
Symptoms

Consider the following scenario:

  • You create an array of servers that are running Microsoft Forefront Threat Management Gateway (FTMG) 2010.

  • The server array is in a workgroup.

  • You restart the servers in the array.

In this scenario, the FTMG 2010 services may not start automatically as expected. One or more of the following messages may be logged in the System log in Event Viewer:

Event Type: Error
Event ID: 7022
Description:
The Microsoft Forefront TMG Control service hung on starting.


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.


Cause

This issue can occur if one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type.

Resolution

To resolve this issue, make the FTMG Control service dependent on the KeyIso service. To do this, follow these steps:

  1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt.

  2. Click Run as administrator.

    Note If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

  3. At the command prompt, type the following command, and then press Enter:

    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso

Note The FTMG Control service's dependencies are reset to the default settings when you install an FTMG 2010 update, for example a service pack or a rollup. Therefore, you must repeat the steps in this section after you install an FTMG update.
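The sc config command above replaces the whole dependency list, so a practitioner usually wants to see what the service currently depends on before overwriting it, and to be able to re-run the check after an update resets the list. The following PowerShell script is an added example and is not part of the Microsoft article: it reads the DependOnService value of the isactrl service from the registry, appends KeyIso only if it is missing, and then confirms the result. It assumes an elevated prompt on an FTMG 2010 array member and uses Win32_Service rather than Get-Service -StartType so that it also runs under the Windows PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the KB article). Run from an elevated PowerShell prompt
# on an FTMG 2010 array member. Assumptions: the service name 'isactrl' and the
# dependency 'KeyIso' are taken from the article's sc command; nothing else is assumed.

$serviceName        = 'isactrl'
$requiredDependency = 'KeyIso'

# DependOnService is a REG_MULTI_SZ under the service key; sc.exe config depend= writes this value.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (-not (Test-Path $regPath)) {
    throw "Service '$serviceName' not found; is this an FTMG 2010 server?"
}

# Read the current list; Where-Object { $_ } drops the $null you get when the value is absent.
$current = @((Get-ItemProperty -Path $regPath -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
             Where-Object { $_ })
Write-Host "Current dependencies of $serviceName : $($current -join ', ')"

if ($current -contains $requiredDependency) {
    Write-Host "$requiredDependency is already a dependency; nothing to do."
}
else {
    # sc.exe wants the list separated by forward slashes and a space after 'depend='.
    $newList = ($current + $requiredDependency) -join '/'
    Write-Host "Appending $requiredDependency. New list: $newList"
    & sc.exe config $serviceName 'depend=' $newList
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

# Confirm the stored list and show the state of KeyIso itself (its default start type is Manual).
(Get-ItemProperty -Path $regPath -Name DependOnService).DependOnService
Get-WmiObject -Class Win32_Service -Filter "Name='$requiredDependency'" |
    Select-Object Name, State, StartMode
```

Because the script appends to the existing list instead of writing a fixed one, it can be scheduled to run after each FTMG update without clobbering dependencies that the update itself may have added.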

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

When an FTMG 2010 server array is in a workgroup, the array communicates with the Configuration Storage Server by using the Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). When an FTMG server is restarted, the Forefront TMG Control service tries to connect to the Configuration Storage Server to obtain configuration information. The Secure Sockets Layer (SSL) handshake of this connection is managed by the Schannel layer.

Note The Configuration Storage Server is an Active Directory Application Mode (ADAM) instance that FTMG 2010 uses to store configuration information.

If one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type, the Schannel layer makes a call to the NCryptOpenStorageProvider function. This call is made during the SSL handshake to load and initialize a key storage provider for the client certificate private key. The NCryptOpenStorageProvider function also tries to start the KeyIso service.

Note The default startup type for the KeyIso service is "Manual."

The MSDN documentation states that the NCryptOpenStorageProvider function should not be called by a service from the StartService function. Because the FTMG Control service is still in a start-pending state when it waits for the KeyIso service to start, a deadlock occurs.

To determine whether a certificate in the Personal store on the local computer has the "Client Authentication" usage type, follow these steps:

  1. Open a command prompt on an FTMG 2010 server in the array.

  2. At the command prompt, type the following command, and then press Enter:

    certutil.exe -v -verifystore My

  3. Verify the following certificate information in the output:

    Enhanced Key Usage
    Client Authentication (1.3.6.1.5.5.7.3.2)
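The certutil output above has to be read by hand across every certificate in the store. The following PowerShell script is an added example, not part of the Microsoft article: it enumerates the local computer's Personal (My) store through the .NET X509 classes and lists only the certificates whose Enhanced Key Usage extension contains the Client Authentication OID 1.3.6.1.5.5.7.3.2 quoted in step 3. The only value it assumes is that OID; it runs under Windows PowerShell 2.0 and later and needs no elevation to read the store.

```powershell
# Added example (not from the KB article): find certificates in LocalMachine\My that
# carry the Client Authentication EKU, the condition the article says triggers the
# NCryptOpenStorageProvider call during the Schannel handshake.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, as shown in the certutil output

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

try {
    $clientAuthCerts = foreach ($cert in $store.Certificates) {
        # Only the EKU extension carries usage OIDs; certificates without one cannot match.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
            New-Object PSObject -Property @{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # a private key is what the key storage provider is loaded for
            }
        }
    }
}
finally {
    $store.Close()
}

if ($clientAuthCerts) {
    Write-Host "Certificates with the Client Authentication EKU in LocalMachine\My:"
    $clientAuthCerts | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
}
else {
    Write-Host "No certificate in LocalMachine\My carries the Client Authentication EKU."
}
```

Run it on each server in the array: any server that prints at least one row is one where the FTMG Control service can hang at startup unless it has been made dependent on the KeyIso service as described in the Resolution section.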


References

For more information about the NCryptOpenStorageProvider function, visit the following Microsoft MSDN website:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376286(v=vs.85).aspx
