Microsoft KB Archive/313494

= Microsoft Cryptography API may not work if the default CSP has been set incorrectly =

Article ID: 313494

Article Last Modified on 10/29/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q313494



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When the Microsoft Cryptography API is running in the system security context (typically as a service), various functions may not work. This symptom may also occur under a user context. Because many programs use the Cryptography API, it is not possible to document every possible error message for this issue. However, the following list describes some of the more common symptoms:

 * When you try to start the Internet Service Manager snap-in locally on a Windows 2000-based server, you may receive the following error message:

Unable to enumerate web sites because the following error occurred: An internal error occurred.

 * When you try to access the metabase by using Adsutil.vbs or Mdutil.exe, you may receive the following error message:

ErrNumber: -2146893792 (0x80090020)

Error Trying To ENUM the Object (GetObject Failed): w3svc

 * Terminal Services Licensing may not start, and the following event may be generated:

Event ID 39

Source: TermSrvLicensing

Event String: Can't generate new public/private keys because of error 'Can't acquire Crypt Context, error 80090016.

When you try to manually start the service, you may receive the following error message:

Windows could not start the Terminal Services Licensing on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -1073676287.

 * Autoenrollment fails, and the following event may be generated:

Event Type: Warning

Event Source: Winlogon

Event Category: None

Event ID: 1010

Date: 3/28/2002

Time: 8:30:19 PM

User: N/A

Computer:

Description:

Automatic enrollment against the certification authority  for a certificate of type DomainController has failed. (0x80090020) An internal error occurred. Another certification authority will be tried.

 * In Microsoft Internet Information Server version 5.0, if you perform certain certificate actions (for example, you request a certificate, or you import or export a certificate), you may receive one of the following error messages:

The private key that you are importing might require a cryptographic service provider that is not installed on your system.

-or-

Failed to generate the certificate request: an internal error occurred.
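The symptoms above report the same failure in three notations (signed decimal, 0x-prefixed hex and bare hex), so triage by status code is more reliable than matching message text. The following Python script is an added example, not part of the original article: it normalizes the codes found in log lines and flags those in the HRESULT facility used by CryptoAPI. The function names and sample lines are constructed for illustration, and the NTE_* names come from winerror.h rather than from this article.

```python
import re

# The two CryptoAPI codes quoted on this page; names as defined in winerror.h.
NTE_NAMES = {
    0x80090016: "NTE_BAD_KEYSET (keyset does not exist)",
    0x80090020: "NTE_FAIL (an internal error occurred)",
}
FACILITY_SSPI = 9  # HRESULT facility that carries the NTE_* error codes

# Matches 0x-prefixed hex, signed decimal, or bare 8-digit hex after "error".
CODE_RE = re.compile(
    r"0x(?P<hex>[0-9A-Fa-f]{8})\b"
    r"|(?<![\w.])(?P<dec>-\d{9,10})\b"
    r"|\berror\s+(?P<bare>[0-9A-Fa-f]{8})\b"
)

def extract_codes(line):
    """Return each distinct status code in a line as an unsigned 32-bit int."""
    codes = []
    for m in CODE_RE.finditer(line):
        if m.group("dec"):
            value = int(m.group("dec")) & 0xFFFFFFFF  # undo two's complement
        else:
            value = int(m.group("hex") or m.group("bare"), 16)
        if value not in codes:
            codes.append(value)
    return codes

def classify(code):
    """Split an HRESULT into fields and flag CryptoAPI failures."""
    failed, facility = bool(code >> 31), (code >> 16) & 0x7FF
    return {"hex": f"0x{code:08X}",
            "crypto": failed and facility == FACILITY_SSPI,
            "name": NTE_NAMES.get(code, "unlisted")}

def triage(lines):
    """Return (line, classification) for each CryptoAPI failure found."""
    found = ((line, classify(c)) for line in lines for c in extract_codes(line))
    return [(line, info) for line, info in found if info["crypto"]]

# Constructed sample: fragments of the messages quoted in SYMPTOMS.
SAMPLE = [
    "ErrNumber: -2146893792 (0x80090020)",
    "Can't acquire Crypt Context, error 80090016.",
    "refer to service-specific error code -1073676287.",
    "Unable to enumerate web sites because the following error occurred",
]
```

The service-specific code -1073676287 decodes to 0xC0010001, which is outside facility 9, so `triage(SAMPLE)` reports only the first two lines.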


CAUSE
This problem may occur because some third-party programs may set the system's Cryptography Service Provider (CSP) on Windows 2000 to a provider that is not usable by callers that do not specify a provider. In some situations this may cause problems, for example, if a strong provider is required. The Protected Storage service calls CryptAcquireContext without passing a specific provider. If the default CSP does not support the specified algorithm, the next available CSP could be used.

This appears to be related to programs that have only been tested on Windows 2000 versions prior to Windows 2000 Service Pack 2 (SP2). Windows 2000 SP2 ensures that the system is running high encryption and that different providers may be used. Microsoft testing indicates that this issue is only reproducible on a Windows 2000 SP2-based computer or a pre-Windows 2000 SP2-based computer with the High Encryption pack installed.


RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

<pre class="fixed_text">
  Date         Time   Version          Size       File name
  -----------------------------------------------------------
  10-Jan-2002  16:23  5.0.2195.4685      123,664  Adsldp.dll
  10-Jan-2002  16:23  5.0.2195.4762      130,320  Adsldpc.dll
  10-Jan-2002  16:23  5.0.2195.4016       62,736  Adsmsext.dll
  10-Jan-2002  16:23  5.0.2195.4797      356,112  Advapi32.001
  10-Jan-2002  16:23  5.0.2195.4797       41,744  Basesrv.dll
  10-Jan-2002  16:23  5.0.2195.4571       82,704  Cmnquery.001
  10-Jan-2002  16:23  5.131.2195.4558    466,704  Crypt32.001
  10-Jan-2002  16:23  5.0.2195.4368       77,584  Cryptsvc.dll
  10-Jan-2002  16:23  5.0.2195.4141      133,904  Dnsapi.dll
  10-Jan-2002  16:23  5.0.2195.4379       91,408  Dnsrslvr.dll
  10-Jan-2002  16:23  5.0.2195.4534       41,744  Dsfolder.001
  10-Jan-2002  16:23  5.0.2195.4534      156,944  Dsquery.001
  10-Jan-2002  16:23  5.0.2195.4574      110,352  Dsuiext.001
  10-Jan-2002  16:23  5.0.2195.4630      145,680  Kdcsvc.dll
  26-Nov-2001  16:33  5.0.2195.4680      199,440  Kerberos.dll
  10-Jan-2002  16:23  5.0.2195.4797      708,880  Kernel32.dll
  04-Sep-2001  08:32  5.0.2195.4276       71,024  Ksecdd.sys
  09-Jan-2002  10:50  5.0.2195.4814      503,568  Lsasrv.dll
  09-Jan-2002  10:50  5.0.2195.4814       33,552  Lsass.exe
  07-Dec-2001  16:05  5.0.2195.4745      107,280  Msv1_0.dll
  10-Jan-2002  16:23  5.0.2195.4594      306,960  Netapi32.dll
  10-Jan-2002  16:23  5.0.2195.4686      359,184  Netlogon.dll
  10-Jan-2002  16:23  5.0.2195.4797      476,432  Ntdll.dll
  10-Jan-2002  16:23  5.0.2195.4746      916,240  Ntdsa.dll
  02-Jan-2002  21:15  5.0.2195.4805    1,665,856  Ntoskrnl.exe
  10-Jan-2002  16:23  5.0.2195.4822      119,568  Psbase.001
  10-Jan-2002  16:23  5.0.2195.4748      388,368  Samsrv.dll
  10-Jan-2002  16:23  5.0.2195.4583      128,784  Scecli.dll
  10-Jan-2002  16:23  5.0.2195.4600      299,792  Scesrv.dll
  10-Jan-2002  16:23  5.0.2195.4600       48,400  W32time.dll
  06-Nov-2001  11:43  5.0.2195.4600       56,592  W32tm.exe
  10-Jan-2002  16:23  5.0.2195.4769      125,712  Wldap32.dll
  09-Jan-2002  10:50  5.0.2195.4814      503,568  Lsasrv.dll
  10-Jan-2002  16:33  5.0.2195.4797      708,880  Kernel32.dll
  10-Jan-2002  16:37  5.0.2195.4797      476,432  Ntdll.dll
</pre>


WORKAROUND
To work around this issue, note that Protected Storage now explicitly calls the required CSP for callers that do not specify a CSP to use.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.


MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 Datacenter Program and Windows 2000 Datacenter Server Product

For more information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:

296861 How to install multiple Windows updates or hotfixes with only one reboot


© Microsoft Corporation. All rights reserved.