Forefront Threat Management Gateway 2010 services do not start as expected when the FTMG 2010 servers are in a workgroup array

Article ID: 2659700 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You create an array of servers that are running Microsoft Forefront Threat Management Gateway (FTMG) 2010.
  • The server array is in a workgroup.
  • You restart the servers in the array.
In this scenario, the FTMG 2010 services may not start automatically as expected. One or more of the following messages may be logged in the System log in Event Viewer:
Event Type: Error
Event ID: 7022
Description:
The Microsoft Forefront TMG Control service hung on starting.

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Back to the top | Give Feedback

CAUSE

This issue can occur if one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type.
Back to the top | Give Feedback

RESOLUTION

To resolve this issue, make the FTMG Control service dependent on the KeyIso service. To do this, follow these steps:
  1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt.
  2. Click Run as administrator.

    Note If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  3. At the command prompt, type the following command, and then press Enter:
    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso
Note The FTMG Control services dependencies are reset to the default settings when you install an FTMG 2010 update. For example, the FTMG Control services dependencies are reset to the default settings when you install a service pack or a rollup. Therefore, you must repeat the steps in this section when you install an FTMG update.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

When an FTMG 2010 server array is in a workgroup, the array communicates with the Configuration Storage Server by using the Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). When an FTMG server is restarted, the Forefront TMG Control server tries to connect to the Configuration Storage Server to obtain configuration information. The Secure Sockets Layer (SSL) handshake of this connection is managed by the Schannel layer.

Note The Configuration Storage Server is an Active Directory Application Mode (ADAM) instance that FTMG 2010 uses to store configuration information.

If one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type, the Schannel layer makes a call to the NCryptOpenStorageProvider function. This call is made during the SSL handshake to load and initialize a key storage provider for the client certificate private key. The NCryptOpenStorageProvider function also tries to start the KeyIso service.

Note The default startup type for the KeyIso service is "Manual."

The MSDN documentation states that the NCryptOpenStorageProvider function should not be called by a service from the StartService function. Therefore, a deadlock occurs.

To determine whether a certificate in the Personal store on the local computer has the "Client Authentication" usage type, follow these steps:
  1. Open a command prompt on an FTMG 2010 server in the array.
  2. At the command prompt, type the following command, and then press Enter:

    certutil.exe -v -verifystore My
  3. Verify the following certificate information in the output:

    Enhanced Key Usage
    Client Authentication (1.3.6.1.5.5.7.3.2)

Back to the top | Give Feedback

REFERENCES

For more information about the NCryptOpenStorageProvider function, visit the following Microsoft MSDN website:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376286(v=vs.85).aspx
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa376286(v=vs.85).aspx)
Back to the top | Give Feedback

Properties

Article ID: 2659700 - Last Review: January 10, 2012 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 2
Keywords: 
kbsurveynew kbprb KB2659700
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top