AIM 7.X and Higher IM Client Cannot Log in When Access To C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ Is Restricted

Article:TECH137976  |  Created: 2010-08-18  |  Updated: 2010-08-26  |  Article URL http://www.symantec.com/docs/TECH137976
Article Type
Technical Solution

Product(s)

Issue



AIM 7.X and higher IM clients cannot log in.

 


Error



  • Windows Application Event log shows the following error message:

 

Event Type:     Error

Event Source:   IMLinkage

Event Category: None

Event ID:  4886

Date:      8/16/2010

Time:      2:11:33 PM

User:      BLACKOPS-SIMM\seva_vagodny

Computer:  SV-IMM-8-4-5

Description:

Unable to Initialize SSL Security Context for AIM Protocol.

Possible causes of failures could be:

- Could not find a certificate in the certificate store matching the given thumbprint.

- Installed certificate does not have Private Key marked as exportable.

Please refer the log files for more details.

 

  • IM Manager IMLinkage.log file shows the following error messages:

[|] 0x5bc | 08/02/10 16:12:33 | Error | CACENetworkingService::GetWin32PrivateKey | PFXExportCertStore1, error 80090016[-]

 

 

[|] 0x5bc | 08/02/10 16:12:33 | Error | CACENetworkingService::InitializeWin32SslContext | Couldn't find private key for certificate(0466019d4e401d9e383dbfd56a70424eae3606c8), error 40001[-]

 …

 

[|] 0x5bc | 08/02/10 16:12:33 | Error | AIMServerService::ProtocolSpecificStartService | Unable to Initialize SSL Security Context for AIM Protocol.

Possible causes of failures could be:

- Could not find a certificate in the certificate store matching the given thumbprint.

- Installed certificate does not have Private Key marked as exportable.

Please refer the log files for more details.[-]

 

[|] 0x5bc | 08/02/10 16:12:33 | Error | AIMServerService::ProtocolSpecificStartService | Unable to initialize SSL security context. InitializeSslContext returned:0x40001. SSL will be disabled.[-]

These messages appear immediately after IMLogRelayService service starts up.

Conditions

  • IM Manager IMLogRelayService is not listening on port 443

1.      On the IM Manager computer run the following command from a command prompt.

netstat -anb > netstat.txt

2.      Open the file netstat.txt in a text editor.


Look for LISTENING lines for port 443.

Here is an example:

 TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 3628
[IMLogRelayService.exe]

This line shows that the process IMLogRelayService.exe is listening on all available IPs on port 443.

If there is no line showing the IMLogRelayService.exe process LISTENING on an IP address (or 0.0.0.0) for port 443, this condition is met. Note that another process may be listening on 443 instead; netstat -anb prints the owning image name in brackets on the line after each LISTENING entry.

  • The service account running the IMLogRelayService service does not have create permissions on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ directory.

1.      Download Microsoft Process Monitor tool http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx to the IM Manager Server.

2.      Navigate to the downloaded folder and run Procmon.exe.

3.      Restart IMLogRelayService service.

4.      Save the Process Monitor log (File | Save).

5.      Choose All events and Native Process Monitor Format (PML).

6.      Open the saved log in Process Monitor and search (Edit | Find) for C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ (or add a filter: Path contains MachineKeys).

 If you find a line with Process Name equal to IMLogRelayService.exe, Path equal to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f297b602ef8c6bbff0bb187716f1604e_8461fb31-d62f-42bf-814c-78bc0aea071c (the f297b602ef8c6bbff0bb187716f1604e_8461fb31-d62f-42bf-814c-78bc0aea071c file name is the key container for the certificate's private key and will vary), and Result equal to ACCESS DENIED, this condition is met. Note the full path of that file; it is the file whose permissions must be corrected in the Solution.
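Both conditions above can be checked from one elevated PowerShell session on the IM Manager server. The script below is an added example and is not part of the Symantec article or the IM Manager product. It assumes the downloaded Procmon.exe sits at C:\Tools\Procmon.exe, that the service's short name is IMLogRelayService, and that the Process Monitor command-line switches it uses (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) are those of current Sysinternals builds; the netstat parsing is written against the LISTENING line format shown in the Conditions above.

```powershell
# Added example (not from the Symantec article). Checks both Conditions in one run.
# Assumptions: Procmon.exe at $ProcmonPath, service short name "IMLogRelayService",
# Procmon switches /AcceptEula /Quiet /Minimized /BackingFile /Terminate /OpenLog /SaveAs.
# Run from an elevated PowerShell prompt (netstat -b and Procmon both require it).

# --- Condition 1: is IMLogRelayService.exe listening on TCP 443? ---
function Get-Tcp443Listeners {
    param([string[]]$NetstatLines = (netstat -anb))
    $found = @()
    for ($i = 0; $i -lt $NetstatLines.Count; $i++) {
        # "  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    3628"  ("[::]:443" for IPv6 also matches)
        if ($NetstatLines[$i] -match '^\s*TCP\s+(\S+):443\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $local = $matches[1]; $procId = [int]$matches[2]
            # netstat -b prints the owning image as " [name.exe]" on a following line
            $image = '(unknown)'
            for ($j = $i + 1; $j -lt $NetstatLines.Count; $j++) {
                if ($NetstatLines[$j] -match '^\s*\[(.+)\]\s*$') { $image = $matches[1]; break }
                if ($NetstatLines[$j] -match '^\s*(TCP|UDP)\s')   { break }
            }
            $found += [pscustomobject]@{ LocalAddress = $local; PID = $procId; Image = $image }
        }
    }
    return ,$found
}

$listeners = Get-Tcp443Listeners
if ($listeners | Where-Object { $_.Image -ieq 'IMLogRelayService.exe' }) {
    Write-Host 'Condition 1 NOT met: IMLogRelayService.exe is listening on TCP 443.'
} else {
    Write-Host 'Condition 1 met: no IMLogRelayService.exe listener on TCP 443. Other 443 listeners:'
    $listeners | Format-Table -AutoSize
}

# --- Condition 2: does the service get ACCESS DENIED under MachineKeys at start-up? ---
$ProcmonPath = 'C:\Tools\Procmon.exe'              # assumed location of the downloaded tool
$Pml = "$env:TEMP\immkeys.pml"; $Csv = "$env:TEMP\immkeys.csv"

Start-Process -FilePath $ProcmonPath -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Pml`""
Start-Sleep -Seconds 5                             # let Procmon attach before the restart
Restart-Service -Name IMLogRelayService            # the SSL init runs right after start-up
Start-Sleep -Seconds 20
Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
Start-Process -FilePath $ProcmonPath -ArgumentList "/OpenLog `"$Pml`" /SaveAs `"$Csv`"" -Wait

function Get-MachineKeysDenials {
    param([string]$CsvPath)
    # Default Procmon CSV columns: "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
    Import-Csv -Path $CsvPath | Where-Object {
        $_.'Process Name' -ieq 'IMLogRelayService.exe' -and
        $_.Path -like '*\Microsoft\Crypto\RSA\MachineKeys\*' -and
        $_.Result -eq 'ACCESS DENIED'
    } | Select-Object 'Time of Day', Operation, Path, Result
}

$denied = @(Get-MachineKeysDenials -CsvPath $Csv)
if ($denied.Count -gt 0) {
    Write-Host "Condition 2 met: ACCESS DENIED on $($denied.Count) MachineKeys operation(s). Key container file(s):"
    $denied | Select-Object -ExpandProperty Path -Unique
} else {
    Write-Host 'Condition 2 NOT met: no ACCESS DENIED under MachineKeys for IMLogRelayService.exe.'
}
```

The key container path printed for Condition 2 is the file the Solution below needs; keep the 20-second capture window short so the PML stays small enough to convert quickly. If you prefer the GUI steps above, the same Where-Object filter can be applied to a CSV exported with File | Save (CSV format) instead of the /OpenLog /SaveAs conversion.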

 


Cause



Permissions on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ folder do not allow the IM Manager service account to create or open the key container that holds the certificate's private key, which causes the AIM SSL initialization to fail. The CryptoAPI error 80090016 in IMLinkage.log is NTE_BAD_KEYSET ("Keyset does not exist"); the certificate itself is found by thumbprint, but the key container file under MachineKeys cannot be opened by the service account, so from the application's point of view the certificate has no private key. Both Certificate Services and Internet Explorer use this folder, so its default permissions should not be changed. See Microsoft KB 278381, Default permissions for the MachineKeys folders, for details.


Solution



 

Give the service account that runs IMLogRelayService READ access to the key container file that Process Monitor reported as ACCESS DENIED (the file under MachineKeys\ whose name is the hash_GUID value noted in the Conditions above). Grant the permission on that file only; do not add the account to, or loosen, the permissions on the MachineKeys folder itself, because the folder holds the private keys of every machine-wide certificate on the server.

  1. In Windows Explorer, right-click the key container file.
  2. Select Properties.
  3. Click the Security tab.
  4. Click the Add... button.
  5. Click the Locations... button.
  6. Select the local machine (or the domain, if the service runs under a domain account).
  7. Enter the service account name (the User column of the Process Monitor entry, or the Log On As account shown for IMLogRelayService in the Services console).
  8. Click the Check Names button. The name should be found.
  9. Click OK. Leave the default Read permission selected and click OK.
 10. Restart the IMLogRelayService service and confirm that it is now listening on port 443 (netstat -anb) and that the IMLinkage event 4886 is no longer logged.
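The same change can be made and verified from an elevated PowerShell prompt. This script is an added example, not part of the Symantec article or the IM Manager product. It assumes the service short name is IMLogRelayService, resolves the service's Log On As account from WMI (Win32_Service.StartName) rather than reading it off the Process Monitor entry, and uses the hash_GUID file name from the article as a placeholder that must be replaced with the path reported by Process Monitor on your server.

```powershell
# Added example (not from the Symantec article). Grants the IMLogRelayService logon account
# Read access to ONE key container file under MachineKeys (the file Procmon reported as
# ACCESS DENIED) and verifies the resulting ACE. Nothing is changed on the MachineKeys folder.
# Assumptions: service short name "IMLogRelayService"; $KeyFile is the article's placeholder
# name and must be replaced with the path from your Process Monitor capture. Run elevated.

$KeyFile = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f297b602ef8c6bbff0bb187716f1604e_8461fb31-d62f-42bf-814c-78bc0aea071c'

function Get-ServiceLogonAccount {
    param([string]$ServiceName)
    # Win32_Service.StartName is the "Log On As" account; normalise forms that icacls cannot resolve
    $name = (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartName
    switch -Regex ($name) {
        '^LocalSystem$' { 'NT AUTHORITY\SYSTEM'; break }
        '^\.\\(.+)$'    { "$env:COMPUTERNAME\$($matches[1])"; break }   # ".\user" -> "HOST\user"
        default         { $name }
    }
}

function Grant-ReadOnKeyContainer {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Key container file not found: $Path" }
    # (R) = read-only simple right; no inheritance flags, applied to this file only
    & icacls.exe $Path /grant "${Account}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    # Verify: the account must now hold an Allow ACE on this file that includes Read
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $ace = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$ace
}

$account = Get-ServiceLogonAccount -ServiceName 'IMLogRelayService'
if (Grant-ReadOnKeyContainer -Path $KeyFile -Account $account) {
    Write-Host "Read access granted to $account on $KeyFile; restarting the service."
    Restart-Service -Name IMLogRelayService
    # Re-check Condition 1: the service should now be listening on TCP 443
    netstat -anb | Select-String -Pattern ':443\s+\S+\s+LISTENING' -Context 0,1
} else {
    Write-Warning "ACE for $account not found after icacls; check the account name and the file's ACL."
}
```

If the Log On As account is LocalSystem the error in this article should not occur, since SYSTEM already has full control of MachineKeys by default; in that case re-check which account IMLogRelayService actually runs under before changing any permissions.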

 



