When we spend two weeks resolving an issue that affects multiple servers, it is worth documenting the solution: not just a two-line note, but a clearly laid-out, detailed process. This saves our successors time and headaches down the road. Here we discuss Event 36870 Schannel 10001 – A fatal error occurred and how to resolve it. So without further ado, let’s begin…
The Problem
“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”
This error message has been filling up the logs for months, recurring roughly every 25 minutes on one server and every 5 minutes on another.
The Cause
In our case, the cause of event 36870 (“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”) is a file permission issue: the NETWORK SERVICE account is missing permissions on a file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
The Solution
To resolve Event 36870 Schannel 10001 – A fatal error occurred we need to grant the NETWORK SERVICE account proper permissions on the file in question. In order to find which file has the wrong permissions we use a tool named Process Monitor.
1. Download procmon, copy it to the server in question, unzip and launch it.
2. Let procmon monitor until the next error occurs in the System event log. Then pause the capture and save the log to a CSV file. Find the offending MachineKeys file (the one on which procmon records an ACCESS DENIED result for the process running as NETWORK SERVICE).
3. Grant NETWORK SERVICE permissions on the file from an elevated (Administrator) PowerShell console.
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename" /grant *S-1-5-20:RX
Note: you may need to take ownership of the file if you are unable to change its permissions.
takeown /F "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename"
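As an added example (not part of the original post), the following PowerShell script audits every file in the MachineKeys folder for an explicit NETWORK SERVICE read ACE and, with the assumed -Fix switch, applies the same RX grant as the icacls line above. It assumes it is run from an elevated console and only looks at explicit ACEs for S-1-5-20, not access inherited through group membership.

```powershell
# Added example, not from the original post: audit MachineKeys for files that
# lack an explicit Allow ACE for NETWORK SERVICE (S-1-5-20) covering ReadAndExecute.
# -Fix is an assumed switch name for this script; it applies the post's RX grant.
param([switch]$Fix)

$keyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$netSvc  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
# Translate the SID so the comparison also works on localized Windows builds.
$netName = $netSvc.Translate([System.Security.Principal.NTAccount]).Value
$needed  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

Get-ChildItem -LiteralPath $keyDir -File -Force | ForEach-Object {
    $acl = $null
    try { $acl = Get-Acl -LiteralPath $_.FullName } catch { }
    if (-not $acl) {
        # Cannot even read the ACL: this is the case the post's takeown step covers.
        Write-Warning "Cannot read ACL of $($_.Name); take ownership first."
        return
    }

    # An explicit Allow ACE for NETWORK SERVICE whose rights include ReadAndExecute.
    $ok = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $netName -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }

    if ($ok) { Write-Output "OK      $($_.Name)"; return }
    Write-Output "MISSING NETWORK SERVICE read access: $($_.Name)"

    if ($Fix) {
        # Same grant as: icacls <file> /grant *S-1-5-20:RX
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $netSvc, $needed, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $_.FullName -AclObject $acl
        Write-Output "  granted RX to NETWORK SERVICE on $($_.Name)"
    }
}
```

Run it without -Fix first to see which container files are flagged; compare that list with the file procmon identified before granting anything.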
If this actually helped resolve your issue, please leave a comment below…
12 thoughts on “Event 36870 Schannel 10001 – A fatal error occurred”
perfecto
Thank you. You’re awesome.
Thank you, saved me more than once!
Thanks, added the rights through Explorer after finding the correct file, that did the trick.
Thank you. You’re awesome. Perfect
Dude, went through so many different forums trying to figure out what went wrong, and this fixed it right up!
Excellent post! In our case it was the user account missing the access right.
Thanks for the information, it helped.
This was perfect. Fixed our issue. Would still like to know the root cause, however. Does anybody have any insight as to what may cause this seemingly random issue?
This happened to us today. Brand-new RDS 2-host farm – just built it 2 weeks ago. One host started throwing this error as of this morning while the other still works fine. I added the file permission for NETWORK SERVICE and it’s back to normal again.
We were unable to connect to servers through the RD Gateway. The direct access worked but the connection appeared to break at the broker. This error was on the broker, seemingly unrelated.
Fixed this issue and the connections worked again. (Thank you)
This helped me as well. Afterwards I discovered that the default Identity for new app pools was a service user on the wrong domain – thanks for getting me on the right track.