Unable to Start Microsoft Firewall Service in ISA Server 2006

1. Introduction

This scenario is based on a real experience that I was able to reproduce in a lab. The issue was that the Microsoft Firewall Service was not starting and showed the following error message when I tried to start it manually:

Figure 1 – Error trying to manually start the Microsoft Firewall service.

The error -2146885628 means HRESULT 0x80092004L, which is CRYPT_E_NOT_FOUND. Besides this pop-up error message, the following entries were logged in the Application Log:

Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 14177
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Some certificates cannot be initialized (error code -2146885628). The Web Proxy filter could not initialize. Check that all certificates used by the Web Proxy filter are valid.

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14060
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
ISA Server could not load the application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with the error code 0x80092004. To attempt to activate this application filter again, stop and restart the Firewall service.

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14001
Date: 3/2/2009
Time: 7:44:31 PM
User: N/A
Computer: ISASRVSTD
Description:
Firewall Service failed to initialize. Previous event log entries might help determine the proper action.

Of these three events, the first one (Event ID 14177) is the main one: it was the first to occur, and the other two are just consequences of it.
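As an added example (not part of the original post), the following Python script parses Application Log entries exported in the "Field: value" layout shown above, normalises the signed decimal error code to an HRESULT, and picks out the event to act on. The embedded log text is an abridged copy of the first two events above; KNOWN_HRESULTS only names the code this post deals with.

```python
import re

# Abridged copy of the two leading Application Log entries quoted above, in the
# "Field: value" layout of an exported event (sample constructed for this example).
SAMPLE_LOG = """Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event ID: 14177
Computer: ISASRVSTD
Description:
Some certificates cannot be initialized (error code -2146885628). The Web Proxy filter could not initialize.

Event Type: Error
Event Source: Microsoft Firewall
Event ID: 14060
Computer: ISASRVSTD
Description:
ISA Server could not load the application filter Web Proxy Filter. FilterInit failed with the error code 0x80092004.
"""

KNOWN_HRESULTS = {0x80092004: "CRYPT_E_NOT_FOUND"}  # HRESULTs this post deals with

def to_hresult(value: str) -> int:
    """Normalise a signed-decimal or hex error code string to an unsigned HRESULT."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    return n & 0xFFFFFFFF  # -2146885628 -> 0x80092004

def describe_hresult(hr: int) -> dict:
    """Split an HRESULT into severity, facility and code, and name it if known."""
    return {
        "hex": f"0x{hr:08X}",
        "failed": bool(hr >> 31),           # high bit set means a failure HRESULT
        "facility": (hr >> 16) & 0x7FF,     # 9 == FACILITY_SSPI (security/crypto)
        "code": hr & 0xFFFF,
        "name": KNOWN_HRESULTS.get(hr, "unknown"),
    }

def parse_events(text: str) -> list:
    """Parse exported event text into dicts, pulling the error code out of each description."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z ]+): ?(.*)$", block, re.M))
        desc = block.split("Description:", 1)[-1].strip()
        m = re.search(r"error code (-?\d+|0x[0-9A-Fa-f]+)", desc)
        events.append({"id": int(fields["Event ID"]), "source": fields["Event Source"],
                       "hresult": to_hresult(m.group(1)) if m else None})
    return events

def root_cause(events: list):
    """First event carrying a certificate HRESULT is the one to act on; later Firewall events repeat it."""
    return next((ev for ev in events if ev["hresult"] in KNOWN_HRESULTS), None)
```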

 

2. Reviewing the Web Listener

Certificates are bound to Web Listeners, so you first need to review the Listeners to see whether anything looks suspicious. Look for things such as:

· Web Listeners that are using port 443 but have no certificate bound to them.

· Web Listeners that are using certificates that have already expired

o Use the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to identify which certificates are expired

· Web Listeners whose properties you cannot even open

o In this case you may receive a catastrophic error, which might indicate that the Web Listener is corrupted. This type of scenario requires further research that is outside the scope of this post.

After reviewing the Web Listeners, it was possible to see that one of them was using port 443 (Figure 2) but had no certificate bound to it (Figure 3):

Figure 2 – Web Listener using Port 443.

Note: as you can see at the bottom of the window in Figure 2, a certificate must be defined in the Certificates tab when SSL is used.

Figure 3 – Web Listener with empty certificate selection.

This is clearly a problem and explains why the Firewall Service is not coming up.

3. Reviewing your Certificate Container in the Local Computer

The next step is to verify that the certificates are correctly installed in the ISA Server's local computer store. Follow the steps in the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to do that.

4. Resolution

To resolve this problem you have two approaches:

· If you don't have the certificate right away, you can change the listener to use HTTP (rather than HTTPS), apply the changes and start the Microsoft Firewall service.

· If you do have the certificate, use the steps from the article Considerations when Renewing Web Listener Certificates on ISA Server 2006 to import the new certificate, bind it to the listener and start the Microsoft Firewall service.

5. Main References

Although I referred throughout this post to an article about certificates, it is important to emphasize that you should read that whole article to plan ahead and avoid situations like this one:

Considerations when Renewing Web Listener Certificates on ISA Server 2006

This KB article can also help you understand the possible causes when the Microsoft Firewall service won't start:

940463 You cannot start the Microsoft Firewall service on a server that is running ISA 2004 or ISA 2006 if you enable SSL on a Web listener

Author

Yuri Diogenes

Security Support Engineer

Microsoft CSS Forefront Edge Team

Technical Reviewer

Thomas Detzner

Escalation Engineer

Microsoft CSS Forefront Edge Team