isolation service. Because KeyIso is hosted in the LSA process alongside other services, it must run as the Local System account, and it must not be 'disabled' ('manual' start is fine).

The solution: Don't modify that service configuration! Leave the default (Manual start, run as Local System). If you must, it appears that you can change it back to your custom configuration after the ConfigMgr client is healthy, but in the long run that will just cause you more problems when you need to re-install or repair the client.
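As an added example (not part of the original post), here is a PowerShell check you can run on a suspect server before or after a ConfigMgr client install. It reads the KeyIso service's start mode and logon account, flags anything other than the Local System default, optionally resets it with sc.exe, and then lists recent Service Control Manager start failures for the service from the System log. The event ID 7000 filter is an assumption (it is the SCM's generic "service failed to start" event); adjust it if your environment differs.

```powershell
# Added example, not code from the original post. Checks the CNG Key
# Isolation (KeyIso) service configuration that ConfigMgr self-signed
# certificate creation depends on, and optionally restores the default.
# Assumptions: service name 'KeyIso'; default is Manual start as LocalSystem;
# SCM logs failed service starts as event ID 7000 in the System log.
param(
    [switch]$Fix   # pass -Fix to reset the service to Manual / LocalSystem
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='KeyIso'"
if (-not $svc) {
    Write-Error "CNG Key Isolation service (KeyIso) not found on this host."
    exit 1
}

$problems = @()
# KeyIso shares the LSA process; a logon account other than LocalSystem
# produces the 'account specified for this service is different' failure.
if ($svc.StartName -ne 'LocalSystem') {
    $problems += "Logon account is '$($svc.StartName)' (expected LocalSystem)"
}
if ($svc.StartMode -eq 'Disabled') {
    $problems += "Start mode is Disabled (Manual or Auto is fine)"
}

if ($problems.Count -eq 0) {
    Write-Output ("KeyIso OK: StartMode={0} StartName={1} State={2}" -f
        $svc.StartMode, $svc.StartName, $svc.State)
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    if ($Fix) {
        # sc.exe requires the space after '='; 'demand' means Manual start.
        sc.exe config KeyIso obj= LocalSystem start= demand | Out-Null
        Write-Output "KeyIso reset to Manual / LocalSystem. Restart the SMS Agent Host (ccmexec) service and re-check CertificateMaintenance.log."
    }
}

# Recent SCM start failures mentioning KeyIso, the same error the post saw
# on every ccmexec restart. Empty output here is the healthy case.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*CNG Key Isolation*' } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

Run it without -Fix first to see the current state; on a server that has been "customised", the warning line plus a string of event 7000 entries timed with ccmexec restarts is the signature described above. Because the certificate is only created once at install or repair time, a server can look fine for months after someone changes the account and only fail the next time the client is reinstalled, which is why a periodic configuration check is worth more than a one-off fix.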

Greg