Discussion:
AcquireCredentialsHandle fails with SEC_E_UNKNOWN_CREDENTIALS
Victor I. Zaslavsky
2003-07-12 08:18:18 UTC
Hi folks,

AcquireCredentialsHandle fails on one of my servers with the
SEC_E_UNKNOWN_CREDENTIALS error code. Unfortunately, I have found no tip
to understand why it happens.

Any help will be very much appreciated.

Victor.
Yu Chen [MS]
2003-07-14 18:17:55 UTC
Usually this error code is returned when you are passing in an unknown or
bad credential in pAuthData. What account is your program running as (i.e.
domain account or local account)? And what do you pass in pAuthData (what's
the domain and account)? If your program is running as local account but you
pass in a domain account in pAuthData you'll see this error.
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Victor I. Zaslavsky
2003-07-15 11:43:10 UTC
Hi,

1. Logon is done as a domain user who is a member of the local Administrators
group.

2. The certificate was found using the following code:

PCCERT_CONTEXT WINAPI CServerCredentials::CertFindForServerUsage(HCERTSTORE hCertStore,
                                                                  PCCERT_CONTEXT pStart)
{
    CTL_USAGE cu;
    LPSTR szArr[1];

    // match certificates whose enhanced key usage includes Server Authentication
    szArr[0] = szOID_PKIX_KP_SERVER_AUTH;
    cu.cUsageIdentifier = 1;
    cu.rgpszUsageIdentifier = szArr;

    // pStart (the previous match, or NULL on the first call) is released by
    // CertFindCertificateInStore itself, so the caller must not free it again
    return CertFindCertificateInStore(hCertStore, X509_ASN_ENCODING, 0,
                                      CERT_FIND_CTL_USAGE, &cu, pStart);
}

3. Credential handle is obtained using

// try every server-auth certificate in the store until one is accepted
for (m_pCertContext = NULL, Status = -1; FAILED(Status); )
{
    m_pCertContext = CertFindForServerUsage(m_hMyCertStore, m_pCertContext);

    if (m_pCertContext == NULL)
    {
        Status = SEC_E_NO_CREDENTIALS;   // no (more) matching certificates
        break;
    }

    ZeroMemory(&m_SchannelCred, sizeof(m_SchannelCred));

    m_SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
    m_SchannelCred.dwMinimumCipherStrength = 80;
    m_SchannelCred.cCreds = 1;
    m_SchannelCred.paCred = &m_pCertContext;
    m_SchannelCred.hRootStore = m_hMyCertStore;
    m_SchannelCred.grbitEnabledProtocols = 0;   // let Schannel select a protocol
    m_SchannelCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS |
                             SCH_CRED_NO_SYSTEM_MAPPER |
                             SCH_CRED_REVOCATION_CHECK_CHAIN;

    Status = pSecurityFunc->AcquireCredentialsHandle(NULL,
                                                     UNISP_NAME,
                                                     SECPKG_CRED_INBOUND,
                                                     NULL,
                                                     &m_SchannelCred,
                                                     NULL,
                                                     NULL,
                                                     &m_hCreds,
                                                     &m_tsExpiry);
}

At that point the return code is SEC_E_UNKNOWN_CREDENTIALS. The problem does
not occur on every computer.

Regards,
Victor.
Victor I. Zaslavsky
2003-07-16 11:03:20 UTC
System log:
"A fatal error occurred when attempting to access the SSL server credential
private key. The error code returned from the cryptographic module is
0x80090016."

The same error appears when EventLogging=1.

Thanks,
Victor.
Post by Yu Chen [MS]
Set the following registry value (assuming you are running on W2k/XP/W2k3):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000007
Reboot the machine and run your program for a repro. When the
AcquireCredentialsHandle call fails, do you see any interesting event
related to "Schannel" logged in the application event log?
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Yu Chen [MS]
2003-07-16 17:51:31 UTC
That error means the private key of the server certificate context you
passed into AcquireCredentialsHandle is bad. You can try to delete the old
certificate and install a new one and see if the problem goes away.
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Victor I. Zaslavsky
2003-07-19 11:07:16 UTC
Yes,

I've done it already several times - it was the first thing I did.

I use MMC Certificates snap-in to obtain certificate.

The problem occurs on Compaq Evo N800v with WinXP Professional. I have
attached the system information file.

BTW, I have some problem with "DecryptMessage" function (see my post "How to
decrypt message in parts"). Can you point me to somebody who can help me?

Thanks in advance,

Victor.
Yu Chen [MS]
2003-07-21 21:22:51 UTC
If this only happens on one particular WinXP machine, maybe something is
wrong with the machine. If you have other WinXP machines, do you see the
same problem on them?

As to the DecryptMessage question, I don't think you can pass in separate
header and trailer buffers.
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Victor I. Zaslavsky
2003-07-22 08:07:36 UTC
This is the only Compaq Evo with XP we have. On other XP machines it works
as well as on Win2K machines.

Regards,
Victor.
Vishal Mishra [MS]
2003-07-22 00:35:19 UTC
How do you generate/acquire your server certificate?
SEC_E_UNKNOWN_CREDENTIALS mostly implies that the server certificate is bad.

One of the reasons I have seen recently is:
You need to use a PROV_RSA_SCHANNEL or PROV_DH_SCHANNEL CSP when you enroll
for a server certificate.
E.g. when using the "makecert" utility, please specify the SChannel CSP with
the switch -sy 12. The -sy switch specifies the CSP type, and 12 specifies
RSA Schannel (18 for DH Schannel).
--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm
Victor I. Zaslavsky
2003-07-22 08:02:52 UTC
I use the MMC snap-in in order to obtain the certificate:

1. Run MMC using Start/Run/MMC.exe
2. Add the "Certificates" snap-in, computer account, local computer
3. Right-click on "Console Root/Certificates/Personal/Certificates" and choose the "All tasks/Request new certificate" menu item
4. Set the "Advanced" checkbox on the "Certificate Type" wizard dialog
5. Select "Microsoft RSA..." and key length 1024 in the Cryptographic Service Providers wizard dialog
6. I automatically have "CHIPPC-CA" in the CA edit box and our Exchange server computer name in the Computer edit box of the Certification Authority wizard page
7. Type some friendly name

The "The certificate request was successful." message box appears after I press the Finish button, and the new certificate enters the certificate list.

The displayed purposes of the certificate are:

- Proves your identity to a remote computer
- Ensures the identity of a remote computer

Regards,
Victor.
John Banes [MS]
2003-07-22 06:33:43 UTC
Ah, the dreaded NTE_BAD_KEYSET error code. This means that the private key
cannot be decrypted or cannot be accessed.

The most common reason for this error being returned when trying to use a
server certificate is that the certificate (and private key) was created
under one account (the administrator, say), and the server application is
trying to access it while running under a different account.

Is anything like this applicable to your situation?

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
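The checks the Microsoft replies in this thread ask for (John Banes' question about which account created the key, Vishal Mishra's point about the CSP type, and Yu Chen's Schannel event logging) collected into one PowerShell diagnostic. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, and it must be run under the same account the Schannel server application runs as, since that is exactly the mismatch being tested for. The function names and the CSP-type table are my own.

```powershell
# Added diagnostic for the failure discussed in this thread; not code from the thread
# or from Microsoft. Assumes Windows PowerShell 5.1 (.NET Framework 4.6+) and that it
# is run under the SAME account the Schannel server application runs as.

$NTE_BAD_KEYSET  = '80090016'          # HRESULT quoted in the thread's Schannel event text
$SERVER_AUTH_OID = '1.3.6.1.5.5.7.3.1' # szOID_PKIX_KP_SERVER_AUTH
$SchannelCspTypes = @{ 12 = 'PROV_RSA_SCHANNEL'; 18 = 'PROV_DH_SCHANNEL' }

# Same selection the thread's CertFindForServerUsage makes: certificates in the
# LocalMachine "My" store whose enhanced key usage names Server Authentication.
function Get-ServerAuthCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SERVER_AUTH_OID }
}

# Try to open the certificate's private key from this account and report what the
# replies ask about: CSP type, machine vs. user key store, and the HRESULT on failure.
function Test-PrivateKeyAccess {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $r = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        Accessible    = $false
        ProviderName  = $null
        ProviderType  = $null
        MachineKey    = $null
        Container     = $null
        Error         = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$r }

    try {
        # Legacy CSP keys (what the thread's MMC enrollment wizard creates) surface as
        # RSACryptoServiceProvider; CNG keys return $null here and need the extension method.
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $key.CspKeyContainerInfo
            $r.ProviderName = $info.ProviderName
            $r.ProviderType = $info.ProviderType
            $r.MachineKey   = $info.MachineKeyStore
            $r.Container    = $info.KeyContainerName
        }
        elseif ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            $r.ProviderName = 'CNG key storage provider'
        }
        if ($null -eq $key) { throw 'certificate claims a private key but none could be opened' }
        $r.Accessible = $true
    }
    catch {
        # CryptographicException.HResult carries the CSP error; 0x80090016 is NTE_BAD_KEYSET.
        $hex = '{0:X8}' -f $_.Exception.HResult
        $r.Error = "0x$hex $($_.Exception.Message)"
        if ($hex -eq $NTE_BAD_KEYSET) { $r.Error = "0x$hex NTE_BAD_KEYSET (key set does not exist or is not accessible from this account)" }
    }
    [pscustomobject]$r
}

# The registry value Yu Chen asks for, plus whatever Schannel has logged recently.
function Get-SchannelLoggingState {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $level = (Get-ItemProperty -Path $path -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    [pscustomobject]@{ EventLogging = $level; ThreadSuggests = 7 }
}

function Get-RecentSchannelEvents {
    param([int] $Last = 10)
    # Current Windows writes Schannel events to the System log (the thread's era used Application).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# ---- run the checks ----
$certs = @(Get-ServerAuthCertificates)
if ($certs.Count -eq 0) {
    Write-Warning 'No Server Authentication certificate in LocalMachine\My: the thread''s loop would end with SEC_E_NO_CREDENTIALS.'
}
foreach ($c in $certs) {
    $res = Test-PrivateKeyAccess -Cert $c
    $res | Format-List
    if ($res.HasPrivateKey -and -not $res.Accessible) {
        Write-Warning "$($res.Thumbprint): private key not usable from this account: $($res.Error)"
    }
    if ($res.MachineKey -eq $false) {
        Write-Warning "$($res.Thumbprint): key is in a user key store, so a service or another account cannot reach it (the account mismatch John Banes describes)."
    }
    if ($null -ne $res.ProviderType -and -not $SchannelCspTypes.ContainsKey([int]$res.ProviderType)) {
        Write-Warning "$($res.Thumbprint): CSP type $($res.ProviderType) is not PROV_RSA_SCHANNEL (12) or PROV_DH_SCHANNEL (18)."
    }
}
Get-SchannelLoggingState
Get-RecentSchannelEvents -Last 10
```

A certificate that reports HasPrivateKey but fails with 0x80090016 from the service account, while opening fine from the enrolling administrator's session, is the account-mismatch case; a key that opens but sits in a non-Schannel CSP type is the enrollment case Vishal Mishra describes.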
Victor I. Zaslavsky
2003-07-22 08:05:29 UTC
Unfortunately, it isn't.
I use the same account for both obtaining the certificate and running the
application.

Regards,
Victor.
Victor I. Zaslavsky
2003-07-22 15:01:37 UTC
Hi folks,

The problem has disappeared somehow.

Regards,
Victor.