user-store DPAPI in a domain?

    Question

  • Is it possible for the same domain user account to encrypt/decrypt user-store DPAPI (Data Protection application programming interface) data on different workstations?

    I've got a C# application which uses user-store data protection to encrypt/decrypt data, which then gets stored in SQL. If the same user logs onto another workstation with their credentials and tries to access their encrypted data, DPAPI errors out with:

    System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

    at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
    <snip>
    Regardless of using C# or a C++ pinvoke of the same API call, the error is the same. It's not a user permission issue, as the same thing occurs when using a domain administrator account. Reading over how DPAPI functions, I thought that the MasterKey was stored in the domain, which is then retrieved and used by the logged-on user account. It appears either I'm missing some code or DPAPI data is only accessible on the machine it was created on.

    Anyone have experience with this?
    Thursday, February 25, 2010 6:03 AM
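    A small diagnostic for the situation described in the question, added here as an example and not code from the original post: it protects a value with user scope exactly as the question's application does, reads the master-key GUID out of the DPAPI blob header (version, provider GUID, master-key version, master-key GUID), and checks whether that master key file is present under the current user's profile on this workstation. The sample secret is constructed; the project needs a reference to System.Security for ProtectedData.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class DpapiDiagnostics
{
    // DPAPI blob header: version (4) + provider GUID (16) + master-key version (4),
    // then the 16-byte GUID of the master key used to protect the blob.
    const int MasterKeyGuidOffset = 4 + 16 + 4;

    public static Guid MasterKeyGuidOf(byte[] blob)
    {
        if (blob == null || blob.Length < MasterKeyGuidOffset + 16)
            throw new ArgumentException("too short to be a DPAPI blob");
        var guidBytes = new byte[16];
        Buffer.BlockCopy(blob, MasterKeyGuidOffset, guidBytes, 0, 16);
        return new Guid(guidBytes); // same byte order Windows uses in memory
    }

    // User master keys live in %APPDATA%\Microsoft\Protect\<user SID>\<GUID>.
    public static string MasterKeyPath(Guid masterKey)
    {
        string sid = WindowsIdentity.GetCurrent().User.Value;
        string protectDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
            "Microsoft", "Protect", sid);
        return Path.Combine(protectDir, masterKey.ToString("D"));
    }

    static void Main()
    {
        // Constructed sample secret, protected with user scope like the question's app.
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes("sample secret"), null, DataProtectionScope.CurrentUser);

        Guid mk = MasterKeyGuidOf(blob);
        Console.WriteLine("blob references master key " + mk);
        Console.WriteLine("master key present in this profile: " + File.Exists(MasterKeyPath(mk)));

        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
            Console.WriteLine("decrypted: " + Encoding.UTF8.GetString(plain));
        }
        catch (CryptographicException ex)
        {
            // The question reports "Key not valid for use in specified state" here
            // when the stored blob is decrypted on a different workstation.
            Console.WriteLine("Unprotect failed: " + ex.Message);
        }
    }
}
```

    Running the check on the second workstation against a blob stored by the first shows whether the master key that blob names exists in that user's profile there; if it does not, Unprotect has nothing to derive the key from, whatever the account's permissions.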

All replies

  • Hi,

    7 - GDocBackup crashes with the error "Key not valid for use in specified state" (Windows)
    The error is:
    System.Security.Cryptography.CryptographicException: Key not valid for use in specified state
    at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
    ...
    The error is caused by the Windows Data Protection API (DPAPI). GDocBackup uses DPAPI to securely store sensitive data.
    If an administrator of your Windows system resets your user password, DPAPI is no longer able to decrypt saved data. Hence the error.
    This behaviour of DPAPI is by design. From MS TechNet: (http://technet.microsoft.com/en-us/library/bb457065.aspx)
    The most common issue with Windows XP occurs when a local user on a workgroup computer has their password reset by a local administrator. When a local password reset occurs, the DPAPI master key is lost, and the user will no longer be able to access their private keys associated with encrypted files. This behavior is designed as a security feature against offline attacks and does not apply to domain joined machines with domain based user accounts.
    The TechNet article is quite old. The behaviour is also the same on Windows Vista and Seven.
    --> A new version of GDocBackup will give a workaround for this issue. <---


    ref: http://gs.fhtino.it/gdocbackup/faq


    Thanks
    Binze

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by Bin-ze Zhao Thursday, March 04, 2010 1:41 AM
    • Unmarked as answer by BSOD2600 Saturday, March 06, 2010 9:18 AM
    Tuesday, March 02, 2010 8:04 AM
  • 1) GDocBackup is not the problem here. I'm not using that software at all.

    2) The user's domain password is NOT being reset at all either.

    This has not resolved the issue.
    Saturday, March 06, 2010 9:18 AM