I am trying to create Client Certificates Authentication for my asp.net Website.
In order to create client certificates, I need to create a Certificate Authority first:
I was getting this error when trying to bind a localhost pfx cert for my development machine. Before I tried any of the above, I tried something simpler first.
Everything seems to work after that.
This must be some kind of IIS bug, but I found the solution.
1- Export MyPersonalCA.pfx from IIS.
2- Convert it to .pem:
openssl pkcs12 -in MyPersonalCA.pfx -out MyPersonalCA.pem -nodes
3- Convert it back to .pfx:
openssl pkcs12 -export -in MyPersonalCA.pem -inkey MyPersonalCA.pem -out MyPersonalCA.pfx
4- Import it back to IIS.
I got this error due to a wrong openssl command line when exporting the PKCS #12 certificate. The -certfile key was wrong. I exported the certificate again and it was imported successfully.
I just had this issue today and feel compelled to post my solution in the hope that you will lose less hair than I've just done.
After trying the solutions above, we had to re-issue the SSL certificate from the SSL provider (RapidSSL issuing as a reseller for GeoTrust).
There was no cost with this process, just the five-minute wait while the confirmation emails (admin@) arrived, and we gained access again.
Once we had the response, we used IIS > Server Certificates to install it. We did not need the MMC snap-in.
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO5757
We kept a remote desktop window to the server open throughout, to avoid any issues with differing login accounts/sessions, etc. I do believe it is an IIS bug as another expert believes, as we only have one RDC account. What is most infuriating is that the very same certificate has been working perfectly for two months before suddenly "breaking".
We found another cause for this. If you are scripting the certificate install using PowerShell and used the Import-PfxCertificate command, this will import the certificate. However, the imported certificate cannot be bound to a website in IIS, with the same error as this question mentions. You can list certificates using this command and see why:
certutil -store My
This lists the certificates in your Personal store and you will see this property:
Provider = Microsoft Software Key Storage Provider
This storage provider is a newer CNG provider and is not supported by IIS or .NET. You cannot access the key. Therefore you should use certutil.exe to install certificates in your scripts. Importing using the Certificate Manager MMC snap-in or IIS also works but for scripting, use certutil as follows:
certutil -f -p password -importpfx My .\cert.pfx NoExport
See this article for more information: https://windowsserver.uservoice.com/forums/295065-security-and-assurance/suggestions/18436141-import-pfxcertificate-needs-to-support-legacy-priv
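The check described in the answer above (reading the Provider line that `certutil -store My` prints for each certificate), as an added PowerShell example that is not part of any answer on this page. The function name `Get-CertKeyProvider` and the sample output, including subjects, container names and hashes, are constructed for illustration.

```powershell
# Added example. Parses the text printed by `certutil -store My` and reports
# each certificate's key provider. Get-CertKeyProvider is a name chosen here.
function Get-CertKeyProvider {
    param([Parameter(Mandatory)][string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            # A new certificate block starts: emit the previous one, if any.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{
                Index = [int]$Matches[1]; Subject = $null
                Thumbprint = $null; Provider = $null; CngKsp = $false
            }
        }
        elseif ($null -eq $current) { continue }   # header lines before block 0
        elseif ($line -match '^Subject:\s*(.+)$') { $current.Subject = $Matches[1].Trim() }
        elseif ($line -match '^Cert Hash\(sha1\):\s*(.+)$') {
            $current.Thumbprint = $Matches[1] -replace '\s', ''
        }
        elseif ($line -match '^\s*Provider = (.+)$') {
            $current.Provider = $Matches[1].Trim()
            # The provider the answer above reports as failing to bind in IIS.
            $current.CngKsp = $current.Provider -eq 'Microsoft Software Key Storage Provider'
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Constructed sample output (subjects, containers and hashes are made up).
$sample = @'
My "Personal"
================ Certificate 0 ================
Subject: CN=site-a.example.test
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
  Key Container = constructed-container-a
  Provider = Microsoft Software Key Storage Provider
================ Certificate 1 ================
Subject: CN=site-b.example.test
Cert Hash(sha1): ffeeddccbbaa99887766554433221100ffeeddcc
  Key Container = constructed-container-b
  Provider = Microsoft RSA SChannel Cryptographic Provider
CertUtil: -store command completed successfully.
'@ -split "`r?`n"

# On a server, pass the live output instead: Get-CertKeyProvider -Lines (certutil -store My)
Get-CertKeyProvider -Lines $sample | Where-Object CngKsp |
    Format-Table Index, Subject, Thumbprint, Provider -AutoSize
```

With the sample input only Certificate 0 is listed, since it is the one whose key sits in the provider that answer names.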
In our case this problem occurred because we had installed the certificate in a Virtual Machine and made an image of it for further use.
When creating another VM from the image previously created, the certificate sends the message.
To avoid this, be sure to install the certificate on every new VM installed.