Re: CryptAcquireContext returns NTE_BAD_KEY_STATE?

From: Michael Pflug (bath.10.stitch321_at_spamgourmet.com)
Date: 02/12/04


Date: Thu, 12 Feb 2004 21:40:24 +0100

Thank you, that sounds reasonable.
I can't tell whether the password has changed - it's a customer having this problem. I'll ask him.

So if I understand you right, the procedure should work when another user logs on (no workaround for the problem, but a way to check whether it is really a user-related problem)?
And: in case the original password of the failing user's account (it's the local Admin!) can't be reset, maybe because it's not known anymore - is there a way to remove the old keyset (there's nothing to be lost) and regenerate a new one?
Or in short: how do we get this PC back to work?

There is another symptom; I'd just like to know whether it is related:
There is also a routine to check whether there is a certificate in the MY store that matches certain criteria: usage "Server Auth" and private key available.

This is actually the original problem - the server already had a working certificate, but at once the application started crashing when trying to open the required certificate.

It goes
CertOpenStore(Prov: NULL, Store: "MY")
(succeeds)
CertFindCertificateInStore(...)
which crashes. This only happens on the trouble-causing machine.

Also: what definitively was changed: the user added the "Internet authentication service" and "Certification service" before the problems started (I hope I translated correctly; I only know the German localized terms).
Can these have any effect?

Regards,

Michael

"John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
news:OnEgW7S8DHA.2064@TK2MSFTNGP11.phx.gbl...
> The Microsoft software CSPs encrypt the private keys using DPAPI
> (CryptProtectData), which encrypts this using a master key. The master key
> is encrypted with the user password.
>
> Things get a little tricky when the user's password is changed. The
> NTE_BAD_KEY_STATE error code is returned when the master key can't be
> decrypted. Typically, this is because the user's password has changed and
> DPAPI wasn't able to deal with it. Have you changed your password recently?
>
> The most common issue in this area occurs when a local (non-domain) user's
> password is administratively reset. On WinXP, this causes all data protected
> by DPAPI (including user private keys) to be lost; at least until the
> password is set back. This is by design, and in fact is an important
> security feature.
>
> Regards,
>
> John Banes
> [Microsoft Security Developer]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email directly to this alias. This alias is for newsgroup
> purposes only.
>
> "Michael Pflug" <bath.10.stitch321@spamgourmet.com> wrote in message
> news:O4Q%23xrP8DHA.2044@TK2MSFTNGP10.phx.gbl...
> > I have one certain Win2003-Server (so far), where a call to
> >
> > CryptAcquireContext
> >
> > will always result in NTE_BAD_KEY_STATE / 0x8009000B (note: _not_
> > NTE_BAD_KEYSET, which
> > would be a common result).
> >
> > The MSDN-Help doesn't even mention the possibility of this result for
> > CryptAcquireContext.
> >
> > To make sure, I made a small program that does nothing else but:
> >
> > CryptAcquireContext(&hProv,NULL,MS_DEF_PROV,PROV_RSA_FULL,0)
> >
> > which results in NTE_BAD_KEY_STATE
> >
> > and another
> >
> > CryptAcquireContext(&hProv,NULL,MS_DEF_PROV,PROV_RSA_FULL,CRYPT_NEWKEYSET)
> >
> > which results in NTE_EXISTS.
> >
> > On several other PCs with varying Windows-versions, it works (it's a routine
> > that is supposed to create a new server certificate with a private key).
> >
> > How - and when - can this happen?
> >
> > Regards,
> >
> > Michael
> >
> >
>
>
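As an added example (not code from either poster), a small C routine that maps the CryptAcquireContext failure codes discussed in this thread to the situation each one signals, and, on Windows, applies the corresponding step against the default MS_DEF_PROV container: create it when it is missing, and, only if the caller accepts losing every key in it, discard an undecryptable one with CRYPT_DELETEKEYSET and start over. Whether that deletion succeeds while the DPAPI master key itself is unrecoverable is an assumption the thread does not confirm, so the code reports the outcome rather than presuming it; the classification logic is portable so it can be compiled and checked off Windows.

```c
#ifdef _WIN32
#  include <windows.h>
#  include <wincrypt.h>
#  pragma comment(lib, "advapi32.lib")
#else
/* Portable fallback so the classification logic compiles and tests off Windows. */
typedef unsigned long DWORD;
#  define NTE_BAD_KEYSET    0x80090016L
#  define NTE_EXISTS        0x8009000FL
#  define NTE_BAD_KEY_STATE 0x8009000BL   /* the value quoted in the original post */
#endif

typedef enum {
    KEYSET_OK,             /* container opened */
    KEYSET_MISSING,        /* NTE_BAD_KEYSET: no container yet, retry with CRYPT_NEWKEYSET */
    KEYSET_ALREADY_EXISTS, /* NTE_EXISTS: CRYPT_NEWKEYSET on a container that is already there */
    KEYSET_DPAPI_BROKEN,   /* NTE_BAD_KEY_STATE: DPAPI master key cannot be decrypted (password reset) */
    KEYSET_OTHER
} keyset_state;

/* Maps a GetLastError() value from CryptAcquireContext to the situations in the thread. */
keyset_state classify_acquire_error(DWORD err)
{
    switch (err) {
    case (DWORD)NTE_BAD_KEYSET:    return KEYSET_MISSING;
    case (DWORD)NTE_EXISTS:        return KEYSET_ALREADY_EXISTS;
    case (DWORD)NTE_BAD_KEY_STATE: return KEYSET_DPAPI_BROKEN;
    default:                       return KEYSET_OTHER;
    }
}

#ifdef _WIN32
/* Opens the default MS_DEF_PROV container, creating it if missing. With
 * discard_if_dpapi_broken set, an undecryptable container is deleted and recreated;
 * every key in it is lost. Assumption: deletion may itself fail in that state. */
keyset_state acquire_default_keyset(HCRYPTPROV *phProv, int discard_if_dpapi_broken)
{
    if (CryptAcquireContextA(phProv, NULL, MS_DEF_PROV_A, PROV_RSA_FULL, 0))
        return KEYSET_OK;
    keyset_state st = classify_acquire_error(GetLastError());
    if (st == KEYSET_MISSING ||
        (st == KEYSET_DPAPI_BROKEN && discard_if_dpapi_broken &&
         CryptAcquireContextA(phProv, NULL, MS_DEF_PROV_A, PROV_RSA_FULL, CRYPT_DELETEKEYSET))) {
        if (CryptAcquireContextA(phProv, NULL, MS_DEF_PROV_A, PROV_RSA_FULL, CRYPT_NEWKEYSET))
            return KEYSET_OK;
        st = classify_acquire_error(GetLastError()); /* report why recreation failed */
    }
    return st;
}
#endif
```

On the machine from the original post, the first call returns KEYSET_DPAPI_BROKEN rather than KEYSET_MISSING, which is exactly why the plain CRYPT_NEWKEYSET retry answers NTE_EXISTS: the container is present, only its DPAPI protection is unusable.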


