Re: CryptAcquireContext fails with error (8009000F)

From: Ryan Menezes [MSFT] (ryanmen_at_online.microsoft.com)
Date: 07/30/04

Date: Fri, 30 Jul 2004 00:52:26 -0700


    If you are using CryptAcquireContext inside a service and impersonating a
    user, ensure that the user profile is loaded with LoadUserProfile.

    If you get a combination of NTE_BAD_KEYSET and NTE_KEY_EXISTS for 0 and
    CRYPT_NEWKEYSET with machine keys, it normally indicates you don't have the
    correct ACLs on the key containers.

    -- 
    Thanks,
    Ryan Menezes [MS]
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Yasir Ali" <YasirAli@discussions.microsoft.com> wrote in message
    news:A16B7A19-2686-4F79-B7D3-A1F4968DADBF@microsoft.com...
    > I am having a similar problem, where CryptAcquireContext fails with
    > NTE_BAD_KEYSET. At that point I tried to generate a new container with
    > CRYPT_NEWKEYSET but that fails as well.
    >
    > Any help will be appreciated.
    >
    > I have attached a sample piece of code where I have the following 4
    > functions:
    >
    >  -loadCertificate takes in a hash and fills up PCRYPT_KEY_PROV_INFO struct
    >  -ms2opensslX509 makes an ssl x509 cert out of it.
    >  -ms2opensslRSANoPrivateKey tries to acquire the context
    >   based on the information returned in PCRYPT_KEY_PROV_INFO.
    >
    >   However that function call fails when used on machine bootup.
    >
    >   The objective was to use the machine certificate on boot up for
    >   authentication. The code that worked for machine and user
    >   authentication (TLS) worked when the user had already logged in
    >   and performed authentication through a desktop utility.
    >
    >   However, it fails "sometimes" when run in a service on boot up.
    >
    >   In the code below why does getCryptProv fail sometimes with error
    >   key set does not exist. What is a workaround for that?
    >
    >   I tried CryptAcquireContext with CRYPT_NEWKEYSET flag if
    >   it failed with NTE_BAD_KEYSET. That did not resolve it.
    >  */
    > static int loadCertificate( PCRYPT_HASH_BLOB pHash)
    > {
    >     //....continued.....
    >     DWORD keyFlags = 0;
    >
    >     if (pHash == NULL)
    >     {
    >         DWORD propId = CERT_KEY_PROV_INFO_PROP_ID;
    >
    >         if ( ( pCertContext = CertFindCertificateInStore
    >             ( hSystemStoreHandle,
    >             X509_ASN_ENCODING,
    >             0,
    >             CERT_FIND_PROPERTY,
    >             &propId,
    >             pCertContext ) ) == NULL )
    >         {
    >             dbprint("Could not find a certificate with a NULL hash.\n");
    >             res = 0;
    >             goto end;
    >         }
    >     }
    >     else
    >     {
    >         if ( ( pCertContext = CertFindCertificateInStore
    >             ( hSystemStoreHandle,
    >             X509_ASN_ENCODING,
    >             0,
    >             CERT_FIND_HASH,
    >             pHash,
    >             pCertContext ) ) == NULL )
    >         {
    >
    >             dbprint("Could not find a certificate with a given hash.\n");
    >             res = 0;
    >             goto end;
    >         }
    >     }
    >
    >     CertGetCertificateContextProperty(pCertContext,
    >         CERT_KEY_PROV_INFO_PROP_ID, NULL, &cbData);
    >     if ((pinfo = (PCRYPT_KEY_PROV_INFO)malloc(cbData)) == NULL)
    >     {
    >         res = 0;
    >         goto end;
    >     }
    >
    >     if (!CertGetCertificateContextProperty(pCertContext,
    >         CERT_KEY_PROV_INFO_PROP_ID, pinfo, &cbData))
    >     {
    >         dbprint("Error in CertGetCertificateContextProperty (%x)\n",
    >             GetLastError());
    >         res = 0;
    >         goto end;
    >     }
    >
    >     cert = ms2opensslX509(pCertContext->pbCertEncoded,
    >         pCertContext->cbCertEncoded);
    >     if (SSL_use_certificate(con, cert) != 1)
    >     {
    >         dbprint("Error in SSL_use_certificate\n");
    >         res = 0;
    >         goto end;
    >     }
    >
    >     if ( global.machineKeyset )
    >     {
    >         keyFlags |= CRYPT_MACHINE_KEYSET;
    >     }
    >
    >     key = ms2opensslRSANoPrivateKey(pinfo, keyFlags);
    >
    >     if (key == NULL) {
    >         res = 0;
    >         dbprint( "ms2opensslRSANoPrivateKey did not return a key\n" );
    >         goto end;
    >     }
    >     //....continued.....
    >
    > }
    >
    >
    > RSA *ms2opensslRSANoPrivateKey(PCRYPT_KEY_PROV_INFO pinfo, int flags)
    > {
    >     //....continued.....
    >
    >     MSKeyContext  *ctx;
    >
    >     if ((ctx = malloc(sizeof(MSKeyContext))) == NULL)
    >     {
    >         goto err;
    >     }
    >
    >     if ((ctx->hCryptProv = getCryptProv(pinfo, flags)) == 0)
    >     {
    >         //!!!!!!!!!!!!!!! FAILS SOMETIMES WHY??!!!!!!!!!!!!!!//
    >         // Error message is that a keyset does not exist //
    >         // Why can it not find it? //
    >         goto err;
    >     }
    >
    >     //....continued.....
    > }
    >
    > static HCRYPTPROV getCryptProv(PCRYPT_KEY_PROV_INFO pinfo, int flags)
    > {
    >     HCRYPTPROV hProv = 0;
    >
    >     if(!CryptAcquireContext(
    >         &hProv,
    >         pinfo->pwszContainerName,
    >         NULL,
    >         pinfo->dwProvType,
    >         flags))
    >     {
    >          //dbprint( "CryptAcquireContext failed\n" );
    >     }
    >     return hProv;
    > }
    >
    > -- 
    > Yasir Ali
    > Software Engineer
    > Meetinghouse Data Communications
    >
    >
    > "sachin" wrote:
    >
    > > I am running the following code on XP machines. On some of the machines it
    > > gives error 8009000F at the place that I have marked in the code ###. Error
    > > description says "Object already exists." When does this error occur?
    > >
    > > LPCSTR UserName = "MyName";
    > >
    > > if (RCRYPT_FAILED(CryptAcquireContext(&hCryptProv, UserName,
    > >         MS_ENHANCED_PROV, PROV_RSA_FULL, 0))) {
    > >     if (GetLastError() == NTE_BAD_KEYSET) {
    > >         if (RCRYPT_FAILED(CryptAcquireContext(&hCryptProv, UserName,
    > >                 MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_NEWKEYSET))) {
    > >             printf("Could not get crypto context %x", GetLastError());
    > > #############ERROR###########
    > >         }
    > >         else {
    > >             return TRUE;
    > >         }
    > >     }
    > > }
    > > else {
    > >     return TRUE;
    > > }
    > > return FALSE;
    > >
    > >
    > >
    > > Thanks,
    > > Sachin
    > >
    > >
    > >
    
