Changing service account for HSI services loses cryptographic key (192412)

CAUSE

When Host Security is initially installed, the service user account is given a cryptographic key based on the user ID that was chosen during the installation setup process. This information is then taken and put into the registry and is referenced when the HSI services start.

If the user account has changed, it will not match the original cryptographic key information, causing the Host Account Cache (HAC) to become corrupted and HAC lookups to fail. Reviewing the application log in the Event Viewer will show the following errors coming from source SNA Host Security:

Event ID 1244
Unable to import cryptographic key into container Supplied code
0x8009000d

Event ID 594
Host Process - was unable to create connection handle to connect to PMP

Event ID 629
Host Process - was unable to create connection handle to connect to UDB

MORE INFORMATION

HSI is comprised of three services: SNAPMP, SNADATABASE and SNAHOSTPROCESS. The SNAPMP and SNADATABASE services must run under the same service account because of the way that HSI was implemented. The SNAHOSTPROCESS service is installed with the core SNA gateway and can use a different service account.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

235472 Host security services must run in same Windows service account

248354 Changing password on Host Security service account causes SSO to fail

Changing service account for HSI services loses cryptographic key (192412)

SYMPTOMS

CAUSE

WORKAROUND

STATUS

MORE INFORMATION