All agents staying in 'Unknown' status, error "Failed to generate key" in logs. (NETIQKB72360)

  • 7772360
  • 26-May-2010
  • 06-Mar-2012


SM 6.5


All agents are showing as Unknown.
There are no events being seen.
There are errors in "C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager\Log Files\NqSmSvc.txt" such as: "ERROR Workflow.Crypt: CNqCryptKey::GenerateKey - Failed to generate key, code 5, reason: Access is denied."


Configuring Permissions for Default Central Computer Authentication

By default, when you install a Security Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store. Members of the Administrators group on the local computer can access the private keys of certificates installed in the LocalMachine store.

In order for Security Manager to function properly, the service account used to run Security Manager must be a member of the local Administrators group on the central computer or otherwise have access to the private key of the self-signed certificate. If the service account cannot access the private key for the default Security Manager certificate, the NetIQ Security Manager service cannot start, and the central computer generates an event 21337 in the Application event log.

To resolve this issue, review the access control list (ACL) of the key container file to ensure the service user has Read and Execute permissions, at minimum. The event 21337 description identifies the key container file name. Check the ACL of the key container file located in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder to ensure the Security Manager service account has at least Read and Execute permissions. For more information about key containers, see the following article on the Microsoft support site:


The certificate store in has incorrect permissions, preventing the SM Core Service from accessing or using the certificates.

Additional Information

Formerly known as NETIQKB72360