
Symptoms

Consider the following scenario:

  • You create an array of servers that are running Microsoft Forefront Threat Management Gateway (FTMG) 2010.

  • The server array is in a workgroup.

  • You restart the servers in the array.

In this scenario, the FTMG 2010 services may not start automatically as expected. One or more of the following messages may be logged in the System log in Event Viewer:

Event Type: Error
Event ID: 7022
Description:
The Microsoft Forefront TMG Control service hung on starting.


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.


Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.


Cause

This issue can occur if one or more certificates in the Personal store on the local computer have the "Client Authentication" Enhanced Key Usage (EKU).

Resolution

To resolve this issue, make the FTMG Control service dependent on the KeyIso service. To do this, follow these steps:

  1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt.

  2. Click Run as administrator.

    Note If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

  3. At the command prompt, type the following command, and then press Enter. Because the depend= parameter replaces the whole dependency list, the command restates the default dependencies of the FTMG Control service and adds KeyIso at the end. The space after depend= is required by sc.exe.

    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso

Note The FTMG Control service's dependencies are reset to the default settings when you install an FTMG 2010 update. For example, the dependencies are reset when you install a service pack or a rollup. Therefore, you must repeat the steps in this section after you install an FTMG update.
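The same change in an idempotent form that can be re-run after every FTMG update, as an added example that is not part of the original article. It reads the current DependOnService value of the isactrl service from the registry, appends KeyIso only if it is not already listed, applies the change with sc.exe, and prints the resulting configuration. It assumes the service name isactrl and the dependency format shown in the article; run it in an elevated PowerShell session on each array member.

```powershell
# Added example, not from the KB article: make the Forefront TMG Control
# service (isactrl) depend on KeyIso without clobbering its other dependencies.
# Run in an elevated PowerShell on each FTMG 2010 array member.
# Assumption: the service is registered as 'isactrl', as in the article.

$service  = 'isactrl'
$required = 'KeyIso'

# DependOnService is a REG_MULTI_SZ under the service key; read it as an array.
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
$current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)

if ($current.Count -eq 0) {
    # No dependency list at all: fall back to the list the article prescribes.
    Write-Warning "$service has no DependOnService value; using the article's default list."
    $current = @('RasMan', 'SSTPSVC', 'FwEng', 'ISASTG', 'bfe', 'mpssvc', 'HTTP')
}

if ($current -contains $required) {
    Write-Output "$service already depends on $required; nothing to do."
} else {
    # sc.exe expects the list '/'-separated and a space after 'depend='.
    # Note: in PowerShell 'sc' alone is an alias for Set-Content, so call sc.exe.
    $newList = ($current + $required) -join '/'
    & sc.exe config $service depend= $newList | Write-Output
}

# Verify: 'sc qc' prints the DEPENDENCIES block of the service configuration.
& sc.exe qc $service
```

Because the script only appends KeyIso when it is missing, it can be scheduled or kept in the post-update checklist and run unconditionally after each service pack or rollup.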

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

When an FTMG 2010 server array is in a workgroup, the array members communicate with the Configuration Storage Server by using the Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). When an FTMG server is restarted, the Forefront TMG Control service tries to connect to the Configuration Storage Server to obtain configuration information. The Secure Sockets Layer (SSL) handshake of this connection is managed by the Schannel layer.

Note The Configuration Storage Server is an Active Directory Application Mode (ADAM) instance that FTMG 2010 uses to store configuration information.

If one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type, the Schannel layer makes a call to the NCryptOpenStorageProvider function. This call is made during the SSL handshake to load and initialize a key storage provider for the client certificate private key. The NCryptOpenStorageProvider function also tries to start the KeyIso service.

Note The default startup type for the KeyIso service is "Manual."

The MSDN documentation states that the NCryptOpenStorageProvider function must not be called by a service that is still starting (that is, while the service is in the start-pending state), because the function may itself have to start the KeyIso service through the Service Control Manager. In this scenario the Control service makes the call before it has reported that it is running, so the start of KeyIso waits on the start of the Control service while the Control service waits on NCryptOpenStorageProvider. The result is the deadlock that event 7022 reports as "hung on starting." Declaring KeyIso as a dependency of the Control service makes the Service Control Manager start KeyIso first, so the call finds the service already running.

To determine whether a certificate in the Personal store on the local computer has the "Client Authentication" usage type, follow these steps:

  1. Open a command prompt on an FTMG 2010 server in the array.

  2. At the command prompt, type the following command, and then press Enter:

    certutil.exe -v -verifystore My

  3. Verify the following certificate information in the output:

    Enhanced Key Usage
    Client Authentication (1.3.6.1.5.5.7.3.2)

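The certutil check above can also be done from PowerShell, which makes it easy to run across all members of the array. The following is an added example, not part of the original article: it enumerates the local computer's Personal (My) store and lists every certificate whose Enhanced Key Usage extension explicitly contains the Client Authentication OID 1.3.6.1.5.5.7.3.2. It also reports whether a private key is present, because the Schannel call described above is made to load the key storage provider for the client certificate's private key. The script is read-only and assumes only the built-in Cert: drive.

```powershell
# Added example, not from the KB article: find certificates in the local
# computer's Personal store that carry the Client Authentication EKU, which is
# the trigger described in the article. Read-only; safe to run on any member.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, as shown in the certutil output

$hits = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    # Pick the EKU extension, if the certificate has one.
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # A certificate without an EKU extension is not what the article describes,
    # so only match an explicit Client Authentication OID.
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

if (-not $hits) {
    Write-Output 'No Client Authentication certificates in Cert:\LocalMachine\My.'
} else {
    $hits |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
        Format-Table -AutoSize
}
```

Any certificate listed is enough to reproduce the hang after a restart, so if the output is not empty the dependency fix in the "Resolution" section should be applied (or verified to still be in place after the latest update).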

References

For more information about the NCryptOpenStorageProvider function, visit the following Microsoft MSDN website:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376286(v=vs.85).aspx
