While running the script tool '.\Platform.Configuration.Tool.ps1 -readiness', always get an error: AppPool user Identity does not have access to the private key certificate.
Issue/Error: While running the script tool '.\Platform.Configuration.Tool.ps1 -readiness', always get an error:
- AppPool user Identity does not have access to the private key certificate.
Troubleshooting:
- The certificate exists in Personal folder of certificate manager (certlm.msc)
- The IIS_IUSRS has already been granted with the permission of the certificate
- IIS application pools (Orchestrator/Identity) are both using default ApplicationPoolIdentity
- Running the command "certutil -v -verifystore My" shows everything as expected, including the following users and permissions on the private key:
Allow Full Control NT AUTHORITY\SYSTEM
Allow Full Control BUILTIN\Administrators
Allow Full Control BUILTIN\IIS_IUSRS
Allow Read NT AUTHORITY\LogonSessionId_0_1126700
Resolution:
According to the error message (AppPool user Identity does not have access to the private key certificate.), the script also checks the permissions of an additional application pool user, IIS APPPOOL\Identity. You therefore need to grant the Identity App Pool user access to the certificate's private key as well.
Add the Identity App Pool user with the steps below:
- Open the certificate store and open the Personal folder
- Right-click on the Certificate you are using for the Orchestrator and select "All Tasks" and then "Manage Private Keys".
- In the "Permissions" dialog, click "Add".
- In the "Select Users, Computers, Service Accounts, or Groups" window, type the name "IIS APPPOOL\Identity" and then click "Check Names" to verify it resolves.
- Click "OK" to add the group to the list of permissions.
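As an added example (not from this article or from the product's own tooling), the following PowerShell script performs the same check the readiness tool does and applies the fix: it locates the private key file behind a certificate in the LocalMachine\My store and grants the Identity App Pool user Read access if it is missing. The thumbprint parameter and the key-file lookup under %ProgramData%\Microsoft\Crypto are assumptions about the environment, not values taken from the article.

```powershell
# Added example: verify and, if needed, grant an app pool identity Read access
# to a certificate's private key. Run in an elevated PowerShell session.
# Assumptions: the certificate is addressed by thumbprint (placeholder, supply
# your own), lives in Cert:\LocalMachine\My, and its key file is stored under
# %ProgramData%\Microsoft\Crypto (CNG: \Keys, CAPI: \RSA\MachineKeys).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $Identity = 'IIS APPPOOL\Identity'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

# Resolve the on-disk key container name. CNG keys expose it via CngKey.UniqueName,
# legacy CAPI keys via CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

$keyRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
$keyFile = Get-ChildItem -Path $keyRoot -Recurse -Filter $uniqueName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$uniqueName' not found under $keyRoot." }

# Check the key file's ACL for an explicit Allow entry that includes Read for the identity.
$acl = Get-Acl -Path $keyFile.FullName
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
}

if ($hasRead) {
    Write-Host "$Identity already has Read access to the private key ($($keyFile.FullName))."
} else {
    # Grant Read only; the app pool never needs Full Control over the key file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Host "Granted Read on the private key to $Identity."
}
```

After running it, re-run the readiness check; the certutil listing above should now also show an Allow Read entry for IIS APPPOOL\Identity.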