Troubleshooting certificate-based replication: no permissions to the private key

Certificate-based authentication for replication requires the local VDFS service account (NT SERVICE\vdfssvc) to have Read access to the private key of the replication certificate installed on the server.

VisualSVN Server Manager console automatically grants the required permission when you select the certificate. In some cases, however, the permission cannot be granted automatically and manual configuration is required. You may need to contact the system administrator for assistance if you do not have the privileges to manage the private key. This article describes the typical errors that occur when the replication certificate's private key cannot be accessed and the steps to resolve them.

Tip
To learn more about certificate-based authentication, read the article KB119: Understanding certificate-based authentication for replication. A detailed summary of replication certificates is available in the article KB121: Understanding Replication Certificates.

Error 1: Cannot acquire the private key for the certificate

This error occurs when VisualSVN Server Manager console is unable to access the private key of the replication certificate.

Cannot acquire the private key for the certificate

Please make sure that the private key associated with the selected certificate exists in server's local machine store and you have permissions to access it.

Cannot acquire private key for the certificate: Keyset does not exist (0x80090016)

The error occurs when your user account does not have permission to access the private key, or when the private key is missing.

Resolution

The Replication Certificate Selection dialog box lists only suitable certificates that have an associated private key. Therefore, the most likely root cause is that your user account does not have the privileges to access the private key.

Please contact your system administrator and request either that you be granted permission to access the private key, or that the NT SERVICE\vdfssvc service be granted the necessary permission manually. The steps for granting NT SERVICE\vdfssvc the necessary permission are given below in the section How to grant permissions to the private key.

Error 2: Cannot automatically adjust permissions for the certificate's private key

This error occurs when VisualSVN Server Manager console fails to automatically grant the NT SERVICE\vdfssvc account Read permission to the replication certificate's private key.

Cannot automatically adjust permissions for the certificate's private key

Please make sure that you have full access to the private key associated with the selected certificate or ask your system administrator to grant VisualSVN Distributed File System Service (NT SERVICE\vdfssvc) read access to this private key.

Cannot set security descriptor for the key: Access denied. (0x80090010)

Resolution

This error indicates that your user account does not have the privileges required to change the private key permissions.

Please contact your system administrator and request either that you be granted permission to change the private key permissions, or that the NT SERVICE\vdfssvc service be granted the necessary permission manually. The steps for granting NT SERVICE\vdfssvc the necessary permission are given below in the section How to grant permissions to the private key.

Error 3: VDFS service cannot access private key for the configured replication certificate

The VisualSVN Distributed File System (VDFS) service fails to start, and the following error event is logged to the VisualSVN Server Replication event log.

VisualSVN Distributed File System Service failed to start due to the following error:
Cannot access private key for the configured replication certificate: The credentials supplied to the package were not recognized

You may see the following error message when performing tasks in the VisualSVN Server Manager console.

Cannot initialize certificate-based authentication

Please make sure the VisualSVN Distributed File System Service (NT SERVICE\vdfssvc) has read access to the private key associated with the replication certificate for this server.

Cannot configure RPC binding authentication: The security context is invalid.

Resolution

You should grant the NT SERVICE\vdfssvc account Read permission to the private key of the replication certificate. You may need to contact the system administrator for assistance if your user account does not have the privileges to change the private key permissions.

The steps for granting the necessary permission are given below in the section How to grant permissions to the private key.

How to grant permissions to the private key

Follow these steps to manually grant the NT SERVICE\vdfssvc account Read permission to the private key:

  1. Open the Certificates snap-in to manage the Local Machine certificate store (Computer account):
    • Windows Server 2012 and newer: start certlm.msc.
    • Windows Server 2008 R2: start mmc.exe and add the Certificates snap-in to manage certificates for the Computer account. See the article TechNet | Add the Certificates Snap-in to an MMC for detailed instructions.
  2. Navigate to the Personal certificate store and locate the required replication certificate.
  3. Select the certificate and run the command Actions | All Tasks | Manage Private Keys.
  4. Provide the service account NT SERVICE\vdfssvc with Read permission to the private key.
  5. Click Apply.
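The same steps can be scripted, which is useful when the replication certificate is deployed to several servers or when you want to verify the permission after the fact. The following PowerShell script is an added example and is not part of the VisualSVN KB article or the VisualSVN Server product: it locates the on-disk key container file behind the certificate's private key, checks whether NT SERVICE\vdfssvc already has Read access, and adds a Read (not Full Control) entry if it does not, matching step 4 above. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6 or later, an elevated session, an RSA key in the Local Machine Personal store, and that you supply the certificate's thumbprint; the thumbprint value is a placeholder you must replace.

```powershell
# Added example, not from the VisualSVN KB article: grant NT SERVICE\vdfssvc
# Read access to the replication certificate's private key file and verify it.
# Assumptions: elevated Windows PowerShell 5.1+ (.NET Framework 4.6+), an RSA
# key in Cert:\LocalMachine\My, and a thumbprint supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                          # e.g. 'THUMBPRINT-PLACEHOLDER'
    [string]$ServiceAccount = 'NT SERVICE\vdfssvc'  # resolves only if the VDFS service is installed
)

# Resolve the key container file. Legacy CSP keys live under RSA\MachineKeys,
# CNG keys under Keys; the key's unique name is the file name in both cases.
function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in the local machine store."
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw 'Only RSA private keys are handled by this example.'
    }

    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    foreach ($sub in 'RSA\MachineKeys', 'Keys') {
        $candidate = Join-Path (Join-Path $cryptoRoot $sub) $uniqueName
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    throw "Key container file '$uniqueName' was not found under $cryptoRoot."
}

# True when the account has an Allow entry whose rights include Read.
function Test-PrivateKeyReadAccess {
    param([string]$KeyFilePath, [string]$Account)

    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -LiteralPath $KeyFilePath
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readRight) -eq $readRight)) {
            return $true
        }
    }
    return $false
}

# Add a Read-only ACE for the service account; nothing more is required.
function Grant-PrivateKeyReadAccess {
    param([string]$KeyFilePath, [string]$Account)

    $acl = Get-Acl -LiteralPath $KeyFilePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFilePath -AclObject $acl
}

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$keyFile = Get-PrivateKeyFilePath -Certificate $cert
Write-Host "Private key file: $keyFile"

if (Test-PrivateKeyReadAccess -KeyFilePath $keyFile -Account $ServiceAccount) {
    Write-Host "$ServiceAccount already has Read access."
} else {
    Grant-PrivateKeyReadAccess -KeyFilePath $keyFile -Account $ServiceAccount
    if (Test-PrivateKeyReadAccess -KeyFilePath $keyFile -Account $ServiceAccount) {
        Write-Host "Granted Read access to $ServiceAccount."
    } else {
        throw "Failed to grant Read access to $ServiceAccount on $keyFile."
    }
}
```

Run the script from an elevated prompt as .\Grant-VdfsKeyAccess.ps1 -Thumbprint <thumbprint of the replication certificate> (the script name is arbitrary). If Set-Acl fails with an access-denied error, your account lacks the same privilege the console needs for Error 2, and the request to the system administrator in that section applies. The Test-PrivateKeyReadAccess function on its own is a quick way to confirm the permission on a server that reports Error 3 before restarting the VDFS service.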

See also

KB119: Understanding certificate-based authentication for replication
KB120: Getting started with VDFS replication in a non-domain environment
KB121: Understanding Replication Certificates
