
I am developing a C# .NET 3.5 application on Windows 8.

I need to encrypt data using DPAPI. It works OK on all of my machines except one, where I get the following exception: System.Security.Cryptography.CryptographicException, Message: Access is denied.

 using System.Security.Cryptography;   // ProtectedData, DataProtectionScope (System.Security.dll)
 using System.Text;                    // Encoding

 // Protect the UTF-8 bytes of argsStr under the current user's DPAPI master key
 byte[] bytes;
 bytes = ProtectedData.Protect(Encoding.UTF8.GetBytes(argsStr.ToString()), null, DataProtectionScope.CurrentUser);

When I change DataProtectionScope.CurrentUser to DataProtectionScope.LocalMachine it works OK.

It seems that someone has denied the current user access to perform DPAPI encryption.

What can I do to fix this issue?

The application that fails is a console application running under the currently logged-in user.

When running the application using elevated privileges it still failed with access denied.

I tried to reset the login password and it solved the issue.

How can something like that happen?

Artjom B.
user844541
  • We need more of your code. We need to know what type `argsStr` is exactly. The arguments of `ProtectedData.Protect` are two `byte` arrays – Security Hound Nov 13 '12 at 13:58
  • I tried to do it also with argsStr = string.empty. I don't think it's related to the string itself. – user844541 Nov 13 '12 at 14:08
  • If `argsStr` is already a string why are you converting it to a `string` by using ToString()? You didn't answer my question. **What type is `argsStr` exactly?** – Security Hound Nov 13 '12 at 14:16
  • specifically it's a StringDictionary but I created a new application that all it does is trying to call protect on a string.Empty and it still fails. – user844541 Nov 13 '12 at 14:19
  • What type of application is it? (Desktop app, ASP.NET app, Windows Service, etc). What type of user are you running as? Is the machine on which you're getting the problem unique/different in some way (e.g., if this is an ASP.NET application, is the machine your production server and is it under your control or hosted by a provider?) – Chris Nov 13 '12 at 14:32
  • @user844541 - If it's a `StringDictionary` then `ToString()` is not doing what you think it's doing. I wouldn't expect sending 0 bytes to a method expecting a byte array to be valid behavior. – Security Hound Nov 13 '12 at 17:00
  • @Ramhound - It works OK on all the other machines so I guess it is OK :) – user844541 Nov 13 '12 at 20:50

2 Answers


This happened because the MasterKey of DPAPI was not in sync. Typical causes are:

  • password changed administratively (without providing the old one and not in a domain: `net user administrator password`)
  • third party authentication package

You can manually sync the MasterKey in code using CryptProtectData(CRYPTPROTECT_CRED_SYNC).

regards, vincent

  • In case anyone needs the code required to do this in PowerShell, see here: https://social.technet.microsoft.com/Forums/lync/en-US/5dac39ca-9e44-4594-8637-feb78fada120/data-protection-in-pssession-access-is-denied?forum=winserverpowershell – bgh Jun 04 '19 at 05:26
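The probe-and-resync sequence this thread describes, written out as an added C# example (not code from the question or from either answer) that compiles against .NET 3.5: `ProtectedData.Protect` is tried in `CurrentUser` scope first; if it throws `CryptographicException`, `CryptProtectData` is called through P/Invoke with `CRYPTPROTECT_CRED_SYNC` (0x8 in dpapi.h) to resynchronise the user's master key with the current logon credential, and the probe is repeated. The `DATA_BLOB` layout and the flag value come from the Windows SDK headers; the helper names, the one-byte dummy payload passed to the sync call and the exit codes are this example's own assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;   // needs a reference to System.Security.dll
using System.Text;

// Added example: detect a broken CurrentUser DPAPI scope, ask DPAPI to resync the
// master key (CRYPTPROTECT_CRED_SYNC), then verify the scope again.
static class DpapiMasterKeySync
{
    // Layout from wincrypt.h: DWORD cbData; BYTE* pbData;
    [StructLayout(LayoutKind.Sequential)]
    struct DATA_BLOB
    {
        public int cbData;
        public IntPtr pbData;
    }

    const int CRYPTPROTECT_CRED_SYNC = 0x8;   // value from dpapi.h

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(
        ref DATA_BLOB pDataIn,
        string szDataDescr,
        IntPtr pOptionalEntropy,
        IntPtr pvReserved,
        IntPtr pPromptStruct,
        int dwFlags,
        ref DATA_BLOB pDataOut);

    // Output blobs from CryptProtectData are allocated with LocalAlloc and must be freed.
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // True if a CurrentUser-scope Protect/Unprotect round trip succeeds for this logon;
    // on failure the CryptographicException (e.g. "Access is denied") is returned via failure.
    public static bool CurrentUserScopeWorks(out CryptographicException failure)
    {
        failure = null;
        try
        {
            byte[] plain = Encoding.UTF8.GetBytes("dpapi probe");   // constructed sample input
            byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
            byte[] back = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(back) == "dpapi probe";
        }
        catch (CryptographicException ex)
        {
            failure = ex;
            return false;
        }
    }

    // Calls CryptProtectData with CRYPTPROTECT_CRED_SYNC so DPAPI re-derives the user's
    // master key protection from the current password. The payload content is irrelevant
    // (a one-byte dummy here, an assumption of this example) and the output is discarded.
    public static bool SyncMasterKey(out int win32Error)
    {
        win32Error = 0;
        byte[] dummy = new byte[] { 0 };
        GCHandle pin = GCHandle.Alloc(dummy, GCHandleType.Pinned);
        DATA_BLOB dataIn = new DATA_BLOB { cbData = dummy.Length, pbData = pin.AddrOfPinnedObject() };
        DATA_BLOB dataOut = new DATA_BLOB();
        try
        {
            bool ok = CryptProtectData(ref dataIn, null, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                                       CRYPTPROTECT_CRED_SYNC, ref dataOut);
            if (!ok) win32Error = Marshal.GetLastWin32Error();
            return ok;
        }
        finally
        {
            pin.Free();
            if (dataOut.pbData != IntPtr.Zero) LocalFree(dataOut.pbData);
        }
    }

    // Exit codes: 0 healthy (possibly after sync), 1 still failing, 2 sync call itself failed.
    static int Main()
    {
        CryptographicException failure;
        if (CurrentUserScopeWorks(out failure))
        {
            Console.WriteLine("CurrentUser DPAPI scope is healthy.");
            return 0;
        }
        Console.WriteLine("CurrentUser scope failed: " + failure.Message);

        int err;
        if (!SyncMasterKey(out err))
        {
            Console.WriteLine("CRYPTPROTECT_CRED_SYNC failed, Win32 error " + err);
            return 2;
        }

        // If the scope still fails after a sync, the account-level fix from this thread
        // (setting or resetting the user's password) is the remaining option.
        if (CurrentUserScopeWorks(out failure))
        {
            Console.WriteLine("CurrentUser scope works after master key sync.");
            return 0;
        }
        Console.WriteLine("Still failing after sync: " + failure.Message);
        return 1;
    }
}
```

Run it as the affected user, not elevated, since the master key being resynchronised belongs to that logon; the question already notes that elevation does not change the outcome. Resetting the password, which solved the asker's case, drives the same master-key resynchronisation through the normal logon path, so the in-process `CRYPTPROTECT_CRED_SYNC` call is the fix to try when changing the password is not an option.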

I had the very same problem in a case when the user did not have a password defined on Windows 7. The solution was to set a password for the user.

treaschf