What could cause IIS7 to reject binding to certificates that don't allow private key export?

3

A while ago I tried installing a certificate into IIS7 on a new Windows 2008 server at work. The import went well but when I tried to bind a site to use the new certificate I got a dialog box with the following message:

There was an error while performing this operation.

A specified logon session does not exist. 
It may already have been terminated.
(Exception from HRESULT: 0x80070520)

I managed to find a workaround (and blogged about it). Explicitly checking the "Allow this certificate to be exported" checkbox made the problem go away. I'm a bit anxious though since I think I'd rather not have the private key be exportable.

Besides my blog entry there are a couple of references to this problem but none specify a clear solution as to why this problem occurs.

Does anyone know why this is?

windows-server-2008
iis
iis-7
asked on Server Fault Apr 30, 2009 by Markus Olsson

1 Answer

1

Which keystore did you install the certificate into? If you right-clicked on the PFX file and selected 'install' then the answer is your user account's personal store.

Certificates for IIS should be installed in the local computer keystore. The best way to do this is by using the Certificates MMC snap-in.

MMC > Add/Remove Snap-In > Certificates > Computer account

I've never received the error you posted, but there's a good chance IIS 7 is smart enough to export the certificate from your User account to the Computer account where it belongs.

Does EventViewer provide any additional information about which logon it's trying to access?

answered on Server Fault May 5, 2009 by Mike Haboustak • edited May 5, 2009 by Mike Haboustak
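A PowerShell check for the store question raised in the answer, added here as an example and not part of the question or the answer: it looks up a certificate by thumbprint in both the user and the machine Personal stores and reports whether a private key is attached and whether that key is marked exportable. `$Thumbprint` is a placeholder to be replaced with the thumbprint shown in the MMC; the script assumes it is run from an elevated prompt so that the machine store's private keys can be inspected.

```powershell
# Added example (not from the original post). IIS binds certificates from
# Cert:\LocalMachine\My; a certificate that only exists in Cert:\CurrentUser\My
# is the situation the answer describes. This script shows where a given
# thumbprint lives and what the private key looks like in each location.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder: paste the thumbprint from the MMC details tab
)

# Thumbprints copied from the MMC contain spaces; the Cert: provider does not.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

$stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
$found  = $false

foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    foreach ($cert in $certs) {
        $found = $true
        Write-Host ("{0}" -f $store)
        Write-Host ("  Subject       : {0}" -f $cert.Subject)
        Write-Host ("  HasPrivateKey : {0}" -f $cert.HasPrivateKey)
        if ($cert.HasPrivateKey) {
            try {
                # Reading PrivateKey requires access to the key container; in the
                # machine store that normally means an elevated (admin) session.
                $info = $cert.PrivateKey.CspKeyContainerInfo
                Write-Host ("  Exportable    : {0}" -f $info.Exportable)
                Write-Host ("  Key container : {0}" -f $info.UniqueKeyContainerName)
            } catch {
                Write-Host ("  Private key present but not readable from this session: {0}" -f $_.Exception.Message)
            }
        }
    }
}

if (-not $found) {
    Write-Host ("Thumbprint {0} was not found in CurrentUser\My or LocalMachine\My." -f $Thumbprint)
}
```

If the thumbprint is reported only under Cert:\CurrentUser\My, the certificate was imported into the user's store rather than the computer's, which matches the cause the answer suggests.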

User contributions licensed under CC BY-SA 3.0