Imagine the anticipation of upgrading your Exchange 2019 on-premises server with a new CU, each step carefully executed, only to hit a roadblock at Step 12: Mailbox role – Client Access Front End service. As the setup grinds to a halt, an unsettling error message appears, signaling a common yet frustrating challenge: Exchange setup fails.

Exchange setup fails with a certificate error

It’s time to decide whether to roll back to a previous state or investigate further to troubleshoot it. I hope this article helps you get back on track quickly. Luckily, the Exchange setup has a routine to continue a failed installation.

I encountered the following error message.

Exchange Setup fails with a Certificate error
Error:
The following error was generated when "$error.Clear(); 
          Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
          Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleUnauthorizedAccessException: Insufficient rights to grant Network Service access to the certificate with thumbprint 2CE1FD66F37E4AB76DEBAC75D92977B6BD2DE3C9. ---> System.UnauthorizedAccessException: Certificate ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The part of the error that explains why the Exchange setup fails is this message:

Insufficient rights to grant Network Service access to the certificate with thumbprint 2CE1FD66F37E4AB76DEBAC75D92977B6BD2DE3C9. ---> System.UnauthorizedAccessException: Certificate ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

There are two reasons for it:

  • The built-in account ‘Network Service’ does not have Full Control rights on the private key.
  • The private key is not exportable.

I use a Let’s Encrypt certificate with the win-acme client.

Exchange setup fails: Reason 1:

The built-in Network Service account doesn’t have ‘Full Control’ rights to private keys.

How can I check that?

Use Windows Search, type in ‘cert’, and choose ‘Manage computer certificates’.

Certificate management store

Choose the certificate in the Personal store, right-click it, select ‘All Tasks’, then ‘Manage Private Keys’, and check the permissions.

Certificate management store private keys

The ‘Network Service’ account should have ‘Full Control’ rights.

Private keys permissions

Exchange Setup fails: Reason 2

If you right-click the certificate, choose ‘All Tasks’, ‘Manage Private Keys’, and get the message ‘Private key not exportable’, the ACME client marked the certificate’s private key as not exportable when it requested the certificate. To resolve that, you need to change how the ACME client requests the certificate.

You need to amend the ‘settings.json’ file in your Acme directory.

settings json
acme client privatekeyexportable

Now you need to renew the certificate with the acme-client.

wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/" --force

You can force a renewal of the certificate with the above command.
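To confirm both conditions from the command line before restarting setup, the following script reports whether Network Service has Full Control on the private key file and whether the key is exportable. It is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 session, an RSA certificate in the LocalMachine\My store, and a placeholder thumbprint that you replace with the one from your setup error.

```powershell
# Added example: check the two causes described in this article for one certificate.
# Placeholder: paste the thumbprint reported in the setup error.
$Thumbprint = '<THUMBPRINT-FROM-SETUP-ERROR>'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

# RSA keys only. GetRSAPrivateKey returns RSACng for CNG keys and
# RSACryptoServiceProvider for legacy CSP keys. If the key container is missing,
# this call itself throws "Keyset does not exist".
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No RSA private key (ECDSA certificates are not handled here).' }

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName    = $rsa.Key.UniqueName
    $exportable = $rsa.Key.ExportPolicy.HasFlag(
        [System.Security.Cryptography.CngExportPolicies]::AllowExport)
} else {
    $keyName    = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}

# Machine key files live in one of these directories, named after the container.
$keyFile = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys" |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key stores." }

# Read the ACL as SIDs so the check does not depend on the OS display language.
$rules = (Get-Acl -LiteralPath $keyFile).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$nsFullControl = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-20' -and   # NT AUTHORITY\NETWORK SERVICE
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($full)
})

[pscustomobject]@{
    Thumbprint                = $cert.Thumbprint
    KeyFile                   = $keyFile
    NetworkServiceFullControl = $nsFullControl
    PrivateKeyExportable      = $exportable
}
```

Both `NetworkServiceFullControl` and `PrivateKeyExportable` should read `True` for the renewed certificate before you start setup.exe again.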

Now, you can successfully install the Exchange Server 2019 CU. Start the Exchange Server 2019 setup.exe again without first rebooting the server. Exchange will show an ‘Incomplete Installation Detected’ message and continue the installation. It should finish without any further errors.

For these unforeseen situations, I highly recommend backing up the server before installing any update for the Exchange Server – in most cases, it is a VM – and making a snapshot.

I had the same situation when I installed CU12 of Exchange Server 2019. Since I didn’t know how to resolve it, I decided to revert the snapshot and have time to investigate the issue.

I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at info@edywerder.ch. Your thoughts and insights are always appreciated. Additionally, you can connect with me on Reddit at Navigatetech.
