CryptAcquireContext failed. This CSP cannot be opened in silent mo

Discussion in 'Server Networking' started by BrianFlynn, Nov 16, 2008.

  1. BrianFlynn

    BrianFlynn Guest

    I have an SBS 2003 & a Win 2003 Std box that always maintained a persistent
    PPTP VPN tunnel using EAP-TLS certificate based authentication. Recently my
    root certificate expired and ever since, my Win 2003 Std box hasn't been able
    to connect. I've renewed the root certificate on the SBS 2003 & requested a
    new client cert for the Windows 2003 Std box but it didn't help.

    When I try to initiate a VPN tunnel from Routing and Remote Access from the
    Win 2003 Std box, I first get a dialogue box that says "The interface is
    disconnected" then I get one that says "The following error occurred: The
    interface credentials have not been set". I have set the credentials to be
    the new certificate but it doesn't help.

    In the RASTLSUI.LOG on the Win 2003 Std box, the error I see that seems
    potentially the most useful is "CryptAcquireContext failed. This CSP cannot
    be opened in silent mode. skipping cert.Err: 0x80090016" however I can't
    find anything when searching with that.
     
    BrianFlynn, Nov 16, 2008
    #1

  2. BrianFlynn

    BrianFlynn Guest

    I believe I've solved my issue. Here's what I learned. For whatever reason,
    I suspect a while back when I did a swing migration to move my SBS to new
    hardware, the new setup did not allow me to duplicate & publish a certificate
    template which is required in order to set the router (offline request) to be
    exportable when you get it via the certsrv site. I also found that the
    checkbox to store it in the machine store just doesn't work (posts online
    about that and I saw for myself). I found this documentation on using the
    command line certreq.exe
    (http://technet.microsoft.com/en-us/library/cc736326.aspx) and after
    isolating myself from all interruptions, I was able to get it to work. It
    enabled me to use the built in Router (Offline Request) template and make it
    exportable. Interestingly, though I could set it to install it directly to
    the machine store, that did not work. The key did show as having a private
    key, however RRAS would not use it. I then set it to install to the user
    store and be exportable, exported it from the user store then into the
    machine store and voila! RRAS would now use this cert. Here's how I did it:

    I created a file called router.inf. Its contents looked like this:


    -----------------------------------
    [NewRequest]
    Exportable = TRUE
    KeyLength=1024
    KeySpec = 2
    KeyUsage = 0xa0
    MachineKeySet = FALSE
    Requestername = DOMAIN\VpnUserName
    Subject = "CN=VpnUserName"

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.2

    [RequestAttributes]
    CertificateTemplate = "OfflineRouter"
    -------------------------------------

    I then walked through 3 commands at a command prompt:

    certreq -new router.inf router.req
    certreq -submit router.req
    certreq -accept router.cer

    I then exported the key it installed in the user store, including the
    private key and imported it to the machine store.
     
    BrianFlynn, Nov 26, 2008
    #2
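
Added example, not part of the original posts: a small Python reader for the router.inf quoted in post #2 that decodes its numeric fields (KeyUsage, KeySpec, the EKU OID), reports which key set the request targets, and lists settings a reviewer may want to revisit. The function names and the 2048-bit threshold are assumptions of this example.

```python
import re
# Constructed sample: the router.inf contents quoted in post #2.
ROUTER_INF = r"""[NewRequest]
Exportable = TRUE
KeyLength=1024
KeySpec = 2
KeyUsage = 0xa0
MachineKeySet = FALSE
Requestername = DOMAIN\VpnUserName
Subject = "CN=VpnUserName"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "OfflineRouter"
"""
# X.509 key-usage bits as CryptoAPI encodes them in the first byte.
KEY_USAGE = {0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
             0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign",
             0x02: "cRLSign", 0x01: "encipherOnly"}
KEY_SPEC = {"1": "AT_KEYEXCHANGE", "2": "AT_SIGNATURE"}
EKU = {"1.3.6.1.5.5.7.3.1": "Server Authentication", "1.3.6.1.5.5.7.3.2": "Client Authentication"}
MIN_RSA_BITS = 2048  # assumption: review threshold chosen for this example

def parse_inf(text):
    """Return {lower-cased section: {lower-cased key: value}}; ';' comments are skipped."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)  # split once: Subject values contain '='
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def review(text):
    """Decode the numeric fields and collect settings worth a second look."""
    inf = parse_inf(text)
    req = inf.get("newrequest", {})
    usage, bits = int(req.get("keyusage", "0"), 0), int(req.get("keylength", "0"))
    notes = []
    if bits < MIN_RSA_BITS:
        notes.append("KeyLength %d is below %d bits" % (bits, MIN_RSA_BITS))
    if req.get("exportable", "").upper() == "TRUE":
        notes.append("private key is marked exportable")
    return {"key_usage": [name for bit, name in KEY_USAGE.items() if usage & bit],
            "key_spec": KEY_SPEC.get(req.get("keyspec"), "unknown"),
            "eku": EKU.get(inf.get("enhancedkeyusageextension", {}).get("oid"), "unknown"),
            "store": "machine" if req.get("machinekeyset", "").upper() == "TRUE" else "user",
            "notes": notes}
```

Calling `review(ROUTER_INF)` shows that the request from post #2 asks for a client-authentication certificate whose key pair is created in the user key set, which matches the export and import step the post describes.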