Fix the Keyset does not exist NTE_BAD_KEYSET error in IIS. Learn why machine keys break, why iissetup fails, and the proven recovery steps.
If you manage IIS servers long enough, you will eventually hit a wall called Keyset does not exist NTE_BAD_KEYSET. It usually shows up at the worst possible time, right when you’re changing an application pool identity to a domain account. You click OK, and IIS fires back with a cryptic HRESULT error. No guidance. No mercy.
At first glance, it looks like a permissions issue. However, that assumption wastes hours. In reality, this error points to something deeper and more dangerous: corrupted machine key providers.
Let’s break this down properly.

Overview
Why Keyset Errors Keep Coming Back
When IIS encrypts and stores sensitive data, such as application pool credentials, it relies on machine-level RSA keys held by the configProtectedData providers. If those keys are lost or corrupted, IIS can no longer decrypt the secrets it already stored.
As a result, you’ll see repeated exceptions like:
- Keyset does not exist (0x80090016)
- NTE_BAD_KEYSET
- Followed by Value does not fall within the expected range (0x80070005)
At this stage, restarting IIS or resetting credentials won’t help. Even worse, running the standard repair command may fail entirely.
Why iissetup.exe Sometimes Fails
Microsoft’s official workaround suggests regenerating keys using:
%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries
However, when the underlying keys themselves are corrupted, this command throws:
Value does not fall within the expected range
That’s the moment most admins get stuck.
And that’s exactly why Keyset does not exist NTE_BAD_KEYSET becomes a recurring nightmare instead of a one-time fix.
The Fix That Actually Works (Tested in Production)
Instead of regenerating broken keys, you must replace them.
Export keys from a healthy server
Use a working IIS server with the same Windows and IIS version.
Run these commands:
aspnet_regiis.exe -pri -px "iisConfigurationKey" "c:\iisconfigkey.xml"
aspnet_regiis.exe -pri -px "NetFrameworkConfigurationKey" "c:\netframework.xml"
aspnet_regiis.exe -pri -px "iisWasKey" "c:\iiswas.xml"
Run them from all four locations:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v4.0.30319
Import keys into the broken server
Copy the XML files to the affected server and run:
aspnet_regiis.exe -pi "iisConfigurationKey" "c:\iisconfigkey.xml" -exp
aspnet_regiis.exe -pi "NetFrameworkConfigurationKey" "c:\netframework.xml" -exp
aspnet_regiis.exe -pi "iisWasKey" "c:\iiswas.xml" -exp
Again, execute these in all four framework folders listed above.
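The export and import steps above are the same three commands repeated in four framework folders, on two servers. The following PowerShell script is an added example, not part of the original post: it runs the exports (-Mode Export, on the healthy server) or the imports (-Mode Import, on the affected server) from each folder, skips a v2.0 folder that is not installed, and reports which command failed. The container names and XML paths are the ones from the post; the key directory parameter and the script itself are assumptions.

```powershell
# Added example (not from the original post): run the three aspnet_regiis
# export or import commands from every .NET framework folder the post lists.
# Assumptions: elevated 64-bit PowerShell; container names and XML file names
# are the ones from the post; -Mode Export runs on the healthy server and
# -Mode Import on the affected one.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')]
    [string]$Mode,
    [string]$KeyDir = 'C:\'   # assumed location of the XML key files
)

$frameworkDirs = @(
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319",
    "$env:windir\Microsoft.NET\Framework\v2.0.50727",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319"
)

# RSA key containers used for IIS / .NET configuration encryption, mapped to
# the XML file each one is exported to or imported from (same names as the post).
$containers = @{
    'iisConfigurationKey'          = Join-Path $KeyDir 'iisconfigkey.xml'
    'NetFrameworkConfigurationKey' = Join-Path $KeyDir 'netframework.xml'
    'iisWasKey'                    = Join-Path $KeyDir 'iiswas.xml'
}

$failures = @()
foreach ($dir in $frameworkDirs) {
    $exe = Join-Path $dir 'aspnet_regiis.exe'
    if (-not (Test-Path $exe)) {
        # The v2.0.50727 folders only exist when .NET 3.5 is installed; skip them.
        Write-Warning "Skipping missing folder: $dir"
        continue
    }
    foreach ($name in $containers.Keys) {
        $xml = $containers[$name]
        if ($Mode -eq 'Export') {
            # -pri includes the private key, so the XML file is a secret.
            & $exe -pri -px $name $xml
        } else {
            if (-not (Test-Path $xml)) { throw "Key file not found: $xml" }
            # -exp marks the imported key as exportable, as in the post.
            & $exe -pi $name $xml -exp
        }
        if ($LASTEXITCODE -ne 0) {
            $failures += "$Mode of $name failed in $dir (exit code $LASTEXITCODE)"
        }
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "$Mode completed for every container in every installed framework folder."
```

Each export overwrites the same XML file from the previous folder, which is harmless because the containers are machine-level and identical across folders. The exported files contain private keys: copy them to the affected server over an encrypted channel and delete them from both servers once the import succeeds.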
Regenerate providers cleanly
Before proceeding:
- Back up the MachineKeys folder
- Back up applicationHost.config
- Remove the <providers> section under <configProtectedData> in applicationHost.config
Now run:
%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries
At this point, IIS can finally rebuild clean providers.
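The backup, the <providers> removal and the iissetup run above can be done in one script. This PowerShell script is an added example, not the post's own procedure: it copies the MachineKeys folder with its ACLs, copies applicationHost.config, removes the <providers> element under <configProtectedData> with the XML API rather than by hand-editing, runs iissetup, and then confirms that providers were written back. The backup root path is a placeholder; the inetsrv and MachineKeys locations are the Windows defaults and are assumed.

```powershell
# Added example (not from the original post): back up MachineKeys and
# applicationHost.config, drop <configProtectedData><providers>, then let
# iissetup recreate the providers and check that it did.
# Assumptions: elevated 64-bit PowerShell; default inetsrv and MachineKeys
# paths; C:\iis-recovery-backup is a placeholder backup location.
$ErrorActionPreference = 'Stop'

$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupRoot  = "C:\iis-recovery-backup\$stamp"
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$appHost     = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$iisSetup    = Join-Path $env:windir 'System32\inetsrv\iissetup.exe'

New-Item -ItemType Directory -Path $backupRoot | Out-Null

# 1. Back up the machine key store. /COPYALL keeps the ACLs, so a restore
#    puts the original permissions back as well as the key files.
robocopy $machineKeys (Join-Path $backupRoot 'MachineKeys') /E /COPYALL /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "MachineKeys backup failed (robocopy exit code $LASTEXITCODE)" }

# 2. Back up applicationHost.config before touching it.
Copy-Item $appHost (Join-Path $backupRoot 'applicationHost.config')

# 3. Remove <configProtectedData><providers> so iissetup has to rebuild it.
[xml]$config = Get-Content $appHost -Raw
$providers = $config.SelectSingleNode('/configuration/configProtectedData/providers')
if ($null -eq $providers) {
    Write-Warning 'No <providers> element under <configProtectedData>; nothing removed.'
} else {
    [void]$providers.ParentNode.RemoveChild($providers)
    $config.Save($appHost)
    Write-Host "Removed <providers> with $($providers.ChildNodes.Count) entries from applicationHost.config"
}

# 4. Regenerate the shared libraries and providers (the post's repair command).
& $iisSetup /install SharedLibraries
if ($LASTEXITCODE -ne 0) { throw "iissetup failed (exit code $LASTEXITCODE); restore from $backupRoot" }

# 5. Confirm that providers were written back.
[xml]$after = Get-Content $appHost -Raw
$names = $after.SelectNodes('/configuration/configProtectedData/providers/add') |
         ForEach-Object { $_.GetAttribute('name') }
if (-not $names) { throw "Providers were not regenerated; restore from $backupRoot" }
Write-Host "Regenerated providers: $($names -join ', ')"
```

If step 4 still returns "Value does not fall within the expected range", the imported keys are not in place yet and the script leaves both backups under the timestamped folder for a straightforward restore.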
Final Verification
Now try changing the application pool identity again. In almost every case, the Keyset does not exist NTE_BAD_KEYSET error disappears instantly.
More importantly, it stays gone.
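The verification step is the operation that failed in the first place: storing a domain account as an application pool identity, which makes IIS encrypt the password with the configuration providers. The following PowerShell script is an added example, not part of the original post: it performs that change through the WebAdministration module and reports specifically whether the NTE_BAD_KEYSET HRESULT (0x80090016) is still returned. The pool name and the credential are placeholders supplied by the caller.

```powershell
# Added example (not from the original post): repeat the application pool
# identity change and detect whether NTE_BAD_KEYSET (0x80090016) still occurs.
# Assumptions: WebAdministration module available; the pool name and the
# credential are placeholders passed in by the caller.
param(
    [string]$PoolName = 'DefaultAppPool',
    [Parameter(Mandatory)][pscredential]$Credential   # e.g. Get-Credential 'DOMAIN\svc-web'
)
Import-Module WebAdministration

$NTE_BAD_KEYSET = 0x80090016   # HRESULT from the post's error message

$pool = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $pool)) { throw "Application pool not found: $PoolName" }

try {
    # Writing the password forces IIS to encrypt it with the config providers,
    # which is exactly where a broken keyset surfaces.
    Set-ItemProperty $pool -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $Credential.UserName
        password     = $Credential.GetNetworkCredential().Password
    }
    Write-Host "Identity for $PoolName updated; configuration encryption is healthy."
}
catch {
    # Walk the inner exceptions: the COM error may be wrapped by the provider.
    $hresults = @()
    $ex = $_.Exception
    while ($ex) { $hresults += $ex.HResult; $ex = $ex.InnerException }

    # HResult is a signed Int32; mask it to compare with the unsigned literal.
    $hit = $hresults | Where-Object { ($_ -band 0xFFFFFFFF) -eq $NTE_BAD_KEYSET }
    if ($hit) {
        Write-Error ('NTE_BAD_KEYSET (0x{0:X8}) still returned: the keys were not replaced correctly.' -f $NTE_BAD_KEYSET)
    } else {
        throw   # some other failure, e.g. a bad credential; report it unchanged
    }
}
```

A success here after the key replacement, rather than after a plain iissetup rerun, is the sign that the fix is permanent: the stored credential is encrypted with the imported keys, so IIS will decrypt it again after the next restart.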
Conclusion
This issue isn’t rare. It’s just poorly explained across most blogs. Once keys are corrupted, regeneration alone won’t save you. Replacement will.
If you see Keyset does not exist NTE_BAD_KEYSET more than once on the same server, don’t gamble with partial fixes. Follow the full recovery path above and end the loop for good.
