Tuesday, September 30, 2014

Error obtaining generating internal key store for PROV_RSA_FULL

In this case, a friend of mine complained that for some reason he was unable to sign documents on a web site that requires him to prove his identity with certificates stored on a token. The client operating system was Windows 8. Instead of a popup asking for the token PIN, there was an error message: WinCAPICryptoProvider() - Error obtaining generating internal key store for PROV_RSA_FULL.

I suspected that something was wrong with the user's certificates. Certmgr.msc showed his certificates in the Personal folder, and all of them had a private key. Since all of the certificates were stored on a token, I deleted all of them from the personal certificate store. After I reinserted the USB token, the Certificate Propagation service successfully copied the certificates from the token into the user's personal certificate store. I was hoping that the problem had been solved, but the same message popped up in Internet Explorer, and he was still unable to sign the documents.
Next, I checked the ActiveX component. The web site for signing documents uses an ActiveX component, and that component was installed and was not disabled in Internet Explorer. The web site was in the Trusted sites zone.
Then, before creating a new user profile and migrating all the documents and settings from the old profile to the new one, I decided to check the crypto folder. This folder is located at C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA\User's SID. First I backed up the User's SID folder, and after that I deleted it from C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA.
Finally, when he accessed the web site to sign the documents, there was a popup to enter the token PIN, and he was able to sign the documents. The case was successfully closed.
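
The backup-then-delete step described above can be scripted so that the folder is removed only after the backup has been verified. This is an added example, not part of the original post; the `BackupRoot` parameter and its default location are assumptions. The folder holds the user's software key containers, so any certificate whose private key lives there (rather than on the token) stops working until the backup is restored.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it
# in the affected user's own session; use -WhatIf first for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; any folder outside the Crypto tree works.
    [string]$BackupRoot = (Join-Path $env:USERPROFILE 'CryptoRsaBackup')
)

# SID of the logged-on user; the key container folder is named after it.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$rsaDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

if (-not (Test-Path -LiteralPath $rsaDir -PathType Container)) {
    Write-Warning "No key container folder at $rsaDir; nothing to do."
    return
}

# Key container files are hidden/system, so -Force is needed to list them.
$files = @(Get-ChildItem -LiteralPath $rsaDir -Force -File)
"{0} key container file(s) found in {1}" -f $files.Count, $rsaDir

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot "$sid-$stamp"

if ($PSCmdlet.ShouldProcess($rsaDir, "Back up to $backupDir and remove")) {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    # Pipe the listed files so hidden/system ones are copied as well.
    $files | Copy-Item -Destination $backupDir -Force

    # Refuse to delete unless every file arrived in the backup.
    $copied = @(Get-ChildItem -LiteralPath $backupDir -Force -File)
    if ($copied.Count -ne $files.Count) {
        throw "Backup incomplete ($($copied.Count)/$($files.Count)); folder left untouched."
    }

    Remove-Item -LiteralPath $rsaDir -Recurse -Force
    "Removed $rsaDir; backup kept in $backupDir"
}
```

To roll back, recreate the SID-named folder under Crypto\RSA and copy the backed-up files into it.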
