M
Magnus Persson
I'm not sure if this is the right group to post this question but I'll give
it a try anyway.
During installation of a client/server application our installation program
setups the cryptographic client to encrypt and store passwords in the
registry. To setup the crypto client the routine at the end of this e-mail
is called from the installation program (InstallShield). Most of the
routine, if not all, was copied from MSDN library).
Anyway, the routine fails at some of our customers even though the user
installing the program is a member of the administrator group. If THE
administrator logs on to the machine and run the installer it works. If some
of the other users (with administrator rights) log on it works for some of
them but not all of them. Why?
How can I configure an account to allow use of the cryptographic client in
Windows NT/2000/XP/2003?
Please help.
Magnus
--- routine that setup the crypto client ---
__declspec(dllexport) BOOL WINAPI SetupCryptoClient(void)
{
HCRYPTPROV hProv; // Handle for the cryptographic provider context.
HCRYPTKEY hKey; // Public/private key handle.
LPCSTR lpUserName = NULL; // Optionally enter the user's name here to be
used as the key container
// name (limited to 100 characters).
// Attempt to acquire a context with a default key container.
// To create a new key container, substitute a string for the
// NULL second parameter here and in the next call to
// CryptAcquireContext.
if (!CryptAcquireContext(&hProv, lpUserName, MS_DEF_PROV, PROV_RSA_FULL,
0))
{
// Some sort of error occurred in acquiring the context. Create a new
default key container.
if (!CryptAcquireContext(&hProv, lpUserName, MS_DEF_PROV, PROV_RSA_FULL,
CRYPT_NEWKEYSET))
{
// Could not create a new key container.
return FALSE;
}
}
// A context with a key container is available,
// Attempt to get the handle to key exchange key.
if (!CryptGetUserKey(hProv, AT_SIGNATURE, &hKey))
{
// No signature key is available.
if (GetLastError() == NTE_NO_KEY)
{
// The error was that there is a container but no key.
// Create a signature key pair.
if (!CryptGenKey(hProv, AT_SIGNATURE, 0, &hKey))
{
// Error occurred creating a signature key.
return FALSE;
}
}
else
{
// An error other than NTE_NO_KEY getting signature key.
return FALSE;
}
}
// A signature key pair existed, or one was created.
CryptDestroyKey(hKey);
// Next, check the exchange key.
if (!CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hKey))
{
// No exchange key is available. Check to see if one needs to be created.
if (GetLastError() == NTE_NO_KEY)
{
// Create an key exchange key pair.
if (!CryptGenKey(hProv, AT_KEYEXCHANGE, 0, &hKey))
{
// Error occurred attempting to create an exchange key.
return FALSE;
}
}
else
{
// An error other than NTE_NO_KEY occurred.
return FALSE;
}
}
CryptDestroyKey(hKey);
CryptReleaseContext(hProv,0);
return TRUE;
}
it a try anyway.
During installation of a client/server application our installation program
setups the cryptographic client to encrypt and store passwords in the
registry. To setup the crypto client the routine at the end of this e-mail
is called from the installation program (InstallShield). Most of the
routine, if not all, was copied from MSDN library).
Anyway, the routine fails at some of our customers even though the user
installing the program is a member of the administrator group. If THE
administrator logs on to the machine and run the installer it works. If some
of the other users (with administrator rights) log on it works for some of
them but not all of them. Why?
How can I configure an account to allow use of the cryptographic client in
Windows NT/2000/XP/2003?
Please help.
Magnus
--- routine that setup the crypto client ---
__declspec(dllexport) BOOL WINAPI SetupCryptoClient(void)
{
HCRYPTPROV hProv; // Handle for the cryptographic provider context.
HCRYPTKEY hKey; // Public/private key handle.
LPCSTR lpUserName = NULL; // Optionally enter the user's name here to be
used as the key container
// name (limited to 100 characters).
// Attempt to acquire a context with a default key container.
// To create a new key container, substitute a string for the
// NULL second parameter here and in the next call to
// CryptAcquireContext.
if (!CryptAcquireContext(&hProv, lpUserName, MS_DEF_PROV, PROV_RSA_FULL,
0))
{
// Some sort of error occurred in acquiring the context. Create a new
default key container.
if (!CryptAcquireContext(&hProv, lpUserName, MS_DEF_PROV, PROV_RSA_FULL,
CRYPT_NEWKEYSET))
{
// Could not create a new key container.
return FALSE;
}
}
// A context with a key container is available,
// Attempt to get the handle to key exchange key.
if (!CryptGetUserKey(hProv, AT_SIGNATURE, &hKey))
{
// No signature key is available.
if (GetLastError() == NTE_NO_KEY)
{
// The error was that there is a container but no key.
// Create a signature key pair.
if (!CryptGenKey(hProv, AT_SIGNATURE, 0, &hKey))
{
// Error occurred creating a signature key.
return FALSE;
}
}
else
{
// An error other than NTE_NO_KEY getting signature key.
return FALSE;
}
}
// A signature key pair existed, or one was created.
CryptDestroyKey(hKey);
// Next, check the exchange key.
if (!CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hKey))
{
// No exchange key is available. Check to see if one needs to be created.
if (GetLastError() == NTE_NO_KEY)
{
// Create an key exchange key pair.
if (!CryptGenKey(hProv, AT_KEYEXCHANGE, 0, &hKey))
{
// Error occurred attempting to create an exchange key.
return FALSE;
}
}
else
{
// An error other than NTE_NO_KEY occurred.
return FALSE;
}
}
CryptDestroyKey(hKey);
CryptReleaseContext(hProv,0);
return TRUE;
}