This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

IWA Keyset does not exist

Article Number

000068084

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router
O/S Version:

Issue

End users are unable to log in to their Application Portal or perform SSO login to applications with IWA. When the users try to log in using their usernames and passwords they succeed, thus it is not an issue with the portal itself.

They are seeing error Keyset does not exist and hangs on that page
Image descriptionImage description
In the Event viewer, you will notice the error below:

Image descriptionImage description

 

Cause

This problem occurs because the LOCAL SERVICE & the IIS_USRS accounts don't have Full Control access on the Machinekeys Folder and specifically on the iisWasKey below:
 

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID

iisConfigurationKey

d6d986f09a1ee04e24c949879fdb506c_GUID

NetFrameworkConfigurationKey

76944fb33636aeddb9590521c2e8815a_GUID

iisWasKey


that is located in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Resolution

To resolve this problem, follow these steps:

  1. Locate the Folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
  2. Right-click the Machine Keys folder, and then select Properties.
  3. Select the Security tab, and then select Edit. If you're asked whether you want to continue the operation, select Continue. Then, the list of group names and user names that have access to this key file appears in the Permissions dialog box.
  4. Select Add. Then, the Select Users, Computers, Service Accounts, or Groups dialog box appears.
  5. Type LOCAL SERVICE, and then select Check Names.
  6. Select OK.
  7. Type IIS_USRS, and then select Check Names
  8. Select OK
  9. Make sure you give both of them FULL CONTROL 

 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-02-02 09:51 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.