Forefront Threat Management Gateway 2010 services do not start as expected when the FTMG 2010 servers are in a workgroup array

Symptoms

Consider the following scenario:
  • You create an array of servers that are running Microsoft Forefront Threat Management Gateway (FTMG) 2010.
  • The server array is in a workgroup.
  • You restart the servers in the array.
In this scenario, the FTMG 2010 services may not start automatically as expected. One or more of the following messages may be logged in the System log in Event Viewer:
Event Type: Error
Event ID: 7022
Description:
The Microsoft Forefront TMG Control service hung on starting.

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Cause

This issue can occur if one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type.

Resolution

To resolve this issue, make the FTMG Control service dependent on the KeyIso service. To do this, follow these steps:
  1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt.
  2. Click Run as administrator.

    Note If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  3. At the command prompt, type the following command, and then press Enter:
    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso
Note The FTMG Control service's dependencies are reset to the default settings when you install an FTMG 2010 update. For example, the dependencies are reset when you install a service pack or a rollup. Therefore, you must repeat the steps in this section after you install an FTMG update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

When an FTMG 2010 server array is in a workgroup, the array communicates with the Configuration Storage Server by using the Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). When an FTMG server is restarted, the Forefront TMG Control service tries to connect to the Configuration Storage Server to obtain configuration information. The Secure Sockets Layer (SSL) handshake of this connection is managed by the Schannel layer.

Note The Configuration Storage Server is an Active Directory Application Mode (ADAM) instance that FTMG 2010 uses to store configuration information.

If one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type, the Schannel layer makes a call to the NCryptOpenStorageProvider function. This call is made during the SSL handshake to load and initialize a key storage provider for the client certificate private key. The NCryptOpenStorageProvider function also tries to start the KeyIso service.

Note The default startup type for the KeyIso service is "Manual."

The MSDN documentation states that the NCryptOpenStorageProvider function should not be called by a service from within its StartService processing. Because the FTMG Control service makes this call while it is still starting, and the call in turn tries to start the KeyIso service, a deadlock occurs and the Control service remains in the start-pending state.

To determine whether a certificate in the Personal store on the local computer has the "Client Authentication" usage type, follow these steps:
  1. Open a command prompt on an FTMG 2010 server in the array.
  2. At the command prompt, type the following command, and then press Enter:

    certutil.exe -v -verifystore My
  3. Verify the following certificate information in the output:

    Enhanced Key Usage
    Client Authentication (1.3.6.1.5.5.7.3.2)
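The following PowerShell script is an added example and is not part of the KB article or of the FTMG product. It automates the two checks this article describes, namely the certutil inspection of the Personal store for the Client Authentication usage type (the steps immediately above) and a check that the FTMG Control service (isactrl) already depends on KeyIso, and, only when run with -ApplyFix, it issues the exact sc config command from the Resolution section. The service name isactrl, the store name My, the OID 1.3.6.1.5.5.7.3.2 and the dependency list come from the article; the -ApplyFix parameter, the function name and the report wording are assumptions of this example. Run it from an elevated PowerShell prompt on an array member; it uses only the .NET X509 classes and sc.exe so that it does not depend on newer certificate-provider properties.

```powershell
# Added example, not code from the KB article. Audits an FTMG 2010 array member for
# the two conditions the article describes and optionally applies the documented fix.
[CmdletBinding()]
param(
    [switch]$ApplyFix   # assumed parameter: run the article's 'sc config' line if KeyIso is missing
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, as certutil -v prints it

# Returns $true when the certificate's Enhanced Key Usage extension lists Client Authentication.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# --- 1. Certificates in LocalMachine\My (the "Personal" store) with the Client Authentication usage type
$triggerCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { Test-ClientAuthEku -Cert $_ }

if ($triggerCerts) {
    Write-Host "Certificates with the Client Authentication EKU in LocalMachine\My:"
    $triggerCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Host "No certificate in LocalMachine\My carries the Client Authentication EKU."
}

# --- 2. Does the Forefront TMG Control service (isactrl) already depend on KeyIso?
$control = Get-Service -Name isactrl -ErrorAction SilentlyContinue
if (-not $control) {
    Write-Warning "Service 'isactrl' was not found. Is this an FTMG 2010 server?"
    return
}

$deps = @($control.ServicesDependedOn | ForEach-Object { $_.Name })
Write-Host ("isactrl currently depends on: " + ($deps -join ', '))

$dependsOnKeyIso = $deps -contains 'KeyIso'
if ($dependsOnKeyIso) {
    Write-Host "KeyIso dependency is present; the workaround from this article is in place."
} elseif ($triggerCerts) {
    Write-Warning "Client Authentication certificate(s) are present and isactrl does NOT depend on KeyIso: this server is exposed to the start-up deadlock."
}

# --- 3. Optionally apply the article's fix (re-run after every FTMG update, which resets the list)
if ($ApplyFix -and -not $dependsOnKeyIso) {
    # The exact command from the Resolution section; sc.exe requires the space after 'depend='.
    & sc.exe config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Dependency list updated; isactrl now depends on KeyIso."
    } else {
        Write-Warning "sc.exe returned exit code $LASTEXITCODE. Run this script from an elevated prompt."
    }
}
```

Without -ApplyFix the script only reports, which makes it suitable for a quick audit across array members; a warning on step 2 combined with a non-empty list in step 1 is the configuration this article describes. Because an FTMG update resets the dependency list, scheduling the report after patch cycles catches a silently reverted workaround before the next restart.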

References

For more information about the NCryptOpenStorageProvider function, visit the following Microsoft MSDN website:

Keywords: kbsurveynew, kbprb, kbentirenet, kb

Article Info
Article ID : 2659700
Revision : 1
Created on : 1/7/2017
Published on : 1/10/2012