Tuesday, September 30, 2014

Error obtaining generating internal key store for PROV_RSA_FULL

In this case, a friend of mine was complaining that for some reason he was unable to sign documents on a web site which requires him to prove his identity with certificates stored on a token. The client operating system was Windows 8. Instead of a popup for the token PIN, there was an error message (WinCAPICryptoProvider() - Error obtaining generating internal key store for PROV_RSA_FULL):

I suspected that something was wrong with the user's certificates. Certmgr.msc showed his certificates in the Personal folder, and all of them had a private key. Since all of the certificates were stored on a token, I deleted all the certificates from the Personal certificate store. After reinserting the USB token, the Certificate Propagation service successfully copied the certificates from the token into the user's Personal certificate store. I was hoping that the problem was solved, but the same message from Internet Explorer popped up, and he was still unable to sign the documents.
Next, I checked the ActiveX component. The web site for signing documents used an ActiveX component; that component was installed and was not disabled in Internet Explorer. The web site was located in the Trusted Sites zone.
Now, before creating a new user profile and migrating all the documents and settings from the old profile to the new one, I decided to check the crypto folder. The location of this folder is the following path: C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA\User's SID. First, I backed up the User's SID folder, and after that I deleted the folder from the C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA location.
And finally, when he accessed the web site to sign the documents, there was a popup to enter the PIN from the token, and he was able to sign the documents. The case was successfully closed.
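
The folder reset described above, as an added PowerShell example that is not part of the original post: it lists the Personal store certificates (the certmgr.msc check), backs up the current user's RSA key container folder and then removes it. It assumes that every private key the user needs is on the token, since the same folder also holds any software-stored CAPI private keys and removing those is only recoverable from the backup.

```powershell
# Added example (not from the original post): back up and reset the current user's
# CAPI RSA key container folder, which the post identified as the cause of the error.
# Assumption: all of the user's signing certificates live on the token, so nothing in
# this folder is the only copy of a private key. Run it in the affected user's session.

$rsaRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'   # C:\Users\<user>\AppData\Roaming\...
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$store   = Join-Path $rsaRoot $sid                          # the "User's SID" folder from the post

# 1. The same check the post did in certmgr.msc: which Personal certs claim a private key.
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Subject, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# 2. Stop if the container folder is not where the post says it should be.
if (-not (Test-Path $store)) {
    Write-Warning "No RSA key container folder found for SID $sid at $store"
    return
}

# 3. Back up the SID folder before touching it (the post did this first).
#    The backup goes to the user's profile root so it does not sit inside the RSA folder.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:USERPROFILE "RSA-$sid-backup-$stamp"
Copy-Item -Path $store -Destination $backup -Recurse -Force
Write-Host "Backed up $store to $backup"

# 4. Remove the folder. CAPI recreates it on next use, and after the token is reinserted
#    the Certificate Propagation service repopulates the Personal store from the token.
Remove-Item -Path $store -Recurse -Force
Write-Host "Removed $store. Reinsert the token and retry the signing page."
```

If signing still fails, the backup folder can be copied back to its original path to restore the previous state.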

Wednesday, September 10, 2014

TMG with HTTPS Inspection enabled fails with 0x8009000a

In this case, if you're still using TMG 2010 as a proxy server with the HTTPS Inspection option enabled, users may experience a blank page when accessing HTTPS web sites that use CNG certificates (for example: Coursera, Booking, SendSpace, Dropbox, Twitter ...). The reason for this behavior is that the default self-signed certificate (or the certificate issued by a CA) used by TMG for the HTTPS Inspection feature is not compatible with Suite B certificates. For more info about CNG certificates please check http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx .

You can check the TMG logs to see if you're experiencing this behavior by creating a filter (for example: looking for HTTP status code 0x8009000a in the last hour):

To avoid this behavior, replace the certificate used by TMG HTTPS Inspection with a CNG certificate (self-signed or issued by a CA). This certificate must be trusted by the clients. For more info about this behavior and a script for creating a self-signed CNG certificate please check: http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx .