In this article I cover the scenarios and resolutions for a very common error that you may receive after the application pool service account is changed, or a certificate is renewed and imported, in a CRM/ADFS server environment.
I also cover the private key folder (MachineKeys) concept, other certificate-related issues and troubleshooting, and the WSE X.509 Certificate tool.
While accessing the CRM/ADFS federated URL, you get "Keyset does not exist".
When you access the federated URL, the CRM application pool or the ADFS application pool tries to access the private key of the certificate, which is stored locally on the web server in the MachineKeys folder of the CRM/ADFS server (%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys).
If the private key file is missing, or the application pool identity does not have permission to read it in the MachineKeys folder, the application throws "Keyset does not exist".
The private key is stored in that folder as a file named after the key container: a hash of the container name, an underscore, and the machine GUID (screenshot below).
Since the service account needs to read that key, make sure it has been granted appropriate rights to the key file in the MachineKeys folder, and that the right private key file actually exists there. Read access on the specific key file is all the application pool needs; it does not need Full Control on the whole folder, which would expose every other machine key as well.
In the screenshot below I have given full permission on my wildcard certificate *.habib.local to my CRM App Pool account, "habib\CRMAppPoolSvc".
Once the permission is given, perform an IISRESET and try accessing the CRM federated URL again.
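The same fix done from an elevated Windows PowerShell prompt instead of the certificate MMC, as an added example that is not part of the original article. It resolves the certificate to its key container file under MachineKeys, shows the current ACL, and grants the service account Read on that one file only. The thumbprint and account name are placeholders you supply; the script assumes the key is a CSP (CAPI) key, which is the kind stored in MachineKeys, and stops with a message if it finds a CNG or user-profile key instead.

```powershell
# Added example (not from the original article): grant the app pool account
# Read on the private key file of one LocalMachine certificate. Run elevated.
# Assumptions: $Thumbprint and $ServiceAccount are placeholders; the key is a
# CSP key, so its container file lives under MachineKeys.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,       # e.g. the SHA-1 thumbprint of *.habib.local
    [Parameter(Mandatory = $true)][string]$ServiceAccount,   # e.g. 'habib\CRMAppPoolSvc'
    [switch]$RestartIis
)

$machineKeys = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import the PFX including the key."
}

# For CSP keys .NET exposes the container; for CNG keys PrivateKey is null or
# throws, and the key file lives under ...\Microsoft\Crypto\Keys instead.
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if ($null -eq $csp) {
    throw "Private key of $Thumbprint is not a CSP key; its file is not in MachineKeys."
}
$info = $csp.CspKeyContainerInfo
if (-not $info.MachineKeyStore) {
    throw "Key container '$($info.KeyContainerName)' is a user-profile key, not a machine key."
}

$keyFile = Join-Path $machineKeys $info.UniqueKeyContainerName
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file $keyFile is missing: the store references a key that was never written."
}

Write-Host "Key file: $keyFile"
Write-Host 'Current ACL:'
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Read on this one file is all the app pool needs to use the key.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $ServiceAccount, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Host "Granted Read on $($info.UniqueKeyContainerName) to $ServiceAccount"

# The worker process only re-opens the key after a recycle.
if ($RestartIis) { & iisreset }
```

Run it as `.\Grant-KeyRead.ps1 -Thumbprint <thumbprint> -ServiceAccount 'habib\CRMAppPoolSvc' -RestartIis` (the file name is your choice). If Set-Acl fails with an identity mapping error, the account name is wrong or the domain is unreachable, which is worth ruling out before looking further at the key itself.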
When you import a certificate together with its private key, the import writes the private key container file to %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys. If the account you are logged in with does not have sufficient permission on the MachineKeys folder, that file cannot be written, so you will not see a new key file appear there even though the certificate shows up in the store. To isolate this, perform the steps below:
Navigate to %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, check the security permissions, and make sure the logged-in account has full control on the MachineKeys folder (write access is what the import actually needs). Then import the certificate again and confirm that a new key file appears in the folder.
Other causes and troubleshooting:
If you have already tried all the troubleshooting steps mentioned in this article, there is a chance that either:
If the MachineKeys folder contains multiple key files and you want to verify quickly whether the new key file was imported or is accessible, you can use Microsoft's WSE X.509 Certificate tool.
How to use Certificate Tool: http://msdn.microsoft.com/en-us/library/aa529278.aspx
If there is a permission issue, the tool reports "Private key does not exist or is not accessible".
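The WSE tool is a GUI; the following added example, not part of the original article, does the same check from Windows PowerShell 5.1 and serves both the import check above (did a key file get written to MachineKeys?) and the "which of these many key files is mine, and can it be opened?" question. For every certificate in the machine Personal store it opens the private key the same way the application pool does (this is the call that fails with "Keyset does not exist"), reports the key file it maps to, whether that file exists, when it was written, and, if you pass a service account name, whether that account has an Allow entry on the file. The CSP and CNG key directories are the standard Windows locations; the account name is a placeholder.

```powershell
# Added example (not from the original article): map each LocalMachine\My
# certificate to its private key file and test whether the key opens.
# Assumptions: Windows PowerShell 5.1 (.NET Framework 4.6+); $ServiceAccount
# is an optional placeholder such as 'habib\CRMAppPoolSvc'. Run elevated.
param([string]$ServiceAccount)

$cspDir = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'   # CAPI/CSP keys
$cngDir = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\Keys'              # CNG/KSP keys

function Get-KeyFileInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $r = [ordered]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
        KeyType = 'none'; KeyFile = $null; FileExists = $false
        Written = $null; Opens = $false; AccountHasAce = $null; Error = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$r }
    try {
        # Opening the key (CryptAcquireContext / NCryptOpenKey) is exactly what
        # the app pool does; an ACL problem surfaces here as an exception.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) {
            $r.Error = 'not an RSA key'
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $r.KeyType = 'CSP'
            $r.KeyFile = Join-Path $cspDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            $r.Opens   = $true
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $r.KeyType = 'CNG'
            $r.KeyFile = Join-Path $cngDir $rsa.Key.UniqueName
            $r.Opens   = $true
        }
    } catch {
        # "Keyset does not exist" and similar land here.
        $r.Error = $_.Exception.Message
    }
    if ($r.KeyFile) {
        $r.FileExists = Test-Path -LiteralPath $r.KeyFile
        if ($r.FileExists) {
            $r.Written = (Get-Item -LiteralPath $r.KeyFile -Force).LastWriteTime
            if ($ServiceAccount) {
                # Does the account have an explicit or inherited Allow on the file?
                $r.AccountHasAce = [bool]((Get-Acl -LiteralPath $r.KeyFile).Access |
                    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and
                                   $_.AccessControlType -eq 'Allow' })
            }
        }
    }
    return [pscustomobject]$r
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-KeyFileInfo -Cert $_ } |
    Sort-Object Written -Descending |
    Format-Table Subject, KeyType, FileExists, Written, Opens, AccountHasAce, Error -AutoSize
```

Because the script runs as an administrator, `Opens` tells you whether the key material is there at all; `AccountHasAce` is what tells you whether the application pool will be able to read it. A certificate that shows `HasPrivateKey` in the store but `FileExists = False` is the import-without-permission case described above; a file that exists but has no entry for the service account is the case fixed by granting Read on it. The newest `Written` timestamp is the file your latest import created.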