"Access Denied" on envelopedcms.decrypt

  • Question

  • Hi,

    I'm using the following code to decrypt an envelopedcms file:

    Imports System.Security.Cryptography.Pkcs
    Imports System.Security.Cryptography.X509Certificates

    ' Decode the CMS/PKCS#7 EnvelopedData blob from disk
    Dim envelopedCms As New EnvelopedCms()
    envelopedCms.Decode(System.IO.File.ReadAllBytes("c:\file.dat"))
    ' Recipient certificate plus private key, loaded from the PFX
    Dim certCollection As New X509Certificate2Collection
    certCollection.Add(New X509Certificate2("c:\privatekey.pfx", "{password}"))
    ' Decrypt the content with the matching recipient's private key
    envelopedCms.Decrypt(certCollection)

    This works fine on Windows 7 and Windows 2008 R2, but I get an "access denied" on Windows 10 and Windows Server 2012 R2.

    After this there is also an "audit failure" in the security event log:

    Provider name: Microsoft Software Key Storage Provider
    Algorithm name: RSA
    Key type: user key
    Cryptographic operation: decrypt

    I have tried to import the key using certutil and set the AT_KEYEXCHANGE flag but that results in the following error:

    Alg=2400 ==> a400
    CertUtil: -importPFX command FAILED: 0x80090005 (-2146893819 NTE_BAD_DATA)
    CertUtil: Bad Data.

    Does anybody have any idea what the problem could be?

    The private key uses RSA and the file is encrypted using AES256.

    Any help is appreciated because I can't find a reason/solution anywhere.

    Thanks!

    Wednesday, March 28, 2018 9:16 AM
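An added diagnostic, not code from the thread: in Windows PowerShell (assumed 5.1 on .NET Framework) it reports which provider holds the PFX private key and which usages or key spec it carries, which is the information the audit-failure entry above (KSP, RSA, user key, decrypt) is about, then runs the same Decrypt call and keeps the HRESULT and stack trace that the bare "Access Denied" message hides. The paths and the password are the placeholders from the question.

```powershell
# Added diagnostic, not from the thread: report which provider holds the PFX
# private key and what it is allowed to do, then run the same Decrypt call and
# surface the HRESULT that the bare "Access Denied" message hides.
# Paths and password are the thread's placeholders; assumes Windows PowerShell 5.1.
param(
    [string]$PfxPath = 'C:\privatekey.pfx',
    [string]$Password = '{password}',
    [string]$CmsPath = 'C:\file.dat'
)

Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
if (-not $cert.HasPrivateKey) { throw "PFX at $PfxPath carries no private key" }

# RSACng => key lives in a CNG KSP (e.g. Microsoft Software Key Storage Provider);
# RSACryptoServiceProvider => legacy CAPI CSP with an AT_KEYEXCHANGE/AT_SIGNATURE key spec.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
switch ($rsa.GetType().Name) {
    'RSACng' {
        $key = $rsa.Key
        "Provider : $($key.Provider.Provider) (CNG)"
        "Usages   : $($key.KeyUsage)"        # needs Decryption or AllUsages for Decrypt
        "Export   : $($key.ExportPolicy)"
    }
    'RSACryptoServiceProvider' {
        $info = $rsa.CspKeyContainerInfo
        "Provider : $($info.ProviderName) (CAPI type $($info.ProviderType))"
        "KeySpec  : $($info.KeyNumber)"      # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
    }
    default { "Unexpected key type: $($rsa.GetType().FullName)" }
}

# Same operation as the VB.NET in the question, with the failure details kept.
try {
    $cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $cms.Decode([System.IO.File]::ReadAllBytes($CmsPath))
    "Content encryption: $($cms.ContentEncryptionAlgorithm.Oid.FriendlyName)"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    [void]$store.Add($cert)
    $cms.Decrypt($store)
    "Decrypt OK: $($cms.ContentInfo.Content.Length) bytes of plaintext"
} catch [System.Security.Cryptography.CryptographicException] {
    "Decrypt failed: $($_.Exception.Message) (HRESULT 0x{0:X8})" -f $_.Exception.HResult
    $_.Exception.StackTrace
}
```

Run it under the same account and elevation as the failing program, and compare the provider and usage lines against the "Provider name" and "Cryptographic operation" fields of the audit-failure event.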

All replies

  • The user account the program is running under doesn't have the rights to access the resource.
    Wednesday, March 28, 2018 12:20 PM
  • I'm sure that is not the problem. It doesn't matter which account runs the program...even "Administrator" gives the same result.

    It seems Windows10/2012R2 somehow blocks this kind of action (decrypt)...depending on the type of decryption going on. When the same program decrypts another file using a different private key this works and there is no error.

    ...for now I have fixed this by using Bouncy Castle to do the decrypting....because it seems impossible to find a good answer why this is happening let alone a solution.

    Wednesday, March 28, 2018 12:38 PM
  • Do you have a full trace of the exception to post?

    Paul ~~~~ Microsoft MVP (Visual Basic)

    Wednesday, March 28, 2018 2:31 PM
  • ...the normal ex.message simply says: "Access Denied"

    What other exception info do you mean?

    ex.stacktrace doesn't say much more than:

    System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)

    Wednesday, March 28, 2018 2:46 PM
  • Hi Paul,

    Yes, I have seen this post and it doesn't provide a solution for me.

    Adding the KeyContainerPermission flags doesn't change anything and I also can't set the AT_KEYEXCHANGE flag when importing the pfx file:

    certutil -user -importpfx privatekey.pfx AT_KEYEXCHANGE

    gives:

    Alg=2400 ==> a400
    CertUtil: -importPFX command FAILED: 0x80090005 (-2146893819 NTE_BAD_DATA)
    CertUtil: Bad Data.

    Wednesday, March 28, 2018 3:09 PM
  • I'm sure that is not the problem. It doesn't matter which account runs the program...even "Administrator" gives the same result.

    Yeah it does matter, because at the desktop any program running is only running with Standard user rights, until UAC escalation to Admin rights, even if running with an admin account. You are not running with admin rights, only standard user rights.

    You are not running on XP or Win 2k3 server where admin account had full admin rights at all times.

    There is only one account on Win 10 that has admin rights at all times, and it's not the one that Win 10 gave you. I suspect the same holds true for Win 2k12, if UAC is enabled.

    https://www.ghacks.net/2014/11/12/how-to-enable-the-hidden-windows-10-administrator-account/

    UAC must not be enabled on the other O/S(s) you are talking about.

    Wednesday, March 28, 2018 3:38 PM
  • I'm not sure what you mean, but I have already enabled the "administrator" account and used it and this gives the same result.... also "run as administrator" gives the error.

    Also it would seem very strange if I would need to disable UAC just to be able to decrypt a file....but I will give that a go... 

    Thursday, March 29, 2018 5:51 AM
  • How about this one?

    https://social.technet.microsoft.com/Forums/windows/en-US/61d8ff98-c71a-40e4-b030-afe70edf1d2e/key-archival-again?forum=winserversecurity


    Paul ~~~~ Microsoft MVP (Visual Basic)

    Yes, I have read this article also.... didn't help. Also the registry key that is spoken of doesn't exist on my servers...
    Thursday, March 29, 2018 5:54 AM
  • What I also can't understand is that I can't find any relevant information about the audit failure event log entry about the failed "decrypt" operation..... even the Windows help button in the event log entry itself goes to a page that doesn't exist...

    Thursday, March 29, 2018 5:58 AM
  • ...I already had UAC disabled on my development laptop where I also test this....so that doesn't make any difference.
    Thursday, March 29, 2018 8:40 AM