Today I came across an issue where the Dynamics AX 2009 Application Object Server (AOS) did not start after the Service Account was changed to a dedicated Service Account with limited permission.
The following error was logged to the Application Event Log:
This error means the AOS was unable to access a key container managed by the Windows CryptoAPI (see also Understanding Machine-Level and User-Level RSA Key Containers). The AOS uses the CryptoAPI to decrypt license values and therefore creates a machine-level key container.
The CryptoAPI stores this machine-level key container as a file on the hard drive. If the AOS Service Account has no access to that key container file, this error message is logged.
As outlined in the blog post Key Containers: Basics, you can run Process Monitor during the AOS start to find out which file represents the key container the AOS is using, and then grant the AOS Service Account explicit access to that file.
In my case (demo environment) I used a much more radical approach and simply granted the AOS Service Account access to the whole folder where the key container files are stored.
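The per-file approach from the previous paragraph, as an added PowerShell example that is not part of the original post. It assumes the key containers live in the standard MachineKeys folder under %ProgramData% and that the service account name and the file name identified with Process Monitor are supplied as parameters (both are placeholders here):

```powershell
# Added example: grant an AOS service account read access to one machine-level
# key container file instead of opening the whole MachineKeys folder.
# Assumptions (not stated on the page): the account name and the container
# file name are placeholders you replace with the values from your environment.
param(
    [Parameter(Mandatory)] [string] $ServiceAccount,   # e.g. 'CONTOSO\svc-ax-aos'
    [Parameter(Mandatory)] [string] $KeyContainerFile  # file name seen in Process Monitor
)

# Standard location of machine-level CryptoAPI (RSA) key containers on Windows.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$path = Join-Path $machineKeys $KeyContainerFile

if (-not (Test-Path -LiteralPath $path)) {
    throw "Key container file not found: $path"
}

# Record the ACL before the change so the modification is auditable.
Write-Host "ACL before change for $path"
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# The AOS only needs to read the container to decrypt its license values, so
# start with Read (not Modify or FullControl) on this single file.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ServiceAccount, 'Read', 'Allow'

$acl = Get-Acl -LiteralPath $path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $path -AclObject $acl

# Verify the new entry is present before restarting the AOS service.
$granted = (Get-Acl -LiteralPath $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
if (-not $granted) {
    throw "ACL update for $ServiceAccount did not take effect on $path"
}
Write-Host "ACL after change for $path"
$granted | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell session on the AOS server; if the AOS still logs the error with Read only, widen the rights on that one file rather than on the folder.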