SYMPTOMS
When you use the Advanced Networking Pack for Windows XP and the optional Windows XP Peer-to-Peer Networking Component, you may receive the following error message from a peer-to-peer grouping or from the identity management API:
PEER_E_NO_KEY_ACCESS
Additionally, the peer-to-peer framework may not work as expected.
RESOLUTION
To resolve this behavior, do one or both of the following, as appropriate to your situation:
Warning: Make sure that you have a good understanding of access control in Windows before you perform the procedures in this article. Incorrectly modifying the access control list (ACL) of the folders that contain the RSA keys may result in security issues and may also result in unpredictable behavior in programs that are running on the computer.
Assign the User Account Full Control Permissions to the Folder
For processes that run in a security context that is associated with a Windows user account, the RSA keys are stored in the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user:
Drive:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA\UserSID
To resolve this behavior, assign the user account Full Control permissions to the folder. To do so:
- Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user:
  Drive:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA\UserSID
- Right-click the folder, and then click Properties.
- Click the Security tab.
- Do one of the following, as appropriate to your situation:
  - If the user appears in the Group or user names list, click the user. In the Permissions for User list, click to select the Full Control check box, and then click OK.
  - If the user does not appear in the Group or user names list, click Add. In the Select Users or Group dialog box, type the name of the user who you want to add, and then click OK. In the Permissions for User list, click to select the Full Control check box, and then click OK.
Note: You can also use the Cacls.exe command-line utility to modify the ACL on the folder. For more information about how to use Cacls, see Windows XP Help and Support. To do so, click Start, and then click Help and Support. In the Search box, type cacls, and then press ENTER.
Assign the Everyone Group Appropriate Permissions to the Folder
For processes that run as a Windows service in the LocalService, NetworkService, or LocalSystem contexts, the RSA keys are created in the following folder, where Drive is the drive where Windows is installed:
Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys
Note: In some cases, the Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys folder is missing. In this situation, use the following method:
- Manually create a new folder that is called MachineKeys.
- Apply the permissions that are outlined in this section.
To resolve this behavior, assign the Everyone group the following permissions to the folder:
- Read
- Write
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Read Permissions
- Synchronize
To do so:
- Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed:
  Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys
- Right-click the folder, and then click Properties.
- Click the Security tab.
- In the Group or user names list, click Everyone, and then in the Permissions for Everyone list, click to select the check boxes under Allow for each of the permissions in the list earlier in this article.
  Note: To assign special permissions, click Advanced under Permissions for Everyone, click Edit, and then click to select the check boxes under Allow for each special permission that you want to assign.
- Click OK.
Additionally, when incorrect permissions are set on the MachineKeys folder, the registration of an address by using Peer-to-Peer Name Resolution Protocol (PNRP) may not work correctly. In this situation, you may receive a generic "WSA failure" error message. To troubleshoot this behavior, make sure that the Everyone group has appropriate permissions to the MachineKeys folder.
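The permission check on the MachineKeys folder can also be scripted. The following PowerShell script is an added example and is not part of the original article; it assumes that PowerShell 2.0 or later is installed, and the Path parameter and the output property names are illustrative. It reports which of the permissions listed earlier the Everyone group lacks on the folder itself, and which rights the group holds beyond that list.

```powershell
# Added example (not from the article): compare the Allow rights that Everyone
# holds on the MachineKeys folder with the permission list in the article.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumption: full path to the MachineKeys folder on this computer
)

$Rights = [System.Security.AccessControl.FileSystemRights]

# The article's list as flags: Read and Write expand to the eight granular
# rights that it names, and Synchronize is listed separately.
$expected    = [int]($Rights::Read) -bor [int]($Rights::Write) -bor [int]($Rights::Synchronize)
$inheritOnly = [int]([System.Security.AccessControl.PropagationFlags]::InheritOnly)

$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$allowed = 0
$denied  = 0
foreach ($rule in $rules) {
    # S-1-1-0 is the well-known SID of the Everyone group.
    if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }
    # Inherit-only entries apply to child objects, not to the folder itself.
    if (([int]($rule.PropagationFlags) -band $inheritOnly) -ne 0) { continue }

    $mask = [int]($rule.FileSystemRights)
    if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $mask }
    else                                     { $denied  = $denied  -bor $mask }
}

# Conservative simplification: any Deny entry for Everyone cancels the matching Allow bits.
$effective = $allowed -band (-bnot $denied)
$missing   = $expected -band (-bnot $effective)
$excess    = $effective -band (-bnot $expected)

New-Object PSObject -Property @{
    Path          = $Path
    MatchesList   = ($missing -eq 0 -and $excess -eq 0)
    MissingRights = [System.Security.AccessControl.FileSystemRights]$missing
    ExcessRights  = [System.Security.AccessControl.FileSystemRights]$excess
} | Format-List
```

ExcessRights values such as Delete, ChangePermissions, or TakeOwnership mean that the ACL grants the Everyone group more than the list in this article.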