Application log Event ID 513 from CAPi2

After the Active Directory Domain Services (AD DS) role is added to a Windows
Server 2008 server, running vssadmin list writers generates output that does
not include System Writer and generates Event ID 513 from CAPi2 in the
Application log. Text of this event: Cryptographic Services failed while
processing the OnIdentity() call in the System Writer Object.

Prior to adding the AD DS role, running vssadmin list writers generates
output that does include System Writer and does not generate Event ID 513.

Permissions on the Registration folder in the Windows folder (%windir%) are
as shown below. In all cases the permission are shown under Special
permissions, are <not inherited>, and apply to This folder and files
Everyone: List folder / read data, Read attributes, Read extended
attributes, and Read permissions
Administrators (DomainName\Administrators): Full Control
SYSTEM: Full control

I think this is a permissions issue. Event ID 513 is generated by the
Cryptographic Services service (CryptSvc), which runs under the Network
Service Account. I believe the Network Service Account runs with the
permissions of the Authenticated Users group. However, adding the
Authenticated Users group with Full control permissions to the Registration
folder doesn't eliminate the error.