Microsoft KB Archive/278381

= Default permissions for the MachineKeys folders =

Article ID: 278381

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows NT 4.0 Service Pack 4
 * Microsoft Windows NT 4.0 Service Pack 5
 * Microsoft Windows NT 4.0 Service Pack 6
 * Microsoft Windows NT 4.0 Service Pack 6a
 * Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 4
 * Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 5
 * Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 6

-



This article was previously published under Q278381



SUMMARY
The MachineKeys folder stores certificate pair keys for both the computer and users. Both Certificate services and Internet Explorer use this folder. The default permissions on the folder may be misleading when you attempt to determine the minimum permissions that are necessary for proper installation and the accessing of certificates.



MORE INFORMATION
The MachineKeys folder is located under the All Users Profile\Application Data\Microsoft\Crypto\RSA folder. If the administrator did not set the folder to the minimum level, a user may receive the &quot;Failed to Generate Certificate Request&quot; and &quot;Internal Server Error: The Private Key that you are importing might require a cryptographic service provider that is not installed on your system&quot; error messages when the user generates a server certificate by using Microsoft Internet Information Server (IIS). The following settings are the default permissions for the MachineKeys folder: Administrator (Full Control)     This folder only Everyone   (Special)       This folder, subfolders, and files SYSTEM     (Full Control)      This folder, subfolders, and files To view the special permissions for the Everyone group, right-click the MachineKeys folder, click Advanced on the Security tab, and then click View/Edit. The permissions consist of the following permissions:
 * List Folder/Read Data
 * Read Attributes
 * Read Extended Attributes
 * Create Files/Write Data
 * Create Folders/Append Data
 * Write Attributes
 * Write Extended Attributes
 * Read Permissions

Select the Reset Permissions on all Child objects and enable propagation of inheritable permissions check box. The administrator does not have full control on child objects to protect a user's private part of the key pair. However, the administrator can still delete certificates for a user.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server

812614 Default permissions and user rights for IIS 6.0

Additional query words: CA cert FEK encryption IIS keyset not found

Keywords: kbinfo kbenv KB278381

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.