Microsoft KB Archive/817754

= Peer-to-Peer Framework APIs return a "PEER_E_NO_KEY_ACCESS" error message =

Article ID: 817754

Article Last Modified on 7/13/2006


APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Tablet PC Edition




SYMPTOMS
When you use the Advanced Networking Pack for Windows XP and the optional Windows XP Peer-to-Peer Networking Component, you may receive the following error message from a peer-to-peer grouping or from the identity management API:

PEER_E_NO_KEY_ACCESS

Additionally, the peer-to-peer framework may not work as expected.



CAUSE
This behavior may occur if a user or program has modified the permissions on the folder that contains the Rivest, Shamir, and Adleman (RSA) keys so that the current security context is no longer permitted to perform operations on that folder.

A peer framework API (for example, PeerIdentityCreate and PeerGroupCreate) may return the "PEER_E_NO_KEY_ACCESS" error when the security context in which the API is invoked does not have access to the folder where the RSA keys for the specified account are stored.



RESOLUTION
To resolve this behavior, do one or both of the following, as appropriate to your situation:

Warning Make sure that you have a good understanding of access control in Windows before you perform the procedures in this article. Incorrectly modifying the access control list (ACL) of the folders that contain the RSA keys may result in security issues and may also result in unpredictable behavior in programs that are running on the computer.

Assign the User Account Full Control Permissions to the Folder
For processes that run in a security context that is associated with a Windows user account, the RSA keys are stored in the following folder, where  is the drive where Windows is installed and   is the security ID (SID) of the user:



To resolve this behavior, assign the user account Full Control permissions to the folder. To do so:
 * 1) Start Windows Explorer, and then locate the following folder, where  is the drive where Windows is installed and   is the security ID (SID) of the user:

 * 2) Right-click the folder, and then click Properties.
 * 3) Click the Security tab.
 * 4) Do one of the following, as appropriate to your situation:
   * If the user appears in the Group or user names list, click the user. In the Permissions for  list, click to select the Full Control check box, and then click OK.
   * If the user does not appear in the Group or user names list, click Add. In the Select Users or Group dialog box, type the name of the user who you want to add, and then click OK. In the Permissions for  list, click to select the Full Control check box, and then click OK.

Note You can also use the Cacls.exe command-line utility to modify the ACL on the folder. For more information about how to use Cacls, see Windows XP Help and Support. To do so, click Start, and then click Help and Support. In the Search box, type cacls, and then press ENTER.

Assign the Everyone Group Appropriate Permissions to the Folder
For processes that run as a Windows service in the LocalService, NetworkService, or LocalSystem contexts, the RSA keys are created in the following folder, where  is the drive where Windows is installed:



Note In some cases, the :\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys folder is missing. In this situation, use the following method:
 * 1) Manually create a new folder that is called MachineKeys.
 * 2) Apply the permissions as outlined above.

To resolve this behavior, assign the Everyone group the following permissions to the folder:

 * Read
 * Write
 * List Folder/Read Data
 * Read Attributes
 * Read Extended Attributes
 * Create Files/Write Data
 * Create Folders/Append Data
 * Write Attributes
 * Write Extended Attributes
 * Read Permissions
 * Synchronize

To do so:
 * 1) Start Windows Explorer, and then locate the following folder, where  is the drive where Windows is installed:

 * 2) Right-click the folder, and then click Properties.
 * 3) Click the Security tab.
 * 4) In the Group or user names list, click Everyone, and then in the Permissions for  list, click to select the check boxes under Allow for each of the permissions in the list earlier in this article. Note To assign special permissions, click Advanced under Permissions for , click Edit, and then click to select the check boxes under Allow for each special permission that you want to assign.
 * 5) Click OK.

Additionally, when incorrect permissions are set on the MachineKeys folder, the registration of an address by using Peer-to-Peer Name Resolution Protocol (PNRP) may not work correctly. In this situation, you may receive a generic "WSA failure" error message. To troubleshoot this behavior, make sure that the Everyone group has appropriate permissions to the MachineKeys folder.
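
The following PowerShell script is an added example, not part of the original Microsoft article: it compares the Everyone entries on the MachineKeys folder with the permissions listed earlier in this article and reports which listed permissions are missing and which granted rights go beyond the list. It assumes PowerShell 3.0 or later and takes the folder path as a parameter; the variable names are illustrative.

```powershell
# Added example, not Microsoft's code: compare the Everyone ACEs on the
# MachineKeys folder with the permissions listed in this article.
param(
    # Full path to the MachineKeys folder, supplied by the caller.
    [Parameter(Mandatory = $true)][string]$Path
)

$Rights = [System.Security.AccessControl.FileSystemRights]

# The article's list as FileSystemRights names. Read and Write are composites
# of these: List Folder/Read Data = ReadData, Create Files/Write Data =
# WriteData, Create Folders/Append Data = AppendData.
$listed = 'ReadData', 'ReadAttributes', 'ReadExtendedAttributes', 'ReadPermissions',
          'WriteData', 'AppendData', 'WriteAttributes', 'WriteExtendedAttributes',
          'Synchronize'
$expected = [int]$Rights::Parse($Rights, ($listed -join ', '))

$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]
$allow = 0
$deny  = 0

foreach ($rule in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
    # S-1-1-0 is the well-known SID for Everyone, independent of display language.
    if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }
    # Inherit-only ACEs apply to child objects, not to the folder itself.
    if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    if ($rule.AccessControlType -eq 'Allow') {
        $allow = $allow -bor [int]$rule.FileSystemRights
    } else {
        $deny = $deny -bor [int]$rule.FileSystemRights
    }
}

# Conservative: any right that a Deny ACE for Everyone covers counts as not granted.
$effective = $allow -band (-bnot $deny)

[pscustomobject]@{
    Path         = $Path
    Missing      = ($expected -band (-bnot $effective)) -as $Rights
    BeyondListed = ($effective -band (-bnot $expected)) -as $Rights
    Denied       = $deny -as $Rights
}
```

A value of 0 in Missing means that every permission in the list is granted to Everyone on the folder itself; BeyondListed shows rights such as Delete or ChangePermissions that are granted but are not in the article's list.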


MORE INFORMATION
For additional information about the Advanced Networking Pack for Windows XP and the Windows XP Peer-to-Peer Networking Component, click the following article number to view the article in the Microsoft Knowledge Base:

817778 Overview of the Advanced Networking Pack for Windows XP

Keywords: kbprb KB817754


© Microsoft Corporation. All rights reserved.