How to troubleshoot IIS HTTPS Binding Error – “A specified logon session does not exist”?
Overview:
This guide explains how to diagnose and resolve the IIS HTTPS binding error:
“A specified logon session does not exist. It may already have been terminated. (HRESULT: 0x80070520)”,
which typically appears when adding or editing HTTPS bindings in Internet Information Services (IIS).
Audience:
System Administrators, IT Support Engineers, DevOps Engineers
Scope:
Applies to IIS servers where SSL certificates are used for HTTPS bindings. Relevant to certificate store configuration, private key permissions, and IIS SSL binding issues.
Issue:
When adding or editing an HTTPS binding in IIS, you receive the following error:
Error:
There was an error while performing this operation.
Details:
A specified logon session does not exist. It may already have been terminated.
(Exception from HRESULT: 0x80070520)
Indicators of the problem:
- HTTPS binding fails in IIS.
- “Manage Private Keys” option missing in MMC (if private key is not present).
- Certificate appears valid (including private key) but binding still fails.
Causes:
- Certificate imported incorrectly (missing private key or wrong context).
- Corrupted private key association in the Windows certificate store.
- Binding to a specific IP address instead of “All Unassigned”.
Solution:
Follow the steps below to resolve the issue:
- Verify Private Key: In MMC, confirm the certificate says “You have a private key that corresponds to this certificate.”
- Check Permissions: Confirm that the certificate’s private key has the correct permissions:
  - Navigate to Certificate > All Tasks > Manage Private Keys.
  - Verify that Read access is granted to the required accounts (e.g., IIS_IUSRS, NETWORK SERVICE).
  - Compare these permissions with other working certificates for consistency.
- Repair Certificate Association: Export the certificate as PFX (include private key) and re-import into Local Computer → Personal store.
- Rebind in IIS: Update existing HTTPS binding, restart IIS (iisreset), and add HTTPS binding again using the repaired certificate.
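The "Verify Private Key" and "Check Permissions" steps can also be run read-only from an elevated PowerShell prompt on the IIS server. This is an added example, not part of the original article; the function name and thumbprint value are placeholders, and it assumes an RSA key held by a software key provider (key file on disk).

```powershell
# Placeholder: replace with the thumbprint of the certificate you are binding.
$Thumbprint = '<CERT-THUMBPRINT>'

function Test-IisCertPrivateKey {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)

    # The certificate must live in Local Computer -> Personal (LocalMachine\My).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { Write-Warning 'Certificate not found in LocalMachine\My.'; return }

    # Same check as the MMC text "You have a private key that corresponds...".
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no associated private key.'; return
    }

    # HasPrivateKey only reads a store property. Opening the key proves the
    # container really exists; a failure here matches the "certificate appears
    # valid but binding still fails" indicator.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch {
        Write-Warning "Private key cannot be opened: $($_.Exception.Message)"; return
    }
    if ($null -eq $key) { Write-Warning 'Not an RSA key; check it in MMC instead.'; return }

    # Locate the key file: CNG and legacy CSP machine keys use different folders.
    if ($key -is [System.Security.Cryptography.RSACng]) {
        $name = $key.Key.UniqueName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } else {
        $name = $key.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    }
    $path = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Key file not found at $path (key may not be a machine key)."; return
    }

    # Equivalent of "Manage Private Keys": who has access to the key file.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Test-IisCertPrivateKey -Thumbprint $Thumbprint
```

Compare the listed identities with the output for a certificate whose binding works, as the permissions step describes.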
Root Cause Explanation:
The error occurs because the logon session for the private key cannot be established. Re-importing the certificate as PFX under the Local Computer store ensures proper mapping between the certificate and its private key container.
Prevention:
- Always export/import certificates as PFX with private key.
- Store certificates in Local Computer → Personal.
- Avoid binding to specific IP addresses unless necessary.
- Ensure proper permissions for IIS worker processes.
Confirmed Fix:
Exporting the certificate including private key from MMC and re-importing it into the same store resolved the issue.