Windows Server 2012 R2 – Add cluster node / Cluster Service “Keyset does not exist”

I recently came across an error where the Cluster Service stopped on a Windows Server 2012 R2 failover cluster and would not start.  Event Logs generated were:

Event ID: 7024
The Cluster Service service terminated with the following service-specific error:
Keyset does not exist

Event ID: 7031
The Cluster Service service terminated unexpectedly. It has done this 282 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

After numerous failed attempts to get the Cluster Service to start, I evicted the node from the cluster and ran Clear-ClusterNode.  When joining the node back into the cluster I got the error “Keyset does not exist” once again.

The fix was to correct the permissions on the C:\ProgramData\Microsoft\Crypto\RSA folder.

Every item (System File) under the MachineKeys folder should be configured as follows:
Inheritance – Off
Owner : Administrators
SYSTEM – Full Control
Administrators – Full Control

Once the permissions have been set correctly on the MachineKeys items, the MachineKeys folder should be set as follows:
Inheritance – Off
Owner: Administrators
Administrators – Full Control (This folder only)
Everyone – Read + Write (This folder only)

After the above permissions were set I was able to join the node back to the cluster and the cluster service started.  I still haven’t found a root cause as to why the permissions changed.  I was able to identify the correct permissions by looking at a working cluster node.
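A read-only way to compare a node against the item-level settings listed above, run from an elevated PowerShell session. This is an added example, not the author's script; the function name `Test-KeyFileAcl` and the report layout are assumptions made for illustration. It changes nothing on disk and lists items carrying extra identities so they can be reviewed rather than overwritten.

```powershell
# Added example: audit only, no ACL is modified.
$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# Well-known SIDs, so the check does not depend on localized account names.
$sidAdmins = 'S-1-5-32-544'   # BUILTIN\Administrators
$sidSystem = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

function Test-KeyFileAcl {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $owner   = $acl.GetOwner($sidType).Value
    $rules   = $acl.GetAccessRules($true, $true, $sidType)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    # True when the given SID holds an Allow rule that includes Full Control.
    $hasFull = {
        param($sid)
        [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
    }
    # Any identity other than SYSTEM or Administrators is reported, not judged.
    $extra = $rules | Where-Object { $_.IdentityReference.Value -notin $sidAdmins, $sidSystem }

    [pscustomobject]@{
        Name            = Split-Path -Leaf $Path
        InheritanceOff  = $acl.AreAccessRulesProtected
        OwnerIsAdmins   = $owner -eq $sidAdmins
        SystemFull      = & $hasFull $sidSystem
        AdminsFull      = & $hasFull $sidAdmins
        ExtraIdentities = ($extra.IdentityReference.Value | Sort-Object -Unique) -join ','
    }
}

# -Force includes hidden and system files, which is what MachineKeys holds.
$report = foreach ($file in Get-ChildItem -LiteralPath $machineKeys -File -Force) {
    try   { Test-KeyFileAcl -Path $file.FullName }
    catch { Write-Warning "Could not read ACL on $($file.Name): $($_.Exception.Message)" }
}

# Show only items that differ from the settings listed above or carry extra identities.
$report | Where-Object {
    -not ($_.InheritanceOff -and $_.OwnerIsAdmins -and $_.SystemFull -and $_.AdminsFull) -or
    $_.ExtraIdentities
} | Format-Table -AutoSize
```

Running the same audit on a working cluster node gives a baseline to compare against before any permission is changed.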



Author: Chris Hayward


  1. Thanks! This fix worked for me on a Win2k12R2 cluster hosting a SQL2014 clustered instance.
  2. Thank you… Was having the same issue failing over one of the SQL cluster names, causing the error “Kerberos Authentication support enabled. Failed to add required credentials to the LSA – the associated error code is ‘-2146893802’”. The above really works. Thank you so much.
  3. There is a single file in that folder that has an extra set of permissions, to do with networking. Do not change its permissions, else you lose RDP ability.