Troubleshooting SSH issues
Windows CNG key container or key store is inaccessible
Symptom: When trying to connect to a Linux VM, you're seeing one of the following error messages:
- Creating or opening the SSH key failed because the Windows CNG key container or key store is inaccessible
- Failed to create or access cryptographic key
IAP Desktop uses a public/private key pair for SSH authentication and uses the Windows CNG key store to securely store the key in your Windows profile.
The error messages above indicate that IAP Desktop was unable to create or access the SSH key in the CNG key store. There are multiple reasons why this can happen:
-
The file system permissions of your key store are corrupt. This is typically the case when the error details include the text Object already exists.
To resolve this issue, try switching key types, deleting the key, or using an ephemeral key.
-
You've logged in using a temporary or mandatory Windows profile . This is typically the case when the error details include the text The profile for the user is a temporary profile.
When you use a temporary or mandatory Windows profile, the Windows CNG key store is read-only.
To resolve this issue, log in using a regular Windows profile or use an ephemeral key.
Switch key types
IAP Desktop automatically creates a public/private key pair for SSH authentication on first use. The type of key it creates depends on what you configured under Tools > Options > SSH.
You can force IAP Desktop to create a new key by going to Tools > Options > SSH and switching the key type to a value you haven't used before, for example from ECDSA NISTP-384 to ECDSA NISTP-521.
Delete the key
You can manually delete the CNG keys used by IAP Desktop by doing the following:
- Open a command prompt. The command prompt doesn't need to be elevated.
-
Use
certutil
to list your keys:certutil -csp "Microsoft Software Key Storage Provider" -key -user | findstr IAPDESKTOP_
-
Find all entries prefixed
IAPDESKTOP_
. For example:IAPDESKTOP_bob@example.com_00000012_094FE673 cbb967c9dd228c77fcc7cccccc2ee292c_f430a14c-aaaa-bbbb-cccc-dddddddddddd ECDSA_P384 ECDSA
The second line of each entry contains the key container name:
cbb967c9dd228c77fcc7cccccc2ee292c_f430a14c-aaaa-bbbb-cccc-dddddddddddd
-
Open the folder
%APPDATA%\Microsoft\Crypto\Keys
and find the file named after the key container name. This file contains the encrypted key. -
Rename (or delete) the file.
The next time you connect to a Linux VM, IAP Desktop will automatically create a new key.
Use an ephemeral key
Note
This feature requires IAP Desktop 2.39
Instead of using a persistent key for SSH authentication, you can let IAP Desktop use an ephemeral key. Ephemeral keys are only kept in memory and deleted once you close the application.
To use ephemeral keys, do the following:
- Go to Tools > Options > SSH.
- Disable the option Use persistent key.
- Click OK.
When you use an ephemeral key and IAP Desktop publishes the public key to OS Login or metadata, it automatically limits the lifetime of the key to one day.