User cannot gain access to certificate functionality after password change or when using a roaming profile (331333)
The information in this article applies to:
- Microsoft Windows XP Professional
This article was previously published under Q331333

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

SYMPTOMS
When a user tries to use certificate functionality after they change their password or when they use a roaming profile, they may lose access to this certificate functionality. Certificate functionality that may not work as before includes the following:
- Accessing files that are encrypted with Encrypting File System (EFS)
- Accessing a secure Web page that requires certificate authentication
- Signing e-mail with Secure/Multipurpose Internet Mail Extensions (S/MIME)
When they try to access a secure Web site, the following error message is logged:
Schannel Event: 36870
A fatal error occurred when you try to access the SSL client credential private key. The error code returned from the cryptographic module is 0x80090016.
CAUSE
This problem occurs only if the client user account is in a Microsoft Windows NT 4.0 domain and if they are logged on to a Microsoft Windows XP Professional workstation. The Windows XP version of the Data Protection API (DPAPI) function helps to protect EFS private keys and other data that you want to keep secure. The recovery functionality of DPAPI is not supported for users who are members of domains that are running Microsoft Windows NT 4.0 and earlier.

RESOLUTION
To maintain client access to certificate functionality after users change their passwords or when they use roaming profiles, upgrade the domain to Active Directory directory service. Active Directory domains provide a mechanism that helps to protect the DPAPI master key with a public/private key pair. (The DPAPI master key is used to help protect EFS private keys and other certificate-based functions.) In a Windows NT 4.0 domain, the ability to restore access to the certificate keys and data is located on the workstation. This is not the case in a Microsoft Windows 2000 domain. Because the recovery mechanism is not located on the workstation, Windows 2000 domains provide a significant additional level of protection for certificates if the workstation is physically compromised.

Although you only have to upgrade a single domain controller to take advantage of the DPAPI domain recovery mechanism, consider upgrading at least two domain controllers for fault-tolerance purposes. It is highly recommended that you plan your Active Directory before you implement it. For more information about Active Directory design, visit the following Microsoft Web site:

WORKAROUND
To work around this problem, install Windows XP Service Pack 1 (SP1) or later on the client workstation, and then create the following registry entry to emulate Windows 2000 behavior.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Follow these steps, and then quit Registry Editor:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
- On the Edit menu, point to New, and then click DWORD value.
- Type MasterKeyLegacyNt4Domain, and then press ENTER.
- On the Edit menu, click Modify.
- Type 1, and then click OK.
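The same registry change, expressed as an added PowerShell example (not part of the KB article) that first reports whether the MasterKeyLegacyNt4Domain value is present and set to 1, so that workstations running with the weakened Windows 2000 emulation can be found in an audit, and that creates the DWORD only when explicitly asked. The key path and value name are the ones the steps above give; the function names are assumptions of this example.

```powershell
# Added example (not from the KB article): audit and, on request, apply the
# MasterKeyLegacyNt4Domain workaround. Run from an elevated PowerShell session.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$ValueName   = 'MasterKeyLegacyNt4Domain'

function Get-Nt4DpapiWorkaroundState {
    # Returns an object describing whether the value exists and is a DWORD set to 1,
    # so a fleet audit can flag machines that still emulate Windows 2000 behavior.
    [CmdletBinding()]
    param([string]$Path = $ProviderKey, [string]$Name = $ValueName)

    $state = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyExists    = Test-Path -Path $Path
        ValuePresent = $false
        Value        = $null
        Kind         = $null
        Enabled      = $false   # true only when the DWORD is set to 1
    }
    if ($state.KeyExists) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $state.ValuePresent = $true
            $state.Value        = $item.$Name
            $state.Kind         = (Get-Item -Path $Path).GetValueKind($Name)
            $state.Enabled      = ($state.Kind -eq 'DWord' -and $state.Value -eq 1)
        }
    }
    return $state
}

function Enable-Nt4DpapiWorkaround {
    # Creates the DWORD exactly as the article's steps do. Supports -WhatIf so the
    # change can be reviewed first; the article notes it weakens protection of EFS
    # and certificate private keys on a physically compromised machine.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $ProviderKey, [string]$Name = $ValueName)

    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    return Get-Nt4DpapiWorkaroundState -Path $Path -Name $Name
}

# Report the current state; uncomment the second line to preview the change.
Get-Nt4DpapiWorkaroundState | Format-List
# Enable-Nt4DpapiWorkaround -WhatIf
```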
After you create this entry, the client will determine if the user is a member of a Windows NT 4.0 domain. If they are a member, the Windows XP client will emulate the Windows 2000 behavior, and DPAPI will give users with changed passwords access to their keys.

Note If you work around this problem by editing the registry, you only change the behavior that is described in the Symptoms section from the time that you make the registry change. Any password changes that were made before the change to the registry are not undone, and you will still receive an "access denied" error message when you open the EFS file.

Important security implications
Using this registry entry substantially decreases the security of a physically compromised computer. An attacker with physical access to the computer could access some or all EFS-encrypted files and any Certificate private keys on it.

Recover access to the files after a password change
To regain access to the certificate functionality on an individual workstation after a password change, change the password back to the password that was used when the files were last encrypted.

Note These steps only change the password that you use to log on to your computer. They do not change your domain password.
- Log on to the computer as the user with the current password.
- Click Start, and then click Control Panel.
- Double-click User Accounts.
- Click to select your user name.
- Click Reset password.
- Type your original password in the New password text box, and then type the password in the Confirm new password text box. Click OK.
- Restart your computer.
STATUS
This behavior is by design.

Modification Type: Minor
Last Reviewed: 4/14/2006
Keywords: kbprb KB331333