Getting "A specified logon session does not exist. It may already have been terminated." while binding SSL certificates from a second server

    Question

  • Hi All,

    I've recently purchased a new wildcard SSL certificate to be installed on a pair of load-balanced web servers. Although the certificate is working fine on the first server, I am constantly getting the error:

    A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

    Reading around, this would suggest that the key was not marked as exportable during the import. So I set about re-importing the certificate, but to no avail. I tried removing the certificate and re-importing it, but again had the same problem (as I understand it now, deleting a certificate does not remove the private key). I managed to export the certificate with private key and delete the private key from the second server (which would indicate that the key was indeed exportable), then re-imported that... again the same problem.

    In a last-ditch attempt, I removed the entries in the registry under HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Keys, rebooted the server and re-imported the certificate, and again, no change. What was interesting is that running "certutil.exe export.pfx" still showed "Private key is NOT exportable" despite the private key (in theory) no longer being around. I'm not sure if that is related to the IIS error, as this occurred before I re-imported the key.

    I have attempted to import the key via IIS Manager, the Certificates MMC snap-in (Local Machine) and via the command line (certutil -importpfx), and none of the options work.

    I'm not sure if there is a hidden flag somewhere that is marking the private-key as non-exportable and thus causing IIS a headache and that setting is obscured. I would like to know if there's a way of completely removing references to a certificate and private key combination, including removing any references that mark a certificate as not-exportable (not to change it, just remove the reference) to see if that resolves the problem.

    Alternatively, if someone knows how to resolve the main problem, that'd be preferred. Just to reiterate, this applies to importing the certificate on the second server WITH the "enable exports" option selected.

    Thanks


    Dan
    Friday, September 25, 2009 10:15 AM

Answers

  • The keys are stored in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. You can check permissions there, but be very careful about what you do; it is quite easy to mess things up there.

    Check the Key containers / Unique container name IDs from certutil -v -dump; they should give the name of the private key associated with the certificate.

    I would suggest doing the following:

    1) Remove the "non-working" certificate from MMC | Certificates | Local computer | Personal
    2) Import using MMC
    3) Try to assign the binding

    If this fails, check

    certutil -v -store my cert_hash_of_non_working_cert  (e.g. certutil -v -store my aac000ba4d663753ecbc80c082fd1feb2e2b4a11)

    and look at the Key containers / Unique container name IDs. If you can find a file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys whose name matches the key container ID, check its ACLs.

    Martin

    • Marked as answer by Dan_Serenity Friday, September 25, 2009 2:30 PM
    Friday, September 25, 2009 1:35 PM
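    The checks in Martin's answer, written out as a PowerShell script. This is an added example, not code from the thread: the thumbprint is a parameter you supply, and the key directories are the standard machine-key locations (RSA\MachineKeys for legacy CSP keys, Crypto\Keys for CNG keys). Run it elevated on the server where the binding fails.

```powershell
# Added example (not from the thread): find the private-key file behind a
# Local Machine\Personal certificate and inspect its ACL, following the
# certutil -v -store check Martin describes. Run elevated.
[CmdletBinding()]
param(
    # Thumbprint of the certificate that fails to bind (placeholder: supply your own).
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
"Subject        : $($cert.Subject)"
"HasPrivateKey  : $($cert.HasPrivateKey)"

# certutil prints the key's provider and its 'Unique container name'; the latter is
# the file name of the key container on disk (the "Key containers / Unique
# container name IDs" from the answer).
$dump = (& certutil.exe -v -store my $Thumbprint 2>&1) -join "`n"
$prov = [regex]::Match($dump, 'Provider\s*=\s*(?<p>[^\r\n]+)')
if ($prov.Success) { "Provider       : $($prov.Groups['p'].Value.Trim())" }

$match = [regex]::Match($dump, 'Unique container name:\s*(?<name>\S+)')
if (-not $match.Success) {
    Write-Warning 'No key container is linked to this store entry. Delete the certificate and re-import the PFX via MMC (Certificates, Local Computer, Personal).'
    return
}
$containerFile = $match.Groups['name'].Value
"Container file : $containerFile"

# Legacy CSP (RSA) machine keys live under RSA\MachineKeys; CNG machine keys under Crypto\Keys.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$keyFile = $keyDirs |
    ForEach-Object { Join-Path $_ $containerFile } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1

if (-not $keyFile) {
    Write-Warning "The store entry points at container '$containerFile' but no such file exists under $($keyDirs -join ' or '). The key material is gone, not just mis-ACLed: re-import the PFX or re-issue from a fresh CSR."
    return
}
"Key file       : $keyFile"

# Show the ACL. The default machine-key ACL grants SYSTEM and Administrators
# full control; if the key cannot be read, the https binding fails with
# error 1312 (HRESULT 0x80070520), the error this thread is about.
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$readBits = [int][System.Security.AccessControl.FileSystemRights]::Read
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $allowed = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readBits) -eq $readBits)
    }
    if (-not $allowed) { Write-Warning "$principal has no Allow entry with Read rights on $keyFile." }
}
```

    The script only reports; it does not change ACLs, because the answer's warning applies: a wrong edit under MachineKeys can break every certificate on the box. If the container file is missing, fixing permissions cannot help and the key has to be re-imported (or, as Dan eventually did, re-issued against a fresh CSR).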
  • Thanks for the suggestion. I haven't tried that, as I have been on the phone with the CA to get a re-issue against a new CSR, which has worked. I highly suspect that the MachineKeys could very well have been the issue.

    Thanks for your suggestions.
    Dan
    • Marked as answer by Dan_Serenity Friday, September 25, 2009 2:30 PM
    Friday, September 25, 2009 2:30 PM

All replies

  • Hi,

    1) When you export the certificate (from a machine where it is installed), do you also export the private key? Also, what method do you use for exporting the certificate?
    2) If you open "MMC | Certificates | Local computer", do you see the certificate? If you double-click the certificate, can you see the text "You have a private key that corresponds to this certificate"? What do you see on the first / second server?
    3) (On the server where the cert isn't working) Have you set the correct bindings using IIS Manager (are you sure that you have assigned the correct IIS certificate)?


    Martin
    Friday, September 25, 2009 11:49 AM
  • Hi Martin,

    1) It definitely has the private key, and also the certificate path (so the Root CA/Intermediate is also included). I've just done a test on a third spare server, and that imported the certificate and key from the same .pfx file we used and was able to be bound in IIS successfully. Which only adds to the confusion.

    2) We have the certificate on both, and it is showing "You have a private key that corresponds to this certificate" on both servers.

    3) That's the problem, we can't set the bindings on the second server. When I select the site in IIS Manager and select "Edit Site -> Bindings..." from the right, I can add a https binding on either "All Unassigned" IPs (as per the first server) or the server specific IP, on port 443 (no other sites are bound to port 443 or using https) and selecting the wildcard SSL Certificate (e.g. *.domain.com). Click OK at this point and the error above comes up.

    We're trying to get a new CSR signed from the second server and reverse the process (i.e. CSR on second server, complete on second server, export from second server and import to first server).
    Dan
    Friday, September 25, 2009 12:00 PM
  • Hi

    I've managed to reproduce the error; here is what I did:

    1) Export the certificate / delete the private key
    2) Import the certificate using IIS Manager without selecting the checkbox "Allow this certificate to be exported"

    Afterwards I'm unable to:
    1) Assign the binding
    2) Manage the private key through "MMC | Certificates | Local computer", selecting the certificate and then "All tasks | Manage private keys ..."
    3) Run, as an elevated user (administrator), the command: certutil -repairstore my cert_hash

    However, when I import the certificate using "MMC | Certificates | Local computer | Personal", selecting "All tasks | Import ...", I'm able to assign and use the certificate (also if it is imported without the exportable option).



    Martin
    Friday, September 25, 2009 12:57 PM
  • When I use the MMC import described, I still get the problem. I suspect something is being cached somewhere and the certificate/key isn't being completely removed, hence when I attempt to re-import it, there's the lingering problem.

    Dan
    Friday, September 25, 2009 1:01 PM
  • Dan,
    Remember that you do *not* need the same SSL certificate on both endpoints. In fact, it really does nothing for you (other than that it is cheaper <G>).
    If you were to drop the connection to the first node and the client had to connect to the second node, a separate SSL connection is established (new three-way handshake, new pre-master key, new SSL encryption key).

    Brian
    Sunday, September 27, 2009 12:30 PM
  • Your three steps did resolve the issue for me. Thank you.

    But this would mean there is still a bug in IIS, causing the "Server Certificates" dialog not to do its importing properly when the checkbox is cleared. I'm using IIS 7.5 on Windows Server 2008 R2.

    Magnus

    Wednesday, May 12, 2010 7:29 AM
  • I had the same problem. Two nodes in NLBS. I created CSR for a wildcard certificate on the first node and finished certificate creation on this server. Then I exported it to PFX and imported on the second node with the checkbox "Exportable private key" unchecked.

    I was not able to set proper SSL bindings on the second node - the same error message.

    So I deleted this certificate in MMC, Certificates (Local Computer), Personal, Certificates and imported the PFX again in IIS Manager, this time with "exportable private key" checked. After that I was able to finish the SSL bindings on the second node.

    I agree there is a bug in IIS 7.0/7.5. Common security practice is to import a PFX (created somewhere else) WITHOUT the possibility to export the certificate with its private key on the web server. There was no problem with this practice on W2003 NLBS web nodes with IIS6.

    Radek

    Friday, June 25, 2010 1:16 PM
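    Martin's reproduction steps above and the non-exportable import practice Radek describes, combined into one command-line procedure. This is an added example, not a script posted in the thread: the PFX path, password, site name and IP address are placeholders, and it assumes IIS 7.x with the WebAdministration module (the IIS:\ drive). It imports with certutil rather than the IIS Manager dialog, which is the path several posters found unreliable, and then creates the same two things "Edit Bindings" creates: the site binding and the HTTP.sys certificate mapping.

```powershell
# Added example (not from the thread): re-import a PFX into the Local Machine
# Personal store from the command line and create the IIS https binding,
# bypassing the IIS Manager import dialog. Run elevated on IIS 7.x with the
# WebAdministration module. All paths, names and the password are placeholders.
[CmdletBinding()]
param(
    [string]$PfxPath     = 'C:\certs\wildcard.pfx',   # placeholder
    [string]$PfxPassword = 'changeme',                # placeholder; see note on secrets below
    [string]$SiteName    = 'Default Web Site',        # placeholder
    [string]$IPAddress   = '0.0.0.0',                 # 0.0.0.0 = "All Unassigned"
    [int]$Port           = 443,
    [switch]$Exportable                               # omit to import with NoExport
)

Import-Module WebAdministration -ErrorAction Stop

# 1) Read the thumbprint out of the PFX without persisting a key, so any stale
#    store entry with the same thumbprint can be removed before the real import.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($PfxPath, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumb = $pfx.Thumbprint
"PFX subject    : $($pfx.Subject)"
"PFX thumbprint : $thumb"

if (Test-Path "Cert:\LocalMachine\My\$thumb") {
    "Removing existing store entry $thumb"
    & certutil.exe -delstore my $thumb | Out-Null
}

# 2) Import with certutil. NoExport keeps the key non-exportable (the practice
#    Radek describes); in Martin's tests the non-IIS import path binds either way.
$modifiers = @()
if (-not $Exportable) { $modifiers += 'NoExport' }
& certutil.exe -p $PfxPassword -importpfx $PfxPath @modifiers | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed (exit code $LASTEXITCODE)" }

$cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; the PFX did not contain one.'
}

# 3) Site binding in applicationHost.config, then the HTTP.sys certificate
#    mapping through the IIS:\SslBindings provider (what "Edit Bindings" does).
$bindIP = if ($IPAddress -eq '0.0.0.0') { '*' } else { $IPAddress }
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq "${bindIP}:${Port}:" }
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -IPAddress $bindIP -Port $Port | Out-Null
}

$sslPath = "IIS:\SslBindings\$IPAddress!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
try {
    $cert | New-Item $sslPath -ErrorAction Stop | Out-Null
} catch {
    # 0x80070520 is Win32 error 1312 (ERROR_NO_SUCH_LOGON_SESSION): the thread's
    # error, raised when the certificate's private key cannot be opened. At this
    # point check the key container file, not the store entry.
    throw "SSL binding failed for ${IPAddress}:${Port}: $($_.Exception.Message)"
}

# 4) Confirm HTTP.sys has the mapping.
& netsh.exe http show sslcert ipport="${IPAddress}:${Port}"
```

    Two caveats. The PFX password passed on the command line is visible to other local administrators through the process list while certutil runs; for anything beyond a lab, prompt for it interactively and delete the PFX (or tighten its ACL) once the import is verified. And if step 3 still fails with 1312 after a clean import, the store entry is not the problem: go to the key container under MachineKeys and its ACL, as Martin's accepted answer describes.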
  • On Windows 7, this worked:

    makecert -sk MyCert -ss MY -sr LocalMachine -n CN=mycompany.com -sky exchange -r

    Succeeded

    The above certificate shows up in MMC (need to add the snap-in for Certificates) under Certificates..Personal..Certificates

    (I could then bind this to a WCF listener using netsh http add sslcert ipport=0.0.0.0:54404 certhash=2ff17e7eea5860f428f05e25a8e3b39b32c7b5df appid={my-appid-guid})

    and this makecert did not work:

    makecert -sk MyCert -ss MyNamedCertStore -sr LocalMachine -n CN=mycompany.com -sky exchange -r

    SSL Certificate add failed, Error: 1312

    A specified logon session does not exist. It may already have been terminated.

    Thursday, October 27, 2011 10:44 PM
  • Martin & Dan, you saved me much time with your posts. That fixed my "A specified logon session does not exist" cert bind errors in IIS 7 (win server 2008 r2) as well. I also had imported a wild card cert and unchecked the default "Allow this certificate to be exported". I was able to delete and reimport just through IIS and didn't have to resort to registry or certutil.

    Thanks!

    Judith

    Monday, November 28, 2011 7:57 PM
  • Excellent info! FWIW, I had the same problem after cloning/sysprep'ing web servers. I simply *deleted the existing certificate via the MMC certificate manager. Next, I imported the certificate back into the server via the MMC certificate manager (Local Computer/Personal store). In IIS bindings I then added the certificate back to the web server and voila! Everything worked fine. Thank you!

    *this assumes that you have the existing certificate stored somewhere!  :)

    Tuesday, February 21, 2012 1:04 PM
  • Hi Dan,

    I had a similar issue. We bought a new extended certificate (the same domain, for the next two years) and I was not able to use it in the https binding dialog, with the same error you described.

    I found that the problem was the old certificate. I deleted it from "IIS - Server Certificates" but I was still able to see it in "Current User - Personal" certificates. After I deleted the old one from the Personal certificates I was able to use the new one in the https binding.

    Pavel

    Friday, July 13, 2012 7:28 AM
  • Thanks! This was my issue: I didn't check "Allow this certificate to be exported". I deleted the cert, re-imported it with that option, and it now works!
    Thursday, April 11, 2013 7:45 PM