Spat's WebLog (Steve Patrick)

"The cryptographic operation failed due to a local security option setting"...Indeed.

Kinda a one off odd one.. but I’ve seen it  more than once… so it gets a blog entry.

Failure to install any items digitally signed.

My most recent experience was with a chap who was getting this error and failed to install MDAC update. His environment: Windows 2000 Server in an NT4 domain. ( not that the domain etc..  matters much for this to occur  )

Here was the mdac update failure:

Run MDAC_TYP.EXE and you see a popup.

After this you see another error.

---------------------------

Advanced INF Installer

---------------------------

INF Install failure.  Reason: The cryptographic operation failed due to a local security option setting.

Additionally – if you look in the local  certificate store. MMC -> add certificates snapin for local machine.

Any attempt to view any cert in the Trusted Root store you will see the failure below:

 “The cryptographic operation failed due to a local security option setting”

What is going on here?? ( yes Joe.. I am an actor... )

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

State: 63c00

Here we see the defined flags:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/wintrustsetregpolicyflags.asp

"C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\Include\WinTrust.h

The ones related to this blog are in bold below:

#define WTPF_TRUSTTEST              0x00000020  // trust any "TEST" certificate

#define WTPF_TESTCANBEVALID         0x00000080

#define WTPF_IGNOREEXPIRATION       0x00000100  // Use expiration date

#define WTPF_IGNOREREVOKATION       0x00000200  // Do revocation check

#define WTPF_OFFLINEOK_IND          0x00000400  // off-line is ok individual certs

#define WTPF_OFFLINEOK_COM          0x00000800  // off-line is ok commercial certs

#define WTPF_OFFLINEOKNBU_IND       0x00001000  // off-line is ok individual certs, no bad ui

#define WTPF_OFFLINEOKNBU_COM       0x00002000  // off-line is ok commercial certs, no bad ui

#define WTPF_VERIFY_V1_OFF          0x00010000  // turn verify of v1 certs off

#define WTPF_IGNOREREVOCATIONONTS   0x00020000  // ignore TimeStamp revocation checks

#define WTPF_ALLOWONLYPERTRUST      0x00040000  // allow only items in personal trust db.

So when it has the 0x00040000   flag set – it will only allow items in the trusted publisher store.

Most folks will find that their trusted publisher store is empty.

You can add the required trusted root cert to the trusted publisher store – or simply change the flags to State: 23c00

How would your flags be set to such a value? If you are using software restricion policies ( SAFER ) and have configured  Trusted Publisher settings perhaps?

Another time it may be handy to edit these trusted publisher  flags – is if you have a proxy\firewall which requires machine authentication and something is installing in the machine context.

Like:

Symptom: Unable to upgrade to SMS 2003 SP1 Advanced clients to SMS 2003 SP2 Advanced client.

Push install fails

Manual install fails

Installation process hangs - does not complete; does not end.

You can change the state to 23e00 which will change it so “Do revocation check.” Is off, and then perform the installation. This would be a temporary measure.

A friendlier method may be to use setreg from http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

SetReg

The SetReg utility is used to set the value of the registry keys controlling the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. When SetReg has completed the requested action, the current state of the Software Publishing State Keys is displayed.

EDIT:: one more -  if you have this set the "wrong" way - you will also get a failure trying to download new security 

updates from Windows Update web site.. you will see error: 0x80092026

spat