MachineKeys permission settings preventing RDP certificate renewal

We have a working IDP setup. As noted in the certificate documentation, to avoid the “Keyset does not exist” error, we’ve given the IIS_IUSRS account read/write access to the MachineKeys folder. For two years this setup worked fine. However, when we moved our site into a hosted (Azure) environment we ran into a problem. We connect to our servers via RDP. Every six months the RDP service needs to renew a self-signed certificate, and apparently adding the permissions for the IIS_IUSRS prevents it from doing that. When the certificate renewal fails, it locks us out of RDP.

The hosting admins insist that the IIS_IUSRS account cannot have read/write access to the MachineKeys folder. The ComponentSpace certificate documentation specifies that it must. I need to find a solution to this issue. Please advise.

It’s a curious state of affairs when giving IIS_IUSRS permissions would somehow cause issues for RDP. This shouldn’t have any impact on any of the other file permissions for this folder.

Did the hosting admins have any insight into why this is a problem? I’m not saying they’re wrong but I would like to understand what’s happening.

Are the IIS_IUSRS permissions definitely the reason for the RDP certificate renewal failure? If the permissions are removed, does RDP certificate renewal start working again?

What version of ASP.NET does your application target?

What version of the SAML library are you using?

In later releases we use the EphemeralKeySet flag when opening the PFX file but this requires ASP.NET v4.8 or later.

The EphemeralKeySet flag causes the private key associated with the PFX file to be created in memory and not persisted to the file system thereby avoiding any permission issues.
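The loading path described above, as an added example that is not ComponentSpace code: the PFX is opened with `X509KeyStorageFlags.EphemeralKeySet`, so no key container is created under MachineKeys, and the key is exercised with a sign/verify round trip. The PFX path and password are placeholders; the `IsEphemeral` check assumes the Windows CNG key type that this flag produces.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not ComponentSpace code. Loads a signing PFX with
// EphemeralKeySet so the private key lives only in process memory and
// nothing is written under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
static class EphemeralPfxDemo
{
    // Placeholders: substitute your own PFX file and password.
    const string PfxPath = @"C:\path\to\idp-signing.pfx";
    const string PfxPassword = "<pfx-password>";

    static X509Certificate2 LoadEphemeral(string path, string password)
    {
        // EphemeralKeySet: no key container is persisted, so the IIS_IUSRS
        // grant on MachineKeys is no longer needed. Do not combine it with
        // PersistKeySet or MachineKeySet, which would persist the key again.
        return new X509Certificate2(
            File.ReadAllBytes(path),
            password,
            X509KeyStorageFlags.EphemeralKeySet);
    }

    static void Main()
    {
        using (X509Certificate2 cert = LoadEphemeral(PfxPath, PfxPassword))
        // Use GetRSAPrivateKey(); the legacy cert.PrivateKey property does
        // not work with the CNG key that an ephemeral import produces.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            // Constructed sample payload standing in for a SAML message.
            byte[] data = Encoding.UTF8.GetBytes("<samlp:Response ID=\"_example\"/>");
            byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            bool ok = rsa.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine($"HasPrivateKey={cert.HasPrivateKey} signatureValid={ok}");

            // On Windows the key is a CNG key; IsEphemeral confirms there is
            // no key file on disk for the hosting admins to object to.
            if (rsa is RSACng cng)
                Console.WriteLine($"IsEphemeral={cng.Key.IsEphemeral}");
        }
    }
}
```

Because the key is never persisted, the certificate is reloaded from the PFX on each application start, so the PFX file itself still needs read access for the application pool identity.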