Common problem with SharePoint 2010: System.Security.Cryptography.CryptographicException – Keyset does not exist

SharePoint 2010 has a new feature which recycles the OWSTIMER.EXE process every night – similar to the application pool functionality in IIS – to avoid memory problems inside the timer service.

The recycling is controlled by a new timer job which has been added in SharePoint 2010: the “Timer Service Recycle” job, which by default runs once a day at 6 AM.

While recycling and shutting down, the timer service runs into a problem in .NET which Tess Ferrandez has explained here.

The problem is that the encryption key was created on a specific thread which was impersonating a specific user's account. When the .NET Finalizer processes the encryption key while the timer service shuts down, it executes on a different thread which is not impersonated – so the key does not exist in that context and you get an exception like “keyset does not exist”.

As this exception occurs in the final stages of the process shutdown, it does not cause any harm – besides adding an event to the event log when it happens:

 

Eventlog Error

An unhandled exception occurred and the process was terminated.
Application ID: DefaultDomain
Process ID: 4213
Exception: System.Security.Cryptography.CryptographicException

Message: Keyset does not exist

StackTrace:    at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) 
   at System.Security.Cryptography.SafeProvHandle._FreeCSP(IntPtr pProvCtx) 
   at System.Security.Cryptography.SafeProvHandle.ReleaseHandle() 
   at System.Runtime.InteropServices.SafeHandle.InternalFinalize() 
   at System.Runtime.InteropServices.SafeHandle.Dispose(Boolean disposing) 
   at System.Runtime.InteropServices.SafeHandle.Finalize()

  

A more visible problem for a customer will occur when Visual Studio or another JIT debugger is installed on the affected box. In this case the following dialog will show up on the console when the problem occurs:

Uninstalling Visual Studio will not resolve this issue as the registry settings which present this dialog are still active.

To configure the server to no longer show a dialog when an unhandled exception occurs, use the registry editor to delete the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger

On a 64-bit operating system also delete the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger

More details are at:
http://msdn.microsoft.com/en-us/library/5hs4b7a6(VS.80).aspx
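
The registry procedure above as a script (an added example, not part of the original post): it reports which of the four entries exist, and with `-Remove` saves their data before deleting them so the debugger can be re-registered later. `Debugger` and `DbgManagedDebugger` are stored as values under the `AeDebug` and `.NETFramework` keys, so the script removes those values; the `$BackupPath` default is an assumption.

```powershell
# Added example: audit, back up and remove the JIT debugger registration.
# Run from an elevated 64-bit PowerShell session (a 32-bit session is
# redirected to Wow6432Node). Written to work on PowerShell 2.0 as well.
param(
    [string]$BackupPath = "$env:TEMP\jit-debugger-backup.csv",  # assumed location
    [switch]$Remove                                             # report only unless set
)

# The last segment of each path in the article is the value name; the rest is the key.
$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';             Name = 'Debugger' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework';                                 Name = 'DbgManagedDebugger' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name = 'Debugger' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework';                     Name = 'DbgManagedDebugger' }
)

# Collect only the entries that are actually present on this server.
$found = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        New-Object PSObject -Property @{ Key = $t.Key; Name = $t.Name; Data = $item.($t.Name) }
    }
}

if (-not $found) {
    Write-Output 'No JIT debugger is registered; nothing to do.'
    return
}

$found | Format-List Key, Name, Data

if ($Remove) {
    # Keep the old data: without it the debugger cannot be re-registered
    # short of repairing or reinstalling Visual Studio.
    $found | Select-Object Key, Name, Data | Export-Csv -Path $BackupPath -NoTypeInformation
    foreach ($f in $found) {
        Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name
        Write-Output "Removed value '$($f.Name)' from $($f.Key)"
    }
    Write-Output "Previous values saved to $BackupPath"
}
```

Removing the values only suppresses the dialog; the event log entry is still written on each timer service recycle.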

18 Comments


  1. Thanks.  This has been slightly annoying.

    Reply

  2. Hi Stefan

    I am pretty sure you'll help me on this one. I always get an error which is more or less the same as the one on this blog.

    Error details:

    An unhandled exception

    ('System.ServiceModel.EndpointNotFoundException')  occurred in OWSTIMER.EXE [5452].

    Please help!

    Regards,

    Sepaka – South Africa

    Reply

  3. Hi Sepaka,

    This error comes when you don't have "Forefront Identity Manager Service" started. Just go to services.msc console and start the Forefront Identity Manager Service. This error will go.

    Hope this helps,

    Anupam

    Reply

  4. I'm really bothered by the suggested solution – hiding the debugger popup doesn't solve the problem; it just masks it. And there may be other reasons a user wants the JIT debugger available.

    Given your position, may I politely recommend coming up with a solution to clear the keyset? The articles you reference are talking about when custom code creates a keyset and don't clean up after themselves; but it seems that in this case SharePoint is doing it. So take the time to figure out *why* SharePoint is doing it, and how we out here can clean up after it.

    Thanks.

    Reply

  5. Hi Philo,

    I'm not exactly sure what you mean.

    The keyset exists in memory of OWSTIMER.EXE. During shutdown of this process the keyset should be cleaned up to avoid the problem but it is not to avoid the exception. After the process is terminated the keyset no longer exists – so there is nothing to be cleaned up.

    Cheers,

    Stefan

    Reply

  6. Hi Stefan,

    Thanks for your solution but my system shows me ('System.Security.Cryptography.CryptographicException') in OWSTIMER.EXE [6832]. What do you think about this?

    br

    Rober

    Reply

  7. Hi Rober,

    what exactly do you mean? That is exactly the message I talked about in this article.

    Cheers,

    Stefan

    Reply

  8. "This error comes when you don't have "Forefront Identity Manager Service" started. Just go to services.msc console and start the Forefront Identity Manager Service. This error will go. -Anupam"

    I am getting this error and Forefront Identity Manager Service is running on my box.

    Reply

  9. @Scott: correct. The error is not related to FIM.

    Reply

  10. I had the same question as Rober. My error is "An unhandled exception ('System.Security.Cryptography.CryptographicException') occurred in OWSTIMER.EXE [1620]".

    Note his error number was 6832, mine is 1620, and further I have never received a message related to "KeySet does not exist". So are all these actually the same error despite the different error numbers?

    Reply

  11. Hi Barkingdog,

    I assume you are talking about the dialog box. The dialog box does not talk about the keyset.

    The number in "[" "]" is the process id. So that will be different any time you get it.

    Cheers,

    Stefan

    Reply

  12. Hi Stefan,

    Is there any side effect if we delete those two registry keys?

    Reply

  13. Hi Chen,

    yes – the Debugger will no longer kick in when an application crashes.

    So if this is your development machine and you would like to debug application crashes you should keep the registry keys.

    Cheers,

    Stefan

    Reply

  14. Wondering if this has been resolved in a CU or Service Pack? Seems like the root cause is simply a missing try block?

    Reply

  15. I agree, this is a terrible "solution." A good solution would include either how to get the key to exist for the .NET Finalizer or to have the processes not care about the key if it's not necessary in this context.

    Reply

  16. Hi Stefan,

    The error message that you have mentioned in your post is the exact error I am getting in my event viewer.

    But the problem is I don't have Visual Studio installed on the server.
    This event ID is generated only on Sunday after the "Timer Service Recycle Job" is completed. I have changed the "Timer Service Recycle" time to 6pm and even started the protected storage service. What can be the solution then?

    Thanks,
    Ashwin

    Reply

  17. Hi Ashwin,
    afaik you cannot prevent the event log entry – just ignore it.
    You can only prevent the popup from showing up.
    Cheers,
    Stefan

    Reply
