Home » IIS » Failed to commit configuration changes. Keyset does not exist (80090016)

Failed to commit configuration changes. Keyset does not exist (80090016)

While trying to set application pool identity in IIS Manager, I came across “Keyset does not exist” error. When I looked at the Event Viewer, I saw this message:

ERROR ( hresult:80090016, message:Failed to commit configuration changes. Keyset does not exist)

Solution for “Keyset does not exist” error (hresult:80090016)

This issue occurs when there is a problem with the machine keys. These keys are located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

There are three machine keys IIS uses for encryption. The first thing to check is if these files exist. If they don’t, you will need to reinstall IIS for the files to be recreated.

Machine key files used by IIS

If the files exist in MachineKeys folder, check their security permissions. In my case, these files didn’t have owners.

hresult:80090016 Failed to commit configuration changes. Keyset does not exist

After taking the ownership, I saw that only IIS_IUSRS account was in the permission list. I added DatabaseAdministrators group to the Security list. This brought back other required permissions as well. We were able to change application pool identity password afterwards.

Note: If you see 0x8009000D error along with “Keyset does not exist” message, please check this post. It recommends recreating the IIS machine keys in the MachineKeys folder and related entries in the applicationHost.config file by following the steps below:

1) Rename the below files or move it to a different location from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID      iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID   NetFrameworkConfigurationKey

76944fb33636aeddb9590521c2e8815a_GUID        iisWasKey

2) Backup applicationhost.config, then delete everything inside the tags below in applicationhost.config. Delete the contents within 

<configProtectedData> or <providers>.

3) Open a command prompt in admin mode and run the below command

"%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries"

Note: If running the “iissetup.exe /install SharedLibraries” command returns 0x8007005 error, it means your user account doesn’t have the required permissions. This may happen even though the account’s AD group is in the local Administrators group and you open Command Prompt as Administrators. It’s likely that this account is lacking specific permission to complete this operation. Please try with another Administrator account.


If there is a huge amount of files (thousands of them) in the MachineKeys folder, there might be another issue. More details: Remove older files in MachineKeys folder

Ned Sahin

Blogger for 20 years. Former Microsoft Engineer. Author of six books. I love creating helpful content and sharing with the world. Reach me out for any questions or feedback.
Categories IIS

1 thought on “Failed to commit configuration changes. Keyset does not exist (80090016)”

Leave a Comment