Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Login Issue and Mandatory Profiles

Posted by William Diaz on October 4, 2013


An interesting little quickie. After moving to mandatory profiles in a Citrix environment, a particular ActiveX web application would no longer allow logins. There was no error message of any kind, and it continued to work in another Citrix environment without mandatory profiles. I fired up Process Monitor and ran a little trace of Internet Explorer to capture everything that happened after I clicked login. Nothing interesting really stood out, but there might be some hope in some log activity I saw occurring with the application:


Opening the log showed:

[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container Thu Oct 03 22:46:00 2013
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013

 

Some quick research pointed me to "RSACryptoServiceProvider fails when used with mandatory profiles". In short:

RSACryptoServiceProvider calls CryptAcquireContext API (http://msdn2.microsoft.com/en-us/library/aa379886.aspx) behind the scenes to get a handle to a key container within a CSP (Cryptographic Service Provider). CryptAcquireContext will fail with NTE_TEMPORARY_PROFILE error when called from a mandatory profile.

Mandatory profiles are read-only user profiles. Since changes to the mandatory profile cannot be saved, PKI design doesn’t allow this operation, and CryptAcquireContext prevents this scenario by failing.
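The signed decimal in the log is the same value as NTE_TEMPORARY_PROFILE, which can be confirmed mechanically. The following Python is an added example, not code from the original post or the application: it parses log lines in the format shown above, converts the GetLastError() value to its HRESULT form, and flags the temporary-profile condition. The function names are assumptions; the NTE_* constants are the winerror.h values.

```python
import re

# NTE_* values as defined in winerror.h (facility 9).
NTE_NAMES = {
    0x8009000F: "NTE_EXISTS",
    0x80090016: "NTE_BAD_KEYSET",
    0x80090024: "NTE_TEMPORARY_PROFILE",
}

# The log writes the code as a signed decimal, sometimes with "=" and sometimes without.
ERR_RE = re.compile(r"^\[(?P<level>[WIE])\].*?GetLastError\(\)\s*=?\s*(?P<code>-?\d+)")

def decode(signed):
    """Turn a signed 32-bit error value into its HRESULT fields."""
    value = signed & 0xFFFFFFFF          # reinterpret as unsigned 32-bit
    return {
        "hresult": f"0x{value:08X}",
        "failure": bool(value >> 31),    # severity bit
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
        "name": NTE_NAMES.get(value, "unknown"),
    }

def triage(log_text):
    """Return one decoded finding per log line that carries a GetLastError() value."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            findings.append({"level": m["level"], **decode(int(m["code"]))})
    return findings

def profile_blocks_key_container(findings):
    """True when an [E] line shows the CSP refusing because of the profile type."""
    return any(f["level"] == "E" and f["name"] == "NTE_TEMPORARY_PROFILE" for f in findings)

# Log lines from the post above, with the trailing timestamp trimmed.
SAMPLE_LOG = """\
[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.))
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.))
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```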
