Fix the Keyset does not exist NTE_BAD_KEYSET error in IIS by regenerating corrupted machine keys.
Fixing Keyset does not exist NTE_BAD_KEYSET in IIS the Right Way
If you’re running into the Keyset does not exist NTE_BAD_KEYSET error in IIS, especially when updating application pool identity to a domain account, you’re not alone. This error typically pops up with HRESULT codes like 0x80090016, 0x80090005, or even 0x80070005, and can be incredibly frustrating. The issue is often due to corrupted machine key providers, which leaves IIS unable to decrypt the application pool’s stored credentials.
Let’s skip the fluff and walk through a working solution that includes every command and step you need, no guesswork involved.
Why This Error Happens
When you see the error:
Keyset does not exist (Exception from HRESULT: 0x80090016)
…it usually means your machine key containers are either corrupted or missing. As a result, the IIS application pool identity settings fail to apply, and attempts to regenerate keys may throw another error like:
Value does not fall within the expected range (0x80070005)
How to Fix Keyset Does Not Exist NTE_BAD_KEYSET
You’ll need to fix the machine key providers by importing working keys from a healthy server and regenerating the providers. Below are all the steps you must follow, exactly as they should be run.
Export Keys from a Working Server
Run these commands in all four of the following directories:
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319
- C:\Windows\Microsoft.NET\Framework\v2.0.50727
- C:\Windows\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pri -px "iisConfigurationKey" "c:\iisconfigkey.xml"
aspnet_regiis.exe -pri -px "NetFrameworkConfigurationKey" "c:\netframework.xml"
aspnet_regiis.exe -pri -px "iisWasKey" "c:\iiswas.xml"
Import the Keys on the Problematic Server
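Move the .xml files to the problematic server. Because they were exported with -pri, they contain the RSA private keys, so copy them over a trusted channel and delete them from both servers once the import has succeeded. Then, run the following in all the same directories: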
aspnet_regiis.exe -pi "iisConfigurationKey" "c:\iisconfigkey.xml" -exp
aspnet_regiis.exe -pi "NetFrameworkConfigurationKey" "c:\netframework.xml" -exp
aspnet_regiis.exe -pi "iisWasKey" "c:\iiswas.xml" -exp
Regenerate the Machine Key Providers
Before doing this, make sure to:
- Take a backup of your machine key folder.
- Also, back up the applicationHost.config file.
- Then, remove the <providers> section under <configProtectedData> from the config file.
Now run:
%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries
Final Step
Once the above command completes successfully, go back to the IIS Manager or run IIS Express from the command line and try setting the application pool identity again. The Keyset does not exist NTE_BAD_KEYSET error should now be resolved.
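The backup and import steps above, scripted for the problematic server as an added example (not part of the original article): it takes the backups first, imports all three containers in each of the four directories, stops on the first failure, and deletes the exported private-key files afterwards. The MachineKeys path is the Windows default location and the backup folder name is a placeholder; both are assumptions, as is treating a non-zero exit code from aspnet_regiis.exe as failure.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the problematic server.
$ErrorActionPreference = 'Stop'

$frameworkDirs = @(
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727'
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'
    'C:\Windows\Microsoft.NET\Framework\v2.0.50727'
    'C:\Windows\Microsoft.NET\Framework\v4.0.30319'
)
# Container name -> exported key file, as used in the export/import steps.
$keyFiles = [ordered]@{
    iisConfigurationKey          = 'c:\iisconfigkey.xml'
    NetFrameworkConfigurationKey = 'c:\netframework.xml'
    iisWasKey                    = 'c:\iiswas.xml'
}

# 1. Back up the machine key folder and applicationHost.config first.
#    Assumptions: default MachineKeys location; hypothetical backup folder name.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$backupDir   = "C:\KeysetBackup_{0:yyyyMMdd_HHmmss}" -f (Get-Date)
New-Item -ItemType Directory -Path $backupDir | Out-Null
# /B reads files in backup mode, /SEC keeps each key file's ACL on the copy.
robocopy $machineKeys (Join-Path $backupDir 'MachineKeys') /E /B /SEC /R:0 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "MachineKeys backup failed (robocopy exit $LASTEXITCODE)" }
Copy-Item "$env:windir\System32\inetsrv\config\applicationHost.config" $backupDir

# 2. Fail early if any exported key file was not copied over.
foreach ($file in $keyFiles.Values) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing key file: $file" }
}

# 3. Import every container in every framework directory present on this server.
foreach ($dir in $frameworkDirs) {
    $tool = Join-Path $dir 'aspnet_regiis.exe'
    if (-not (Test-Path -LiteralPath $tool)) { Write-Warning "Skipping $dir (not installed)"; continue }
    foreach ($name in $keyFiles.Keys) {
        & $tool -pi $name $keyFiles[$name] -exp
        # Assumption: a non-zero exit code means the import failed.
        if ($LASTEXITCODE -ne 0) { throw "Import of $name failed in $dir (exit $LASTEXITCODE)" }
    }
}

# 4. The XML files hold RSA private keys: remove them once every import succeeded.
$keyFiles.Values | Remove-Item -Force
```

Removing the <providers> section and running iissetup.exe remain manual steps after this script finishes; the backup folder also holds private key material, so store or delete it accordingly.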
Additional Tips
To avoid this issue in the future:
- Ensure proper permissions on the machine keys.
- Check for interference from antivirus or endpoint protection.
- Use the certutil -csplist command to verify the installed Cryptographic Service Providers (CSPs).
- Always double-check any imported .pfx files or certs.
Conclusion
This guide ensures that you’ll never have to battle the Keyset does not exist NTE_BAD_KEYSET error for longer than necessary. Remember, skipping even a single step can bring back the issue, so follow each command precisely.
