Article Number
000068084
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router
O/S Version:
Issue
End users are unable to log in to their Application Portal or perform SSO login to applications with IWA. Logging in with a username and password succeeds, so the problem is not with the portal itself.
With IWA, users see the error "Keyset does not exist" and the browser hangs on that page.
In the Event Viewer, you will notice the error below:
Cause
This problem occurs because the LOCAL SERVICE and IIS_IUSRS accounts don't have Full Control access on the MachineKeys folder, located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and specifically on the iisWasKey file listed below:

| File name | Key name |
|---|---|
| 6de9cb26d2b98c01ec4e9e8b34824aa2_GUID | iisConfigurationKey |
| d6d986f09a1ee04e24c949879fdb506c_GUID | NetFrameworkConfigurationKey |
| 76944fb33636aeddb9590521c2e8815a_GUID | iisWasKey |
Resolution
To resolve this problem, follow these steps:
- Locate the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
- Right-click the MachineKeys folder, and then select Properties.
- Select the Security tab, and then select Edit. If you're asked whether you want to continue the operation, select Continue. Then, the list of group names and user names that have access to this key file appears in the Permissions dialog box.
- Select Add. Then, the Select Users, Computers, Service Accounts, or Groups dialog box appears.
- Type LOCAL SERVICE, and then select Check Names.
- Select OK.
- Type IIS_IUSRS, and then select Check Names.
- Select OK.
- Make sure you give both of them Full Control.
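
To confirm the result of the steps above (or to check a server before changing it), the following read-only audit reports whether each account has Full Control on the MachineKeys folder and on the three key files. It is an added example, not part of the RSA article; the `Test-FullControl` helper is hypothetical, and the account names are written as they normally appear in an ACL on an English-language system (`NT AUTHORITY\LOCAL SERVICE`, `BUILTIN\IIS_IUSRS`), which is an assumption.

```powershell
# Added example: read-only ACL audit for the MachineKeys folder and IIS key files.
# Run from an elevated PowerShell prompt on the affected Windows server.
$folder   = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
# Assumption: account names as shown in ACLs on an English-language system.
$accounts = 'NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\IIS_IUSRS'
# File-name prefixes from the article; the part after "_" is machine-specific.
$keyFiles = [ordered]@{
    '6de9cb26d2b98c01ec4e9e8b34824aa2_*' = 'iisConfigurationKey'
    'd6d986f09a1ee04e24c949879fdb506c_*' = 'NetFrameworkConfigurationKey'
    '76944fb33636aeddb9590521c2e8815a_*' = 'iisWasKey'
}
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl {
    param([string]$Path, [string]$Account)
    # True when an Allow entry naming the account itself carries every
    # Full Control right. Access gained only through membership of another
    # group is not evaluated here.
    $hit = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and   # entry applies to this object
        ($_.FileSystemRights -band $full) -eq $full
    }
    [bool]$hit
}

# Targets: the folder itself plus whichever of the three key files exist.
$targets = @([pscustomobject]@{ Name = 'MachineKeys folder'; Path = $folder })
foreach ($pattern in $keyFiles.Keys) {
    $file = Get-ChildItem -Path $folder -Filter $pattern -Force -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($file) {
        $targets += [pscustomobject]@{ Name = $keyFiles[$pattern]; Path = $file.FullName }
    } else {
        Write-Warning "No key file matching $pattern ($($keyFiles[$pattern]))"
    }
}

# One row per target and account; FullControl = False marks a missing grant.
foreach ($t in $targets) {
    foreach ($a in $accounts) {
        [pscustomobject]@{
            Target      = $t.Name
            Account     = $a
            FullControl = Test-FullControl -Path $t.Path -Account $a
        }
    }
}
```

A `False` in the iisWasKey rows matches the cause described in this article; rerun the script after the permission change to confirm every row reads `True`.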