'Value does not fall within the expected range' when trying to set identity password for the MailEnable Application Pools under IIS


SYMPTOMS

Trying to set the identity password for a MailEnable Application Pool, or for any of the MailEnable websites, produces the following error in IIS Manager:

'Value does not fall within the expected range'

CAUSE

MailEnable Application Pools run under specific user identities, and the passwords for those identities are stored in encrypted form in the IIS "Applicationhost.config" file. By default, IIS uses IISWASOnlyAesProvider to encrypt the application user passwords. The 'Value does not fall within the expected range' error can occur if the key store becomes corrupt. One common cause of corruption is restoring the IIS config files onto a new server.

RESOLUTION

The solution is to import the AES encryption keys from one Windows server to another. This can be achieved with the Microsoft "Aspnet_Regiis.exe" tool, located in: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.

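The following command exports the keys to the temp directory in a file named "AESKeys.xml". The -pri switch includes the private key in the export, which the importing server needs in order to decrypt:

aspnet_regiis -px "iisWasKey" "C:\temp\AESKeys.xml" -pri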

The key container it uses in the ApplicationHost.Config is:

add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey=

To import it, move the file to the machine in question and run the same command with the -pi switch instead:

aspnet_regiis -pi "iisWasKey" "C:\temp\AESKeys.xml"

The above steps restore the "iisWasKey" encryption key, but you may also need to do the same for the "iisConfigurationKey" key:

aspnet_regiis -px "iisConfigurationKey" "C:\temp\AESKeys.xml" -pri

The key container it uses in the ApplicationHost.Config is:

add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey=

To import it, move the file to the machine in question and run the same command with the -pi switch instead:

aspnet_regiis -pi "iisConfigurationKey" "C:\temp\AESKeys.xml"
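
To see which of the two key containers the encrypted passwords in a given "ApplicationHost.config" actually depend on, the PowerShell script below maps each encrypted attribute to its provider and key container. It is an added example, not MailEnable or Microsoft code; the sample XML, ExamplePool, ExampleSite, ExampleUser and the encrypted values are constructed, and it relies on IIS writing encrypted attributes as [enc:provider:data:enc].

```powershell
# Added example. The XML below is constructed sample data, not a real config.
# On a server, set $ConfigPath to
# "$env:windir\System32\inetsrv\config\applicationHost.config" (elevated prompt).
$ConfigPath = $null

$sample = @'
<configuration>
  <configProtectedData>
    <providers>
      <add name="IISWASOnlyAesProvider" keyContainerName="iisWasKey" />
      <add name="AesProvider" keyContainerName="iisConfigurationKey" />
    </providers>
  </configProtectedData>
  <system.applicationHost>
    <applicationPools>
      <add name="ExamplePool">
        <processModel userName="ExampleUser" password="[enc:IISWASOnlyAesProvider:Q09OU1RSVUNURUQ=:enc]" />
      </add>
    </applicationPools>
    <sites>
      <site name="ExampleSite">
        <application path="/">
          <virtualDirectory path="/" userName="ExampleUser" password="[enc:AesProvider:Q09OU1RSVUNURUQ=:enc]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

[xml]$doc = if ($ConfigPath) { Get-Content -LiteralPath $ConfigPath -Raw } else { $sample }

# Provider name -> key container, taken from <configProtectedData>.
$containers = @{}
foreach ($p in $doc.SelectNodes('//configProtectedData/providers/add')) {
    $containers[$p.GetAttribute('name')] = $p.GetAttribute('keyContainerName')
}

# Encrypted attribute values look like [enc:<provider>:<base64 data>:enc].
# Only the provider name is read; nothing is decrypted or printed.
$report = foreach ($a in $doc.SelectNodes('//@*[starts-with(., "[enc:")]')) {
    if ($a.Value -match '^\[enc:([^:]+):') {
        [pscustomobject]@{
            Element      = $a.OwnerElement.LocalName
            Attribute    = $a.LocalName
            Provider     = $Matches[1]
            KeyContainer = $containers[$Matches[1]]
        }
    }
}
$report | Sort-Object KeyContainer | Format-Table -AutoSize
```

An encrypted value whose KeyContainer column is empty references a provider that is not declared in the file. Because the exported key file lets anyone holding it decrypt these values, delete it from C:\temp on both servers once the import has succeeded.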

Once the keys have been restored, the final step is to reset the MailEnable service account passwords for the MailEnable Application Pools.

  • Navigate within the MailEnable installation path to the "BIN" folder.
  • Locate the "meinstaller.exe" tool. Right click on "meinstaller.exe" and select "Run As Administrator".
  • In the list of options, select option 2 - Web application reconfigure and then click on the "Execute" button.
  • When prompted, specify a complex password for the MailEnable service accounts.
  • Once complete, try to restart the MailEnable Application Pools under IIS.

WORKAROUND

If there is no access to another Windows server from which to export the AES keys, the last resort is to uninstall the "Web server" role and reinstall IIS.



Product:MailEnable (All Versions)
Article:ME020709
Module:Other
Keywords:Value,does,not,fall,within,the,expected,range,application,pool,IIS,iis,web,mail
Class:TRB: Troubleshooting (Configuration or Environment)
Revised:Thursday, February 27, 2020
Author:
Publisher:MailEnable