Spat's WebLog (Steve Patrick)

When things go wrong...

"The cryptographic operation failed due to a local security option setting"...Indeed.

"The cryptographic operation failed due to a local security option setting"...Indeed.

  • Comments 17

Kinda a one off odd one.. but I’ve seen it  more than once… so it gets a blog entry.

 

 

 

Failure to install any items digitally signed.

 

My most recent experience was with a chap who was getting this error and failed to install MDAC update. His environment: Windows 2000 Server in an NT4 domain. ( not that the domain etc..  matters much for this to occur  )

 

 

Here was the mdac update failure:

Run MDAC_TYP.EXE and you see a popup.

 

 

 

After this you see another error.

 

---------------------------

Advanced INF Installer

---------------------------

INF Install failure.  Reason: The cryptographic operation failed due to a local security option setting.

 

 

 

Additionally – if you look in the local  certificate store. MMC -> add certificates snapin for local machine.

 

 

 

 

 

 

Any attempt to view any cert in the Trusted Root store you will see the failure below:

 “The cryptographic operation failed due to a local security option setting”

 

 

 

 

 

What is going on here?? ( yes Joe.. I am an actor... )

 

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

 

State: 63c00

 

Here we see the defined flags:

 

 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/wintrustsetregpolicyflags.asp

 

Value

Meaning

WTPF_TRUSTTEST

Trust any test certificate.

WTPF_TESTCANBEVALID

Check any test certificate for validity.

WTPF_IGNOREEXPIRATION

Use expiration date.

WTPF_IGNOREREVOKATION

Do revocation check.

WTPF_OFFLINEOK_IND

If the source is offline, trust any individual certificates.

WTPF_OFFLINEOK_COM

If the source is offline, trust any commercial certificates.

WTPF_OFFLINEOKNBU_IND

If the source is offline, trust any individual certificates. Do not use the user interface (UI).

WTPF_OFFLINEOKNBU_COM

If the source is offline, trust any commercial certificates. Do not use the checking UI.

WTPF_VERIFY_V1_OFF

Turn off verification of version 1.0 certificates.

WTPF_IGNOREREVOCATIONONTS

Ignore time stamp revocation checks.

WTPF_ALLOWONLYPERTRUST

Allow only items in personal trust database.

 

 

 

"C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\Include\WinTrust.h

 

 

The ones related to this blog are in bold below:

 

 

#define WTPF_TRUSTTEST              0x00000020  // trust any "TEST" certificate

#define WTPF_TESTCANBEVALID         0x00000080

#define WTPF_IGNOREEXPIRATION       0x00000100  // Use expiration date

#define WTPF_IGNOREREVOKATION       0x00000200  // Do revocation check

#define WTPF_OFFLINEOK_IND          0x00000400  // off-line is ok individual certs

#define WTPF_OFFLINEOK_COM          0x00000800  // off-line is ok commercial certs

#define WTPF_OFFLINEOKNBU_IND       0x00001000  // off-line is ok individual certs, no bad ui

#define WTPF_OFFLINEOKNBU_COM       0x00002000  // off-line is ok commercial certs, no bad ui

#define WTPF_VERIFY_V1_OFF          0x00010000  // turn verify of v1 certs off

#define WTPF_IGNOREREVOCATIONONTS   0x00020000  // ignore TimeStamp revocation checks

#define WTPF_ALLOWONLYPERTRUST      0x00040000  // allow only items in personal trust db.

 

So when it has the 0x00040000   flag set – it will only allow items in the trusted publisher store.

Most folks will find that their trusted publisher store is empty.

 

You can add the required trusted root cert to the trusted publisher store – or simply change the flags to State: 23c00

 

How would your flags be set to such a value? If you are using software restricion policies ( SAFER ) and have configured  Trusted Publisher settings perhaps?

 

 

 

 

Another time it may be handy to edit these trusted publisher  flags – is if you have a proxy\firewall which requires machine authentication and something is installing in the machine context.

 

Like:

 

Symptom: Unable to upgrade to SMS 2003 SP1 Advanced clients to SMS 2003 SP2 Advanced client.
Push install fails
Manual install fails

Installation process hangs - does not complete; does not end.

