
Cryptographic service provider is not installed on your computer

Server: Windows 2008 and mandatory user profiles.

Error: An internal error occurred. Either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system.

Solution: Mandatory profiles do NOT allow the import of user certificates – users must be roaming or local.

Workaround 1: When using mandatory profiles, certificates cannot be imported. Change the user account to local or roaming, or investigate flex profiles or AppSense Personalization Server.

Workaround 2: run the following script at logon to 'trick' the operating system into treating the user as 'roaming' even though their profile is mandatory.

A) you MUST grant "Authenticated Users" the "Set Value" and "Delete" permissions on HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

B) run a logon script (LOGON SCRIPT PROVIDED BELOW) to change the profile 'State' value from mandatory to roaming, so the OS will install certificates for the user, and then hive / save these off during log off

Added 19/10/2011
C) set the user profile BACK to mandatory at log off, because leaving the State at 4 caused the operating system to detect the profile as LOCAL, keeping the settings and preventing other things from working on a subsequent logon. (LOGOFF SCRIPT PROVIDED BELOW)

The standard jargon / disclaimer applies: This code and information is provided as is without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. Basically it's your responsibility to BACKUP then TEST TEST TEST before trying this LIVE.

References:
***********************START LOGON SCRIPT**************************

' *****************************************************************************
Option Explicit
Dim strUserSid, oShell, oWMI, strState, oWMIReg, intLen
Dim oWshNetwork
Const HKLM = &H80000002
' *****************************************************************************
' Gets the username of the logged on user.
Set oShell = WScript.CreateObject("WScript.Shell")
Set oWshNetwork = CreateObject("WScript.Network")
' This section uses WMI to get the user's SID.
Set oWMI = GetObject("winmgmts:\\.\root\CIMV2") _
    .Get("Win32_UserAccount.Domain='" & oWshNetwork.UserDomain & "'" _
    & ",Name='" & oWshNetwork.UserName & "'")
strUserSid = oWMI.SID
' *****************************************************************************
' This section gets the decimal value of the State DWORD value for this user's profile.
Set oWMIReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
oWMIReg.GetDWORDValue HKLM, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strUserSid, "State", strState
' Calls the DecToBin function to convert the decimal value to a binary string
' (DecToBin also backs up the original value to "OldState").
strState = DecToBin(strState)

' Checks whether the last (least significant) bit is set - this is the mandatory flag.
If Right(strState, 1) <> "0" Then
    ' This changes the last bit to 0. Mandatory profiles are spoofed to roaming.
    intLen = Len(strState) - 1
    strState = Left(strState, intLen)
    strState = strState & "0"

    ' Calls the BinToDec function to convert the binary string back to a decimal value.
    strState = BinToDec(strState)

    ' This writes the new State DWORD value.
    oWMIReg.SetDWORDValue HKLM, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strUserSid, "State", strState
End If
WScript.Quit
' End of main script
' *******************************************************************
' This function converts a decimal value to a string containing a binary
' representation of the value. It handles 17 bits (values up to 131071).
Function DecToBin(intDec)
    Dim strResult
    Dim intValue
    Dim intExp
    ' This section backs up the original State DWORD value to "OldState".
    oWMIReg.SetDWORDValue HKLM, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strUserSid, "OldState", intDec
    strResult = ""
    intValue = intDec
    intExp = 65536
    While intExp >= 1
        If intValue >= intExp Then
            intValue = intValue - intExp
            strResult = strResult & "1"
        Else
            strResult = strResult & "0"
        End If
        intExp = intExp / 2
    Wend
    DecToBin = strResult
End Function
' *******************************************************************
' This function converts a binary value represented by a string of ones and zeros
' into a decimal value.
Function BinToDec(strBin)
    Dim lngResult
    Dim intIndex
    Dim strDigit
    lngResult = 0
    For intIndex = Len(strBin) To 1 Step -1
        strDigit = Mid(strBin, intIndex, 1)
        Select Case strDigit
            Case "0"
                ' do nothing
            Case "1"
                lngResult = lngResult + (2 ^ (Len(strBin) - intIndex))
            Case Else
                ' invalid binary digit, so the whole thing is invalid
                lngResult = 0
                intIndex = 0 ' stop the loop
        End Select
    Next
    ' 2 ^ n yields a Double; return a Long so the value writes cleanly as a DWORD.
    BinToDec = CLng(lngResult)
End Function
' *******************************************************************

***********************END LOGON SCRIPT**************************
***********************START LOGOFF SCRIPT**************************
' This script should ONLY run for the users that have had the Mandatory > Roaming spoofing logon script run already - otherwise it will run for every user and set ALL users' profile State
' to 5 (mandatory) and delete their settings - including local accounts and profiles.
Option Explicit
Dim strUserSid, oWMI, oWshNetwork, WshShell
' *****************************************************************************
' Gets the username of the logged on user.
Set oWshNetwork = CreateObject("WScript.Network")
' This section uses WMI to get the user's SID.
Set oWMI = GetObject("winmgmts:\\.\root\CIMV2") _
    .Get("Win32_UserAccount.Domain='" & oWshNetwork.UserDomain & "'" _
    & ",Name='" & oWshNetwork.UserName & "'")
strUserSid = oWMI.SID
' This section changes the user's State registry DWORD value to 5 (mandatory). This is dangerous for any users other than
' mandatory profile users, so it should ONLY be used for mandatory profile users.
' Hence it usually ties in with AP-XA-Certificates-G
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strUserSid & "\State", 5, "REG_DWORD"
' WScript.Echo "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strUserSid & "\State", 5, "REG_DWORD"

***********************END LOGOFF SCRIPT**************************
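As an added example (my own, not the article's scripts), here is the same Mandatory to Roaming spoof written as one PowerShell script covering both phases, hardened against the caveat above: it only touches a profile whose State actually has the mandatory bit (bit 0) set, records the original value in OldState, and at log off restores that saved value instead of forcing every user's State to 5. It assumes step A's ProfileList permissions are in place and that it runs in the user's own logon/logoff context; the $Phase parameter is my choice, and OldState reuses the value name the logon script above already writes.

```powershell
# Added example, not the article's code. Run with -Phase Logon as the logon script
# and -Phase Logoff as the logoff script (assumed parameter name).
param([ValidateSet('Logon', 'Logoff')][string]$Phase = 'Logon')

# SID of the user this script is running as (the logon/logoff script context).
$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
# Bit 0 of the profile State DWORD is the mandatory flag the article's script clears.
$MandatoryBit = 1

function Get-ProfileState {
    (Get-ItemProperty -Path $key -Name State).State
}

switch ($Phase) {
    'Logon' {
        $state = Get-ProfileState
        if (($state -band $MandatoryBit) -eq 0) {
            # Not a mandatory profile: nothing to spoof, and nothing to undo later.
            Write-Verbose "Profile $sid is not mandatory (State=$state); leaving it alone."
            return
        }
        # Keep the original so log off can put back exactly what was there.
        Set-ItemProperty -Path $key -Name OldState -Value $state -Type DWord
        # Clear only the mandatory bit and leave the remaining flags untouched.
        $newState = $state -band (-bnot $MandatoryBit)
        Set-ItemProperty -Path $key -Name State -Value $newState -Type DWord
    }
    'Logoff' {
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props.OldState) {
            # No marker means the logon spoof never ran for this user, so do not
            # rewrite State (this is the "sets ALL users to 5" failure the article warns about).
            return
        }
        # Restore the recorded value rather than a hard-coded 5.
        Set-ItemProperty -Path $key -Name State -Value $props.OldState -Type DWord
        Remove-ItemProperty -Path $key -Name OldState
    }
}
```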