Unable to Start Microsoft Firewall Service in ISA Server 2006


1. Introduction


 


This scenario is based on a real experience that I was able to reproduce in a lab. The issue was that the Microsoft Firewall service would not start and showed the following error message when I tried to start it manually:


 


 


Figure 1 – Error trying to manually start Microsoft Firewall service.


 


The error -2146885628 means HRESULT 0x80092004L, which is CRYPT_E_NOT_FOUND. Besides this pop-up error message, the following entries were logged in the Application Log:


 



Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 14177
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Some certificates cannot be initialized (error code -2146885628). The Web Proxy filter could not initialize. Check that all certificates used by the Web Proxy filter are valid.


 



Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14060
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
ISA Server could not load the application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with the error code 0x80092004. To attempt to activate this application filter again, stop and restart the Firewall service.


 



Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14001
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Firewall Service failed to initialize. Previous event log entries might help determine the proper action.


 


Of these three events, the first is the main one: it was the first to occur, and the others are just a result of it.
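
The triage described above, as an added example that is not part of the original post: it pulls the three event IDs from the Application log in write order and rewrites every error code as an 8-digit HRESULT, so the decimal code in event 14177 and the hex code in event 14060 show up as the same value. It assumes PowerShell 2.0 or later is installed on the ISA Server computer; the function name ConvertTo-HResultHex is hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: PowerShell 2.0 or later on the ISA Server computer.
$ids = 14177, 14060, 14001   # event IDs quoted in the log entries above

# Hypothetical helper: "-2146885628" (signed decimal) and "0x80092004" (hex)
# are the same HRESULT (CRYPT_E_NOT_FOUND); return both in one hex form.
function ConvertTo-HResultHex([string]$Code) {
    if ($Code -match '^0x[0-9A-Fa-f]{1,8}$') {
        return '0x' + $Code.Substring(2).ToUpper().PadLeft(8, '0')
    }
    return '0x{0:X8}' -f [int32]$Code
}

# The three events share one timestamp, so Index (the order in which the
# entries were written) is used as the tie-breaker to find the first one.
Get-EventLog -LogName Application -EntryType Error |
    Where-Object { $ids -contains $_.EventID } |
    Sort-Object TimeGenerated, Index |
    ForEach-Object {
        # Collect hex or signed-decimal error codes mentioned in the description.
        $codes = [regex]::Matches($_.Message, '0x[0-9A-Fa-f]{8}|-\d{9,10}') |
            ForEach-Object { ConvertTo-HResultHex $_.Value }
        New-Object PSObject -Property @{
            Index   = $_.Index
            Time    = $_.TimeGenerated
            EventID = $_.EventID
            Source  = $_.Source
            HResult = ($codes | Select-Object -Unique) -join ', '
        }
    } |
    Format-Table Index, Time, EventID, Source, HResult -AutoSize
```

The entry with the lowest Index in a failed start attempt is the one to investigate first.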


 


2. Reviewing the Web Listener


 


Certificates are bound to the Web Listener, so first review the listeners to see if anything looks suspicious. Look for things such as:

· Web Listeners that use port 443 but have no certificate bound to them.
· Web Listeners that use certificates that have already expired.
  o Use the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to identify which certificates are expired.
· Web Listeners whose properties you cannot even open.
  o In this case you may receive a catastrophic error, which might indicate that the Web Listener is corrupted. This type of scenario requires further research, which is out of the scope of this post.


 


After reviewing the Web Listener it was possible to see that one of those was using port 443 (Figure 2) but without any certificate bound to it (Figure 3):


 


 


Figure 2 – Web Listener using Port 443.


 



Note: as you can see in Figure 2, the bottom of the window shows that you must have the certificate defined in the Certificates tab when you are using SSL.


 


 


 


Figure 3 – Web Listener with empty certificate selection.


 


This is clearly a problem, and it explains why the Firewall service is not starting.


 


3. Reviewing your Certificate Container in the Local Computer


 


The next step is to verify that the certificates are correctly installed on the ISA Server local computer. Review the steps from the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to do that.
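
A quick way to review the Local Computer Personal store for the certificate problems discussed in sections 2 and 3, as an added example that is not part of the original post or the referenced article. It assumes PowerShell 2.0 or later on the ISA Server computer and an administrator session; the 30-day warning window is an arbitrary choice.

```powershell
# Added example, not from the original post.
# Assumptions: PowerShell 2.0 or later, run as an administrator on the ISA Server.
$now        = Get-Date
$warnWindow = $now.AddDays(30)   # assumed renewal warning window, adjust as needed

# Cert:\LocalMachine\My is the Personal store of the Local Computer account.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $problems = @()

    if ($_.NotBefore -gt $now) {
        $problems += 'not yet valid'
    }
    if ($_.NotAfter -lt $now) {
        $problems += 'expired'
    } elseif ($_.NotAfter -lt $warnWindow) {
        $problems += 'expires within 30 days'
    }
    # A certificate used for an SSL listener needs its private key on this
    # computer, not only the public certificate.
    if (-not $_.HasPrivateKey) {
        $problems += 'no private key'
    }

    New-Object PSObject -Property @{
        Status     = $(if ($problems.Count) { $problems -join '; ' } else { 'OK' })
        NotAfter   = $_.NotAfter
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
    }
} | Sort-Object NotAfter |
    Format-Table Status, NotAfter, Subject, Thumbprint -AutoSize
```

An empty result, or no entry matching the name the listener is published under, points to a certificate that was never imported or has been deleted from the store.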


 


4. Resolution


 


To resolve this problem you have two approaches:

· If you don’t have the certificate right away, you can change the listener to use HTTP (rather than HTTPS), apply the changes and start the Microsoft Firewall service.
· If you do have the certificate, use the steps from the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to import a new certificate, bind this new certificate to the listener and start the Microsoft Firewall service.


 


5. Main References


 


Although I mentioned an article about certificates throughout this post, it is important to emphasize that you should read the whole article to plan ahead and avoid situations like this:


Considerations when Renewing Web Listener Certificates on ISA Server 2006


 


This KB article can also help you understand the possible causes when the Microsoft Firewall service won’t start:


940463  You cannot start the Microsoft Firewall service on a server that is running ISA 2004 or ISA 2006 if you enable SSL on a Web listener


 


 


Author


Yuri Diogenes


Security Support Engineer


Microsoft CSS Forefront Edge Team


 


Technical Reviewer


Thomas Detzner


Escalation Engineer


Microsoft CSS Forefront Edge Team


 


 

Comments (4)

  1. Anonymous says:

    Way to go…thanks for your feedback Paulo.

  2. Anonymous says:

    Great tip!

    This happened to me before and I followed the KB to solve my problem.

    Regards,

    Paulo Oliveira.

  3. ICTINUS says:

    Thanks m8 great solution. The only thing that was different in our case:

    someone accidentally deleted some certificates that were still in use on some listeners.

    We re-added the certificates!

    thanks

  4. Anonymous says:

    You may face an issue with a certificate assigned to a listener that suddenly becomes invalid and therefore