"The cryptographic operation failed due to a local security option setting"…Indeed.


Kinda a one off odd one.. but I’ve seen it  more than once… so it gets a blog entry.

Symptom: failure to install anything that is digitally signed.

My most recent experience was with a chap who was getting this error and failed to install an MDAC update. His environment: Windows 2000 Server in an NT4 domain (not that the domain etc. matters much for this to occur).

Here was the MDAC update failure:

Run MDAC_TYP.EXE and you see a popup.

After this you see another error:

—————————
Advanced INF Installer
—————————
INF Install failure.  Reason: The cryptographic operation failed due to a local security option setting.

Additionally, if you look in the local certificate store (MMC -> add the Certificates snap-in for the local machine), any attempt to view any cert in the Trusted Root store will fail with:

"The cryptographic operation failed due to a local security option setting"

What is going on here?? ( yes Joe.. I am an actor… )

Look at the State value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

State: 63c00

Here we see the defined flags:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/wintrustsetregpolicyflags.asp

Value                       Meaning
WTPF_TRUSTTEST              Trust any test certificate.
WTPF_TESTCANBEVALID         Check any test certificate for validity.
WTPF_IGNOREEXPIRATION       Use expiration date.
WTPF_IGNOREREVOKATION       Do revocation check.
WTPF_OFFLINEOK_IND          If the source is offline, trust any individual certificates.
WTPF_OFFLINEOK_COM          If the source is offline, trust any commercial certificates.
WTPF_OFFLINEOKNBU_IND       If the source is offline, trust any individual certificates. Do not use the user interface (UI).
WTPF_OFFLINEOKNBU_COM       If the source is offline, trust any commercial certificates. Do not use the checking UI.
WTPF_VERIFY_V1_OFF          Turn off verification of version 1.0 certificates.
WTPF_IGNOREREVOCATIONONTS   Ignore time stamp revocation checks.
WTPF_ALLOWONLYPERTRUST      Allow only items in personal trust database.

From C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\Include\WinTrust.h:

The ones relevant to this post are WTPF_ALLOWONLYPERTRUST (0x00040000) and WTPF_IGNOREREVOKATION (0x00000200):

#define WTPF_TRUSTTEST              0x00000020  // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID         0x00000080
#define WTPF_IGNOREEXPIRATION       0x00000100  // Use expiration date
#define WTPF_IGNOREREVOKATION       0x00000200  // Do revocation check
#define WTPF_OFFLINEOK_IND          0x00000400  // off-line is ok individual certs
#define WTPF_OFFLINEOK_COM          0x00000800  // off-line is ok commercial certs
#define WTPF_OFFLINEOKNBU_IND       0x00001000  // off-line is ok individual certs, no bad ui
#define WTPF_OFFLINEOKNBU_COM       0x00002000  // off-line is ok commercial certs, no bad ui
#define WTPF_VERIFY_V1_OFF          0x00010000  // turn verify of v1 certs off
#define WTPF_IGNOREREVOCATIONONTS   0x00020000  // ignore TimeStamp revocation checks
#define WTPF_ALLOWONLYPERTRUST      0x00040000  // allow only items in personal trust db.

So when it has the 0x00040000 flag (WTPF_ALLOWONLYPERTRUST) set, it will only allow items in the Trusted Publishers store.

Most folks will find that their Trusted Publishers store is empty.

You can add the required trusted root cert to the Trusted Publishers store, or simply change the flags to State: 23c00 (the same value with the 0x00040000 bit cleared).

How would your flags be set to such a value? If you are using Software Restriction Policies (SAFER) and have configured the Trusted Publisher settings, perhaps?

Another time it may be handy to edit these trusted publisher flags is if you have a proxy/firewall which requires machine authentication and something is installing in the machine context.

Like:

Symptom: Unable to upgrade SMS 2003 SP1 Advanced Clients to SMS 2003 SP2 Advanced Client.
Push install fails.
Manual install fails.
Installation process hangs: does not complete; does not end.

You can change the state to 23e00, which turns "Do revocation check." off, and then perform the installation. This would be a temporary measure.

A friendlier method may be to use SetReg from http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

SetReg

The SetReg utility is used to set the value of the registry keys controlling the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. When SetReg has completed the requested action, the current state of the Software Publishing State Keys is displayed.

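SetReg prints the same State value that this post edits by hand. The decoder below is an added example, not code from the original post or from Microsoft; it only uses the WTPF_* bit values quoted from WinTrust.h above, and it reproduces both the 63c00 -> 23c00 change and the temporary 23e00 state described earlier.

```python
# Decoder for the WinTrust "Software Publishing" State DWORD discussed in
# this post. Added example, not the post's or Microsoft's code; the bit
# values are the WTPF_* constants quoted from WinTrust.h above.
WTPF_FLAGS = {
    "WTPF_TRUSTTEST":            0x00000020,
    "WTPF_TESTCANBEVALID":       0x00000080,
    "WTPF_IGNOREEXPIRATION":     0x00000100,
    "WTPF_IGNOREREVOKATION":     0x00000200,
    "WTPF_OFFLINEOK_IND":        0x00000400,
    "WTPF_OFFLINEOK_COM":        0x00000800,
    "WTPF_OFFLINEOKNBU_IND":     0x00001000,
    "WTPF_OFFLINEOKNBU_COM":     0x00002000,
    "WTPF_VERIFY_V1_OFF":        0x00010000,
    "WTPF_IGNOREREVOCATIONONTS": 0x00020000,
    "WTPF_ALLOWONLYPERTRUST":    0x00040000,
}
KNOWN_MASK = sum(WTPF_FLAGS.values())

def parse_state(state):
    """Accept the value as regedit shows it ("63c00" or "0x63c00") or an int."""
    return int(state, 16) if isinstance(state, str) else int(state)

def decode_state(state):
    """Names of the WTPF_* bits set in `state`, lowest bit first."""
    value = parse_state(state)
    names = [n for n, bit in sorted(WTPF_FLAGS.items(), key=lambda kv: kv[1])
             if value & bit]
    if value & ~KNOWN_MASK:  # bits WinTrust.h does not name
        names.append("UNKNOWN_0x%x" % (value & ~KNOWN_MASK))
    return names

def with_flag(state, name, enabled):
    """State string (as regedit shows it) with flag `name` set or cleared."""
    value, bit = parse_state(state), WTPF_FLAGS[name]
    return format(value | bit if enabled else value & ~bit, "x")

def diagnose(state):
    """One-line reading of the two states this post is concerned with."""
    flags = decode_state(state)
    if "WTPF_ALLOWONLYPERTRUST" in flags:
        return "only items in the Trusted Publishers store are allowed"
    if "WTPF_IGNOREREVOKATION" in flags:
        return "WTPF_IGNOREREVOKATION set: the post's temporary 23e00 state"
    return "publisher policy not restricted by either flag"

if __name__ == "__main__":
    for s in ("63c00", "23c00", "23e00"):
        print(s, decode_state(s), "->", diagnose(s))
```

Run it against the value SetReg or regedit shows you; anything reported as UNKNOWN_ is a bit outside the WinTrust.h list and worth a second look before changing it.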
EDIT: one more. If you have this set the "wrong" way, you will also get a failure trying to download new security updates from the Windows Update web site; you will see error: 0x80092026

spat

Comments (18)

  1. Thomas Bennett says:

    Thanks a million for this one.  I’ve been trying to resolve it for weeks!  I have a Windows 2003 DC that wouldn’t get updates and installing them manually was a pain.

  2. SpatDSG says:

    wow – cool , im glad to see it helped someone! Maybe this blog thing really works… ive been wondering if any of these tips mini KB’s help anyone. thx for the feedback!

  3. Richard says:

    Hi, i am getting this on a site and this is affecting all the DCs. Tried the flags (were set as recommended already) so not sure what else to try from here?

  4. SpatDSG says:

    You may also want to try some of the steps in http://support.microsoft.com/kb/822798

  5. I’ve been seeing this error for a while now  – not only on Windows Update but also because it prevents Windows Live Messenger from signing in… I must have visited dozens of sites which suggest the options noted in the KB article that SpatDSG posted earlier, but nothing worked except your solution. Great work!

  6. Richard Yawe says:

    After days of reading, fussing and cussing, this solved my problem. Thanx a million

  7. max424ever says:

    Wonderfull !!!

    Thank you

    m@x

  8. Tom in Tulsa says:

    Yet another salvation story! I grumbled about my MS installer failure problems for weeks until I happened to try and set up a secure website on this server and noticed the certificate error. That’s when I found this site and it fixed me right up. Thanks a bunch!

  9. SpatDSG says:

    Wow – thanks! 🙂 Yaknow the interesting thing about this post – is that I started the thing with saying "Kinda a one off odd one.. but I’ve seen it  more than once… so it gets a blog entry."  But there seem to be quite a few of these cases.. I wonder how the policy is being changed.

    odd.

  10. Lars Petter Hosøy says:

    Thanks – I had major problems starting Symantec Antivirus and accessing Windows Update. I knew it was a code signing problem, but I was unable to find how to cure it. To fix the problem I applied your solution, but instead of HKEY_CURRENT_USER I had to change the settings under HKEY_USERS\S-1-5-18\Software… to get the settings applied to LocalSystem.

    -LarsP

  11. ccraig@lt says:

    This may also come into play if you enable the Trusted Publishers settings in the W2K8\Vista Certificate Path Validation Settings policy.

    Example:

    The setting "Allow only enterprise administrators to manage Trusted Publishers" will stop the Windows Defender service from starting.

    Log Name:      System

    Source:        Service Control Manager

    Date:          4/4/2008 1:07:10 PM

    Event ID:      7023

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      DarkStar.ds1.ltcorp.tree

    Description: The Windows Defender service terminated with the following error: The cryptographic operation failed due to a local security option setting.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

     <System>

       <Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />

       <EventID Qualifiers="49152">7023</EventID>

       <Version>0</Version>

       <Level>2</Level>

       <Task>0</Task>

       <Opcode>0</Opcode>

       <Keywords>0x80000000000000</Keywords>

       <TimeCreated SystemTime="2008-04-04T17:07:10.000Z" />

       <EventRecordID>12644</EventRecordID>

       <Correlation />

       <Execution ProcessID="0" ThreadID="0" />

       <Channel>System</Channel>

       <Computer>DarkStar.ds1.ltcorp.tree</Computer>

       <Security />

     </System>

     <EventData>

       <Data Name="param1">Windows Defender</Data>

       <Data Name="param2">%%2148081702</Data>

     </EventData>

    </Event>

  12. Simon says:

    Your solution works like a charm.  Once I change the state to 23c00 the install worked.

    So simple and quick compared to the microsoft solutions (which didn’t work).

    MANY MANY THANKS.

    Simon

  13. Ben Northway says:

    Thank you! I unwittingly activated Software Restriction Policies and this caused no small amount of head banging.

    Ben Northway

  14. Hello, I had to change it back to 63c00 to make my windows update work.

    http://msn-errors.blogspot.com/2007/02/fix-8004888d-error.html

  15. Serkan says:

    thanks soo much for this solution man , u really helped a lot  

  16. aleena says:

    I really love your write-ups guys continue the good work.

    adt security reviews: http://www.best-5-home-security-companies.com/

  17. Flywolf says:

    This solved my Problems with WindowsUpdates, DirectX Update, Origin and GTA5.

    I nearly reistalled Windows because of this. But everything seems to be back to normal now. Thanks a lot!