Symptoms
Consider the following scenario:
- You create an array of servers that are running Microsoft Forefront Threat Management Gateway (FTMG) 2010.
- The server array is in a workgroup.
- You restart the servers in the array.
In this scenario, the Microsoft Forefront TMG Control service hangs on starting, and events that resemble the following are logged:
Event Type: Error
Event ID: 7022
Description:
The Microsoft Forefront TMG Control service hung on starting.
Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state
Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.
Event Type: Error
Event ID: 7001
Description:
The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error:
After starting, the service hung in a start-pending state.
Cause
This issue can occur if one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type.
Resolution
To resolve this issue, make the FTMG Control service dependent on the KeyIso service. To do this, follow these steps:
- Click Start, click All Programs, click Accessories, and then right-click Command Prompt.
- Click Run as administrator.
  Note If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
- At the command prompt, type the following command, and then press Enter:
  sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
When an FTMG 2010 server array is in a workgroup, the array communicates with the Configuration Storage Server by using the Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). When an FTMG server is restarted, the Forefront TMG Control service tries to connect to the Configuration Storage Server to obtain configuration information. The Secure Sockets Layer (SSL) handshake of this connection is managed by the Schannel layer.
Note The Configuration Storage Server is an Active Directory Application Mode (ADAM) instance that FTMG 2010 uses to store configuration information.
If one or more certificates in the Personal store on the local computer have the "Client Authentication" usage type, the Schannel layer makes a call to the NCryptOpenStorageProvider function. This call is made during the SSL handshake to load and initialize a key storage provider for the client certificate private key. The NCryptOpenStorageProvider function also tries to start the KeyIso service.
Note The default startup type for the KeyIso service is "Manual."
The MSDN documentation states that the NCryptOpenStorageProvider function should not be called by a service from the StartService function, because the call may itself have to start the KeyIso service through the Service Control Manager while the calling service is still in a start-pending state. The Forefront TMG Control service makes exactly this call during its own startup. Therefore, a deadlock occurs.
To determine whether a certificate in the Personal store on the local computer has the "Client Authentication" usage type, follow these steps:
- Open a command prompt on an FTMG 2010 server in the array.
- At the command prompt, type the following command, and then press Enter:
  certutil.exe -v -verifystore My
- Verify the following certificate information in the output:
  Enhanced Key Usage
  Client Authentication (1.3.6.1.5.5.7.3.2)
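The following script is an added example that is not part of this article; it automates the certificate check above and the dependency check from the Resolution section on one array member. It assumes the service names the article uses (isactrl for the Forefront TMG Control service, KeyIso for the CNG Key Isolation service) and an elevated Windows PowerShell session on the FTMG server.

```powershell
# Added example, not part of the original KB article. Assumes the service names the
# article uses (isactrl = Forefront TMG Control, KeyIso = CNG Key Isolation) and an
# elevated Windows PowerShell session on an FTMG 2010 array member.
param([switch]$Apply)   # -Apply runs the article's sc config command; default is report-only

$clientAuthOid   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, as shown by certutil
$ekuExtensionOid = '2.5.29.37'           # id-ce-extKeyUsage (Enhanced Key Usage extension)

# Step 1: certificates in the local computer's Personal store (certutil's "My" store)
# whose Enhanced Key Usage extension explicitly lists Client Authentication.
$clientAuthCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
})
foreach ($cert in $clientAuthCerts) {
    Write-Output ('Client Authentication certificate: {0} (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint)
}

# Step 2: does the Control service already list KeyIso among its dependencies?
$controlSvc = Get-Service -Name isactrl -ErrorAction Stop
$dependencyNames = @($controlSvc.ServicesDependedOn | ForEach-Object { $_.ServiceName })
$dependsOnKeyIso = [bool]($dependencyNames | Where-Object { $_ -eq 'KeyIso' })
Write-Output ('isactrl depends on: {0}' -f ($dependencyNames -join ', '))

# Step 3: KeyIso startup type, for context (the article notes the default is Manual).
$keyIso = Get-WmiObject -Class Win32_Service -Filter "Name='KeyIso'"
Write-Output ('KeyIso start mode: {0}, state: {1}' -f $keyIso.StartMode, $keyIso.State)

# Verdict: the hang needs both conditions, a Client Authentication certificate and
# no KeyIso dependency, so only then is this array member at risk.
if ($clientAuthCerts.Count -gt 0 -and -not $dependsOnKeyIso) {
    Write-Warning 'At risk: Client Authentication certificate present and isactrl does not depend on KeyIso.'
    if ($Apply) {
        # Exact dependency list from the article; sc.exe, not the PowerShell alias sc (Set-Content).
        & sc.exe config isactrl 'depend=' 'RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso'
    } else {
        Write-Output 'Re-run with -Apply to set the dependency described in the Resolution section.'
    }
} else {
    Write-Output 'Not affected: no Client Authentication certificate, or the KeyIso dependency is already set.'
}
```

The report-only run is safe on any array member; only the -Apply switch changes the service configuration, and it does so with the same command the Resolution section gives.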
References
For more information about the NCryptOpenStorageProvider function, visit the following Microsoft MSDN website: