When we spend two weeks resolving an issue that affects multiple servers, it is worth documenting the solution: not just a two-line note, but a clearly laid out, detailed process. This saves our successors time and headaches down the road. Here we discuss Event 36870 Schannel 10001 – A fatal error occurred and how to resolve it. So without further ado, let’s begin…
“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”
This error message has been filling up the logs for months, recurring at roughly 25-minute intervals on one server and every 5 minutes on another.
The cause of event 36870 (“A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from cryptographic module is 0x8009030D. The internal error state is 10001.”) in our case was a file permission issue: the NETWORK SERVICE account is missing permissions on a file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
To resolve Event 36870 Schannel 10001 – A fatal error occurred we need to grant the NETWORK SERVICE account the proper permissions on the file in question. To find which file has the wrong permissions we use Process Monitor (procmon) from Sysinternals.
1. Download procmon at https://docs.microsoft.com/en-us/sysinternals/downloads/procmon. Copy it to the server in question, unzip and launch it.
2. Let procmon actively monitor until the next error occurs in the System event log. Then pause the monitoring and save the log to a CSV file. Find the offending MachineKeys file: look for an ACCESS DENIED result on a path under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
3. Grant NETWORK SERVICE permissions on the file using PowerShell Administrator console.
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename" /grant *S-1-5-20:RX
Note: you may need to take ownership of the file if you are unable to change its permissions.
takeown /F "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\filename"
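Steps 1 to 3 above are carried out by hand. As an added example that is not part of the original post, the following PowerShell script automates the checks around them: it counts recent occurrences of the event, lists every MachineKeys file with no Read entry for NETWORK SERVICE (going beyond the single file procmon identifies), and applies the icacls grant only to the file name passed in $KeyFile. It assumes an elevated console; $KeyFile and the function name Test-ReadAllowed are placeholders of mine.

```powershell
# Added example (not from the original post): audit MachineKeys for private key
# files lacking an Allow ACE granting Read to NETWORK SERVICE (SID S-1-5-20),
# count recent event 36870 hits, and grant RX only on the file procmon identified.
# Assumes an elevated PowerShell console. $KeyFile is a placeholder for that file name.
param(
    [string]$KeyFile = ''   # e.g. the file name from the procmon CSV (placeholder)
)

$MachineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$Sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$Account = $Sid.Translate([System.Security.Principal.NTAccount]).Value   # NT AUTHORITY\NETWORK SERVICE

# Symptom check: event 36870 with error 0x8009030D / internal state 10001 in the last 24 hours.
$Since = (Get-Date).AddHours(-24)
$Hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36870; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x8009030D' -and $_.Message -match 'internal error state is 10001' })
Write-Host ("Event 36870 (0x8009030D / 10001) since {0}: {1} occurrence(s)" -f $Since, $Hits.Count)

# True when the ACL holds an Allow ACE for $Identity whose rights include the full Read set.
# It does not expand group membership or Deny ACEs, so treat the result as a shortlist, not a verdict.
function Test-ReadAllowed {
    param([System.Security.AccessControl.FileSecurity]$Acl, [string]$Identity)
    $Read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $Read) -eq $Read)) { return $true }
    }
    return $false
}

# Audit every key container in the folder.
$Candidates = @(foreach ($f in Get-ChildItem -LiteralPath $MachineKeys -File -Force -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of $($f.Name); take ownership first (see takeown above)"; continue }
    if (-not (Test-ReadAllowed -Acl $acl -Identity $Account)) { $f.FullName }
})
Write-Host "Key files without a Read ACE for ${Account}: $($Candidates.Count)"
$Candidates | ForEach-Object { Write-Host "  $_" }

# Remediate only the file procmon pointed at; granting Read on every private key is broader than needed.
if ($KeyFile) {
    $Target = Join-Path $MachineKeys $KeyFile
    if (-not (Test-Path -LiteralPath $Target)) { throw "Not found: $Target" }
    & icacls $Target /grant '*S-1-5-20:RX'
    (Get-Acl -LiteralPath $Target).Access | Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run it once without -KeyFile to see the event count and the shortlist, then rerun with -KeyFile set to the name procmon reported to apply and verify the grant.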