Windows Server 2012 R2 – Add cluster node / Cluster Service “Keyset does not exist”

I recently came across an error where the Cluster Service stopped on a Windows Server 2012 R2 failover cluster and would not start.  Event Logs generated were:

Event ID: 7024
The Cluster Service service terminated with the following service-specific error:
Keyset does not exist

Event ID: 7031
The Cluster Service service terminated unexpectedly. It has done this 282 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

After numerous failed attempts to get the Cluster Service to start I evicted the node from the cluster and ran Clear-Clusternode.  When joining the node back into the cluster I got the error “Keyset does not exist” once again.

The fix was to correct the permissions on the C:\ProgramData\Microsoft\Crypto\RSA folder.

Every item (System File) under the MachineKeys folder should be configured as follows:
Inheritance – Off
Owner: Administrators
SYSTEM – Full Control
Administrators – Full Control

Once the permissions have been set correctly on the MachineKeys items, the MachineKeys folder should be set as follows:
Inheritance – Off
Owner: Administrators
Administrators – Full Control (This folder only)
Everyone – Read + Write (This folder only)

After the above permissions were set I was able to join the node back to the cluster and the cluster service started.  I still haven’t found a root cause as to why the permissions changed.  I was able to identify the correct permissions by looking at a working cluster node.
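The following read-only audit is an added example, not part of the original post: it compares the MachineKeys folder and each item in it against the permissions listed above and reports only the deviations. It assumes the default path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and an elevated PowerShell session, and it matches accounts by well-known SID so it works on non-English systems.

```powershell
# Added example: read-only audit, changes nothing. Run elevated on the node.
$path      = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # assumed default location
$SidType   = [System.Security.Principal.SecurityIdentifier]
$System    = 'S-1-5-18'; $Admins = 'S-1-5-32-544'; $Everyone = 'S-1-1-0'   # well-known SIDs
$Full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadWrite = [System.Security.AccessControl.FileSystemRights]'Read, Write'

function Test-Allow($Acl, $Sid, $Rights, [switch]$ThisFolderOnly) {
    # True if some Allow ACE for $Sid grants at least $Rights (extra ACEs are not flagged)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate($SidType).Value } catch { continue }
        if ($aceSid -ne $Sid) { continue }
        if (($ace.FileSystemRights -band $Rights) -ne $Rights) { continue }
        if ($ThisFolderOnly -and $ace.InheritanceFlags -ne 'None') { continue }
        return $true
    }
    return $false
}

function Get-AclFinding($Item, [bool]$IsFolder) {
    # Returns '' when the item matches the baseline, otherwise a list of deviations
    try { $acl = Get-Acl -LiteralPath $Item -ErrorAction Stop }
    catch { return "cannot read ACL: $($_.Exception.Message)" }
    $f = @()
    if (-not $acl.AreAccessRulesProtected) { $f += 'inheritance is on' }
    if ($acl.GetOwner($SidType).Value -ne $Admins) { $f += "owner is $($acl.Owner)" }
    if (-not (Test-Allow $acl $Admins $Full -ThisFolderOnly:$IsFolder)) {
        $f += 'Administrators lacks Full Control'
    }
    if ($IsFolder) {
        if (-not (Test-Allow $acl $Everyone $ReadWrite -ThisFolderOnly)) {
            $f += 'Everyone lacks Read + Write (this folder only)'
        }
    } elseif (-not (Test-Allow $acl $System $Full)) {
        $f += 'SYSTEM lacks Full Control'
    }
    return ($f -join '; ')
}

# Folder first, then every key file (-Force includes hidden and system files)
$results = @([pscustomobject]@{ Item = $path; Finding = Get-AclFinding $path $true }) +
    @(Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Item = $_.Name; Finding = Get-AclFinding $_.FullName $false } })

$bad = @($results | Where-Object Finding)
if ($bad.Count) { $bad | Format-Table -AutoSize -Wrap } else { 'All items match the baseline.' }
```

Running the same script on a working cluster node gives a reference result to compare against.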

 

 

6 Replies to “Windows Server 2012 R2 – Add cluster node / Cluster Service “Keyset does not exist””

  1. Thank you… Was having the same issue failing over one of the SQL cluster names, causing the error “Kerberos Authentication support enabled. Failed to add required credentials to the LSA – the associated error code is ‘-2146893802’”. The above really works. Thank you so much.

  2. Thank you, never had this weird behavior and this seems the only place where the actual problem and solution has been posted, saved me hours of troubleshooting with support

  3. I spent a lot of hours trying to fix this through different sets of checks and procedures and tried to google too, but nowhere did I get an appropriate solution.

    This worked perfectly! Thank you so much Chris, you saved my days!!!
