Error "The specified network password is not correct."
In a program written with QuickOPC, you receive an error with message text "The specified network password is not correct.", possibly followed by "+ The SDK action called was "ApplicationInstance.CheckApplicationInstanceCertificate"", and it is impossible to connect to any OPC UA server. It may be possible to circumvent the error by always running the program with elevated privileges (not just when it is creating the application certificate), but that is not a solution in many cases.
The error text may be localized, for example:
- Das angegebene Netzwerkkennwort ist falsch.
In .NET, this error is the innermost .NET exception of type System.Security.Cryptography.CryptographicException, with HResult 0x80070056 (-2147024810). It is normally wrapped in a UAEngineException with message text like "UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificate'. The specified network password is not correct.".
QuickOPC uses OPC Foundation code for certificate operations (in this case, it is usually the creation of the application instance certificate for the client). The code makes temporary copies of PFX certificates with private keys in a key container, because all private keys used for cryptography operations must be in some key container. Write access to the container is therefore needed, but it is missing on the computer that manifests the error.
In order to resolve the issue, give Write permissions to the
Texts in parentheses are for German Windows.
- In Windows File Explorer, navigate to C:\ProgramData\Microsoft\Crypto\RSA. Note: The ProgramData folder is hidden; your File Explorer needs to be set to show hidden files and folders.
- Right-click on the MachineKeys folder, and select the Properties (Eigenschaften) command.
- In the MachineKeys Properties (Eigenschaften von MachineKeys) dialog, switch to the Security (Sicherheit) tab.
- Press the ( ) button.
- In the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog, press the ( ) button.
- Press the ( ) button, and confirm the default selection, which is to convert the inherited permissions into explicit permissions.
- Back in the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog, select the row with permission entries for Everyone (Jeder), and press the ( ) button.
- In the Permission Entry for MachineKeys (Berechtigungseintrag für "MachineKeys") dialog, under the Basic permissions (Grundlegende Berechtigungen), enable the checkbox next to the Write (Schreiben) permission.
- Press to close the Permission Entry for MachineKeys (Berechtigungseintrag für "MachineKeys") dialog.
- Press to close the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog.
- Press to close the MachineKeys Properties (Eigenschaften von MachineKeys) dialog.
The recommended resolution may have security implications and it is up to you to assess their impact. QuickOPC, however, cannot work without the Write permission to the specified key container. The steps outlined in the solution give this permission to the Everyone group, because that is how it is set on "normal" Windows installations that we have observed. It might be possible to limit it to just the user(s) that is/are running the application.
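The narrower option mentioned above, granting Write only to the account that runs the application, can be audited and applied from PowerShell. This is an added example, not code from the QuickOPC documentation; the account name is a hypothetical placeholder, and whether a per-account grant is sufficient for QuickOPC is an assumption the page leaves open.

```powershell
# Added example, not part of the QuickOPC documentation. Run from an elevated prompt.
param(
    # Folder named in the steps above.
    [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    # Hypothetical account that runs the OPC UA client, e.g. 'CONTOSO\svc-opcclient'.
    [string]$Account,
    # Without -Grant the script only reports and changes nothing.
    [switch]$Grant
)

$write   = [System.Security.AccessControl.FileSystemRights]::Write
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl     = Get-Acl -LiteralPath $Path

# Read the rules keyed by SID so the check does not depend on the Windows
# display language ("Everyone" vs. "Jeder"). S-1-1-0 is the Everyone group.
$sids = @{ 'S-1-1-0' = 'Everyone' }
if ($Account) {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
    $sids[$sid] = $Account
}

foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    $name = $sids[$rule.IdentityReference.Value]
    if (-not $name) { continue }
    # An entry counts as "full Write" only if it carries every bit of the Write right.
    $full = (([int]$rule.FileSystemRights) -band [int]$write) -eq [int]$write
    '{0}: {1} {2} (inherited: {3}, full Write: {4})' -f $name,
        $rule.AccessControlType, $rule.FileSystemRights, $rule.IsInherited, $full
}

if ($Grant) {
    if (-not $Account) { throw 'Specify -Account together with -Grant.' }
    # Allow Write on this folder only, for the one account instead of Everyone.
    $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $write,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($newRule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    "Granted Write on $Path to $Account."
}
```

Run it once without `-Grant` on an affected machine and on a working one to compare the Everyone entry before changing anything.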
On most new Windows installations, the Write permission on the affected key container is already granted. Sometime in 2019, we started getting reports from customers about the "The specified network password is not correct." error on some computers. It has not been determined so far why the default settings on these computers are different.
Internally, an “Invalid provider type specified” CryptographicException normally precedes this error; however, this first exception is not directly propagated to the user code.