Categories: AWS, EC2, IIS, SSL, Windows

EC2 AMI Sysprep IIS 7.5 SSL Certificate Error 0x80070520

Today I ran into IIS 7.5 SSL certificate binding error 0x80070520 after running sysprep to create a new bundled EC2 AMI. First I launched a Windows 2008 R2 instance from an official Amazon AMI, installed IIS and imported our wildcard SSL certificate to be used on future websites. I then launched the EC2Config service and ran sysprep, created a new AMI (image) of this instance, and launched a new instance based off this AMI. In IIS Manager, I tried to edit the https binding of a site and got the error:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)


This actually has nothing to do with Amazon and is caused by sysprep changing the machine SID, which I believe affects the private key of the certificate, rendering it invalid. You’ll need to remove the certificate and re-import it.

  1. Make sure you have a backup certificate .pfx file or export it including the private key.
  2. Remove the certificate either through the Certificates MMC or in IIS Manager navigate to Server Certificates under the server-level object in the navigation pane, right click and remove.
  3. In the same area, right click and choose Import, browse for your backup pfx and enter the certificate password created during the CSR generation.
  4. Edit the https binding of your site, choose the SSL certificate from the dropdown.

Here is a little bit of information about the duplicate SID myth from Mark Russinovich (the guy who wrote all the Sysinternals software) –

“The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.”

A workaround to this issue is to not import the certificate prior to sysprepping, and instead use this PowerShell script upon first boot to import the certificate.

restore-certificates.ps1
write-applicationeventlog.ps1
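A first-boot import along the lines described above, as an added example and not the author's restore-certificates.ps1: it loads the backup .pfx straight into the LocalMachine store with the private key placed in a machine key container the new instance can open, replaces any stale copy with the same thumbprint, and rebinds the site's https listener. The .pfx path, site name, password prompt and use of the WebAdministration module are assumptions.

```powershell
# Added example, not the author's script. Paths, site name and password source are placeholders.
param(
    [string]$PfxPath  = 'C:\certs\wildcard.pfx',   # assumed location of the backup .pfx (with private key)
    [string]$SiteName = 'Default Web Site',         # assumed IIS site to rebind
    [string]$IpPort   = '0.0.0.0!443'               # IIS:\SslBindings form of 0.0.0.0:443 (':' becomes '!')
)

Import-Module WebAdministration

# Read the PFX password at run time rather than embedding it in a first-boot script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# MachineKeySet: private key goes into the machine key container (the one IIS reads).
# PersistKeySet: keep the key after this object is gone. Exportable: allow a future backup.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet -bor $ksf::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword, $flags)

if (-not $cert.HasPrivateKey) {
    throw "PFX at $PfxPath carries no private key; export it again with the key included."
}

# Drop any stale copy (same thumbprint, unusable key container) before adding the fresh one.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$stale = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
foreach ($s in $stale) { $store.Remove($s) }
$store.Add($cert)
$store.Close()

# Ensure the site has an https binding, then point http.sys at the re-imported certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$bindingPath = "IIS:\SslBindings\$IpPort"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $bindingPath | Out-Null

# Verify the binding now resolves to the certificate we just imported.
$bound = Get-Item $bindingPath
if ($bound.Thumbprint -ne $cert.Thumbprint) { throw "SSL binding for $IpPort did not take." }
Write-Output "Bound $($cert.Subject) ($($cert.Thumbprint)) to $IpPort for '$SiteName'."
```

Run it once on first boot from an elevated PowerShell session; if the binding in IIS Manager still shows the 0x80070520 error afterwards, the .pfx itself is missing the private key.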

Sources:
Thread: Need to reinstall SSL certificate in IIS after instance reboot
IIS 7.0: A Specified Logon Session Does Not Exist