 

You can change the state to 23e00 which will change it so “Do revocation check.” Is off, and then perform the installation. This would be a temporary measure.
 
A friendlier method may be to use setreg from http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp
 

SetReg

The SetReg utility is used to set the value of the registry keys controlling the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. When SetReg has completed the requested action, the current state of the Software Publishing State Keys is displayed.

 
 
EDIT:: one more -  if you have this set the "wrong" way - you will also get a failure trying to download new security 
updates from Windows Update web site.. you will see error: 0x80092026
 
spat
 
 
 
 
 
Leave a Comment
  • Please add 4 and 5 and type the answer here:
  • Post
  • Thanks a million for this one.  I've been trying to resolve it for weeks!  I have a Windows 2003 DC that wouldn't get updates and installing them manually was a pain.
  • wow - cool , im glad to see it helped someone! Maybe this blog thing really works... ive been wondering if any of these tips \ mini KB's help anyone. thx for the feedback!
  • Hi, i am getting this on a site and this is affecting all the DCs. Tried the flags (were set as recommended already) so not sure what else to try from here?
  • You may also want to try some of the steps in http://support.microsoft.com/kb/822798
  • I've been seeing this error for a while now  - not only on Windows Update but also because it prevents Windows Live Messenger from signing in... I must have visited dozens of sites which suggest the options noted in the KB article that SpatDSG posted earlier, but nothing worked except your solution. Great work!
  • After days of reading, fussing and cussing, this solved my problem. Thanx a million

  • Wonderfull !!!

    Thank you

    m@x

  • Yet another salvation story! I grumbled about my MS installer failure problems for weeks until I happened to try and set up a secure website on this server and noticed the certificate error. That's when I found this site and it fixed me right up. Thanks a bunch!

  • Wow - thanks! :) Yaknow the interesting thing about this post - is that I started the thing with saying "Kinda a one off odd one.. but I’ve seen it  more than once… so it gets a blog entry."  But there seem to be quite a few of these cases.. I wonder how the policy is being changed.

    odd.

  • Thanks - I had major problems starting Symantec Antivirus and accessing Windows Update. I knew it was a code signing problem, but I was unable to find how to cure it. To fix the problem I applied your solution, but instead of HKEY_CURRENT_USER I had to change the settings under HKEY_USERS\S-1-5-18\Software... to get the settings applied to LocalSystem.

    -LarsP

  • This may also comes into play if you enable the Trusted Publishers settings in W2K8\Vista Certificate Path Validation Settings policy.

    Example:

    The setting "Allow only enterprise administrators to manage Trusted Publishers" will stop the Windows Defender service from starting.

    Log Name:      System

    Source:        Service Control Manager

    Date:          4/4/2008 1:07:10 PM

    Event ID:      7023

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      DarkStar.ds1.ltcorp.tree

    Description: The Windows Defender service terminated with the following error: The cryptographic operation failed due to a local security option setting.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

     <System>

       <Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />

       <EventID Qualifiers="49152">7023</EventID>

       <Version>0</Version>

       <Level>2</Level>

       <Task>0</Task>

       <Opcode>0</Opcode>

       <Keywords>0x80000000000000</Keywords>

       <TimeCreated SystemTime="2008-04-04T17:07:10.000Z" />

       <EventRecordID>12644</EventRecordID>

       <Correlation />

       <Execution ProcessID="0" ThreadID="0" />

       <Channel>System</Channel>

       <Computer>DarkStar.ds1.ltcorp.tree</Computer>

       <Security />

     </System>

     <EventData>

       <Data Name="param1">Windows Defender</Data>

       <Data Name="param2">%%2148081702</Data>

     </EventData>

    </Event>

  • Your solution works like a charm.  Once I change the state to 23c00 the install worked.

    So simple and quick compared to the microsoft solutions (which didn't work).

    MANY MANY THANKS.

    Simon

  • Thank you! I unwittingly activated Software Restriction Policies and this caused no small amount of head banging.

    Ben Northway

  • PingBack from http://www.hilpers.com/1175925-update-ueber-wsus-schlaegt-fehl

  • Hello, I had to change it back to 63c00 to make my windows update work.

    http://msn-errors.blogspot.com/2007/02/fix-8004888d-error.html

Page 1 of 2 (17 items) 12