"The cryptographic operation failed due to a local security option setting"...Indeed.

Kinda a one off odd one.. but I’ve seen it more than once… so it gets a blog entry.

Failure to install any items digitally signed.

 

My most recent experience was with a chap who was getting this error and failed to install MDAC update. His environment: Windows 2000 Server in an NT4 domain. ( not that the domain etc.. matters much for this to occur )

 

 

Here was the mdac update failure:

Run MDAC_TYP.EXE and you see a popup.

After this you see another error.

---------------------------

Advanced INF Installer

---------------------------

INF Install failure. Reason: The cryptographic operation failed due to a local security option setting.

Additionally – if you look in the local certificate store. MMC -> add certificates snapin for local machine.

Any attempt to view any cert in the Trusted Root store you will see the failure below:

  “The cryptographic operation failed due to a local security option setting”

 

What is going on here?? ( yes Joe.. I am an actor... )

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

State: 63c00

Here we see the defined flags:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/wintrustsetregpolicyflags.asp

Value

Meaning

WTPF_TRUSTTEST

Trust any test certificate.

WTPF_TESTCANBEVALID

Check any test certificate for validity.

WTPF_IGNOREEXPIRATION

Use expiration date.

WTPF_IGNOREREVOKATION

Do revocation check.

WTPF_OFFLINEOK_IND

If the source is offline, trust any individual certificates.

WTPF_OFFLINEOK_COM

If the source is offline, trust any commercial certificates.

WTPF_OFFLINEOKNBU_IND

If the source is offline, trust any individual certificates. Do not use the user interface (UI).

WTPF_OFFLINEOKNBU_COM

If the source is offline, trust any commercial certificates. Do not use the checking UI.

WTPF_VERIFY_V1_OFF

Turn off verification of version 1.0 certificates.

WTPF_IGNOREREVOCATIONONTS

Ignore time stamp revocation checks.

WTPF_ALLOWONLYPERTRUST

Allow only items in personal trust database.

"C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\Include\WinTrust.h

The ones related to this blog are in bold below:

#define WTPF_TRUSTTEST 0x00000020 // trust any "TEST" certificate

#define WTPF_TESTCANBEVALID 0x00000080

#define WTPF_IGNOREEXPIRATION 0x00000100 // Use expiration date

#define WTPF_IGNOREREVOKATION 0x00000200 // Do revocation check

#define WTPF_OFFLINEOK_IND 0x00000400 // off-line is ok individual certs

#define WTPF_OFFLINEOK_COM 0x00000800 // off-line is ok commercial certs

#define WTPF_OFFLINEOKNBU_IND 0x00001000 // off-line is ok individual certs, no bad ui

#define WTPF_OFFLINEOKNBU_COM 0x00002000 // off-line is ok commercial certs, no bad ui

#define WTPF_VERIFY_V1_OFF 0x00010000 // turn verify of v1 certs off

#define WTPF_IGNOREREVOCATIONONTS 0x00020000 // ignore TimeStamp revocation checks

#define WTPF_ALLOWONLYPERTRUST 0x00040000 // allow only items in personal trust db.

So when it has the 0x00040000 flag set – it will only allow items in the trusted publisher store.

Most folks will find that their trusted publisher store is empty.

 

You can add the required trusted root cert to the trusted publisher store – or simply change the flags to State: 23c00

 

How would your flags be set to such a value? If you are using software restricion policies ( SAFER ) and have configured Trusted Publisher settings perhaps?

 

 

 

Another time it may be handy to edit these trusted publisher flags – is if you have a proxy\firewall which requires machine authentication and something is installing in the machine context.

Like:

 Symptom: Unable to upgrade to SMS 2003 SP1 Advanced clients to SMS 2003 SP2 Advanced client. 
 Push install fails
 Manual install fails

Installation process hangs - does not complete; does not end.

 You can change the state to 23e00 which will change it so “Do revocation check.” Is off, and then perform the installation. This would be a temporary measure.
  
 A friendlier method may be to use setreg from http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp
  

SetReg

The SetReg utility is used to set the value of the registry keys controlling the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. When SetReg has completed the requested action, the current state of the Software Publishing State Keys is displayed.

  
  
 EDIT:: one more -  if you have this set the "wrong" way - you will also get a failure trying to download new security 
 updates from Windows Update web site.. you will see error: 0x80092026
  
 spat