Microsoft KB Archive/943358

From BetaArchive Wiki

Article ID: 943358

Article Last Modified on 10/12/2007



APPLIES TO

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional



SYMPTOMS

On a computer that is running Windows XP, you visit a Web site that requires a client certificate. You are prompted to select a certificate as expected. However, after you select the appropriate certificate, you receive one of the following error messages, as appropriate for the version of Windows Internet Explorer that is running:

  • Windows Internet Explorer 7 for Windows XP

    Internet Explorer cannot display the webpage

  • Microsoft Internet Explorer 6

    The page cannot be displayed

Additionally, you experience the following symptoms:

  • The following Error event is logged in the System log:

    Event Type: Error
    Event Source: Schannel
    Event ID: 36870
    Description: A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x80090016.

  • You may receive the following error message when you try to install a certificate by using a certificate enrollment Web page such as the Microsoft Windows Certification Authority Web page:

    Unable to install the certificate:
    Error: 080090016


CAUSE

This problem occurs if the following conditions are both true:

  • Your user profile is located on a drive that is formatted with the NTFS file system.
  • You do not have sufficient rights to the private key in the user profile.

This problem may occur if the default permissions in the profile folder structure have been modified. This problem occurs if your user account is no longer listed in the Permissions list for the profile folder.

Note Because the FAT file system and the FAT32 file system do not support security permissions on files and on folders, you do not experience this problem if the profile is located on a drive that is formatted to use the FAT file system.

RESOLUTION

To resolve this problem, grant the appropriate rights to the private key. To do this, use one of the following methods.

Method 1: Use the command line

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER:

    cacls "%appdata%\Microsoft\Crypto\RSA" /t /e /c /g %userdomain%\%username%:F

  3. Exit the Command Prompt window, and then exit Windows Internet Explorer, if it is running.

Method 2: Use the graphical user interface (GUI)

  1. If you are running Windows XP Home Edition, start the computer in safe mode. To do this, follow these steps:
    1. Start the computer, and then press F8 repeatedly.
    2. On the startup menu that appears, use the ARROW keys to select Safe Mode, and then press ENTER.
  2. Log on to Windows by using your user account.
  3. Configure Windows to show hidden files and folders. To do this, follow these steps:
    1. Click Start, and then click My Computer.
    2. On the Tools menu, click Folder Options.
    3. Click the View tab, click Show hidden files and folders, and then click OK.
  4. Start Windows Explorer, and then locate the following folder:

    drive:\Documents and Settings\userName\Application Data\Microsoft\Crypto

  5. Right-click the RSA folder, and then click Properties.
  6. Click the Security tab, and then click Advanced.

    Note The default permissions that appear in the Permission entries list on the Permissions tab are listed in the "More Information" section. By default, these permissions are inherited from your profile folder.
  7. Click to select the Replace permission entries on all child objects with entries shown here that apply to child objects check box, and then click OK.
  8. Click Yes when you are prompted to replace the permissions, and then click OK.
  9. If you are running Windows XP Home Edition, restart the computer in normal mode.


MORE INFORMATION

The following table displays the default permissions that appear in the Permission entries list on the Permissions tab of the Advanced Security Settings for RSA dialog box in Windows XP.

Type   Name            Permission    Inherited From                      Apply To
Allow  UserName        Full Control  C:\Documents and Settings\UserName  This folder, subfolders and files
Allow  SYSTEM          Full Control  C:\Documents and Settings\UserName  This folder, subfolders and files
Allow  Administrators  Full Control  C:\Documents and Settings\UserName  This folder, subfolders and files
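
A read-only check for the condition described under CAUSE, comparing each item in the RSA folder against the three default entries in the table above. This is an added example, not part of the original Microsoft article; it assumes PowerShell 3.0 or later (not included with Windows XP), and the function name Test-RsaKeyAcl is hypothetical.

```powershell
# Added example (not from the original article). Read-only: changes no permissions.
# Reports items under the per-user RSA key store that lack an "Allow Full Control"
# entry (explicit or inherited) for the current user, SYSTEM, or Administrators.
# Limits: access gained only through other groups and Deny entries are not evaluated.
$rsaRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators.
$expected = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$expected[$me.User.Value] = $me.Name

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType = [System.Security.Principal.SecurityIdentifier]

function Test-RsaKeyAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The ACL itself cannot be read: the account has lost access to this item.
        return [pscustomobject]@{
            Path    = $Path
            Missing = 'ACL unreadable: ' + $_.Exception.Message
        }
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules   = $acl.GetAccessRules($true, $true, $sidType)
    $missing = foreach ($sid in $expected.Keys) {
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $hit) { $expected[$sid] }
    }
    if ($missing) {
        [pscustomobject]@{ Path = $Path; Missing = ($missing -join ', ') }
    }
}

# -Force includes hidden and system items; key container files are normally both.
$items = @(Get-Item -LiteralPath $rsaRoot -Force -ErrorAction Stop) +
         @(Get-ChildItem -LiteralPath $rsaRoot -Recurse -Force -ErrorAction SilentlyContinue)
$findings = $items | ForEach-Object { Test-RsaKeyAcl -Path $_.FullName }

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "All $($items.Count) items carry the default Full Control entries." }
```

Any path listed with the current account under Missing matches the condition that Method 1 or Method 2 corrects.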

