Error "The specified network password is not correct." or "The requested key container was not found.": Difference between revisions

From OPC Labs Knowledge Base
 

Latest revision as of 11:58, 5 March 2023

Symptoms

One of the following symptoms:

(1)

In a program written with QuickOPC, you receive an error with message text "The specified network password is not correct.", possibly followed by "+ The SDK action called was "ApplicationInstance.CheckApplicationInstanceCertificate"", and it is impossible to connect to any OPC UA server. It may be possible to circumvent the error by always running the program with elevated privileges (not just when it is creating the application certificate), but that is not a solution in many cases.

The error text may be localized, for example:

German: Das angegebene Netzwerkkennwort ist falsch.

In .NET, this error is the innermost .NET exception of type System.Security.Cryptography.CryptographicException, with HResult 0x80070056 (-2147024810). It is normally wrapped in a UAEngineException with message text like "UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificate'. The specified network password is not correct.".

(2)

In a program written with QuickOPC, you receive an error where the message text contains "The requested key container was not found.". The error text may be localized.

In .NET, this error is wrapped in a UAEngineException with message text like "UA SDK error (System.Security.Cryptography.CryptographicException) in 'static Session.Create'. The requested key container was not found.".

Cause

QuickOPC uses OPC Foundation code for certificate operations. In case (1), this is usually the creation of the application instance certificate for the client. The code makes temporary copies of PFX certificates with private keys in a key container, because all private keys used for cryptography operations must be in some key container. Write access to the container is therefore needed, but it is missing on the computer that manifests the error. In case (2), we have not yet precisely determined why access to the key container is needed.

Resolution

In order to resolve the issue, give Write permissions to the C:\ProgramData\Microsoft\Crypto\RSA folder.

Texts in parentheses are for German Windows.

  1. In Windows File Explorer, navigate to C:\ProgramData\Microsoft\Crypto\RSA. Note: The ProgramData folder is hidden; your File Explorer needs to be set to show hidden files and folders.
  2. Right-click on the MachineKeys folder, and select the Properties (Eigenschaften) command.
  3. In the MachineKeys Properties (Eigenschaften von MachineKeys) dialog, switch to the Security (Sicherheit) tab.
  4. Press the Advanced (Erweitert) button.
  5. In the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog, press the Change permissions (Berechtigungen ändern) button.
  6. Press the Disable inheritance (Vererbung deaktivieren) button, and confirm the default selection, which is to convert the inherited permissions into explicit permissions.
  7. Back in the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog, select the row with permission entries for Everyone (Jeder), and press the Edit (Bearbeiten) button.
  8. In the Permission Entry for MachineKeys (Berechtigungseintrag für "MachineKeys") dialog, under the Basic permissions (Grundlegende Berechtigungen), enable the checkbox next to the Write (Schreiben) permission.
  9. Press OK to close the Permission Entry for MachineKeys (Berechtigungseintrag für "MachineKeys") dialog.
  10. Press OK to close the Advanced Security Settings for MachineKeys (Erweiterte Sicherheitseinstellungen für "MachineKeys") dialog.
  11. Press OK to close the MachineKeys Properties (Eigenschaften von MachineKeys) dialog.
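
The same permission change scripted in PowerShell, as an added example that is not part of the OPC Labs article: it first checks whether a named account already holds the Write right on the MachineKeys folder and grants it only if missing, to that one account rather than to Everyone (the account name in $Account is a placeholder; scoping the entry to the folder itself rather than to its contents is an assumption of this example).

```powershell
# Added example (not from the OPC Labs article). Run from an elevated prompt.
# Replace the placeholder account with the one that runs the QuickOPC application.
$Path    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$Account = 'DOMAIN\opcua-service'   # placeholder account name

function Test-MachineKeysWrite {
    param([string]$Path, [string]$Account)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $acl   = Get-Acl -LiteralPath $Path
    # True if any Allow entry for the account covers all bits of the Write right
    # (FullControl and Modify also satisfy this test).
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -eq $write)
    }
    return [bool]$match
}

function Grant-MachineKeysWrite {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    # Step 6 of the article: stop inheriting, keep inherited entries as explicit ones.
    $acl.SetAccessRuleProtection($true, $true)
    # Assumption: apply the entry to this folder only, not to its subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Write,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (Test-MachineKeysWrite -Path $Path -Account $Account) {
    "Write is already granted to $Account on $Path"
} else {
    Grant-MachineKeysWrite -Path $Path -Account $Account
    "Write granted to $Account on $Path"
}
```

Run Test-MachineKeysWrite alone on an affected machine to confirm the missing right before changing anything, and rerun it afterwards to verify the change.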

More information

The recommended resolution may have security implications and it is up to you to assess their impact. QuickOPC, however, cannot work without the Write permission to the specified key container. The steps outlined in the solution give this permission to the Everyone group, because that is how it is set on "normal" Windows installations that we have observed. It might be possible to limit it to just the user(s) running the application.

On most new Windows installations, the Write permission on the affected key container is already granted. Around 2019, we started receiving reports from customers about the "The specified network password is not correct." error on some computers. It has not yet been determined why the default settings on these computers differ.

Internally, at least in case (1), an “Invalid provider type specified” CryptographicException normally precedes this error; however, this first exception is not propagated directly to the user code.

See also

https://stackoverflow.com/questions/22581811/invalid-provider-type-specified-cryptographicexception-when-trying-to-load-pri

https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/default-permissions-machinekeys-folders