Environment
SM 6.5
Situation
All agents are showing as Unknown.
There are no events being seen.
There are errors in "C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager\Log Files\NqSmSvc.txt" such as: "ERROR Workflow.Crypt: CNqCryptKey::GenerateKey - Failed to generate key, code 5, reason: Access is denied."
There are no events being seen.
There are errors in "C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager\Log Files\NqSmSvc.txt" such as: "ERROR Workflow.Crypt: CNqCryptKey::GenerateKey - Failed to generate key, code 5, reason: Access is denied."
Resolution
Configuring Permissions for Default Central Computer Authentication
By default, when you install a Security Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store. Members of the Administrators group on the local computer can access the private keys of certificates installed in the LocalMachine store.
In order for Security Manager to function properly, the service account used to run Security Manager must be a member of the local Administrators group on the central computer or otherwise have access to the private key of the self-signed certificate. If the service account cannot access the private key for the default Security Manager certificate, the NetIQ Security Manager service cannot start, and the central computer generates an event 21337 in the Application event log.
To resolve this issue, review the access control list (ACL) of the key container file to ensure the service user has Read and Execute permissions, at minimum. The event 21337 description identifies the key container file name. Check the ACL of the key container file located in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder to ensure the Security Manager service account has at least Read and Execute permissions. For more information about key containers, see the following article on the Microsoft support site:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
By default, when you install a Security Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store. Members of the Administrators group on the local computer can access the private keys of certificates installed in the LocalMachine store.
In order for Security Manager to function properly, the service account used to run Security Manager must be a member of the local Administrators group on the central computer or otherwise have access to the private key of the self-signed certificate. If the service account cannot access the private key for the default Security Manager certificate, the NetIQ Security Manager service cannot start, and the central computer generates an event 21337 in the Application event log.
To resolve this issue, review the access control list (ACL) of the key container file to ensure the service user has Read and Execute permissions, at minimum. The event 21337 description identifies the key container file name. Check the ACL of the key container file located in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder to ensure the Security Manager service account has at least Read and Execute permissions. For more information about key containers, see the following article on the Microsoft support site:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
Cause
The certificate store in has incorrect permissions, preventing the SM Core Service from accessing or using the certificates.
Additional Information
Formerly known as NETIQKB72360