Here's the scenario:
- The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
- Requesting a certificate on a client fails with the following error message:
  The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Cause
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and makes it possible to apply rules that allow the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
As it turned out, the client in question was located in a DMZ-like network segment and was only able to communicate with a read-only domain controller (RODC), but not with a writable domain controller; a firewall blocked the latter.
As a result, the client was not able to back up its Data Protection API (DPAPI) master key to Active Directory. Since the private keys of certificates are also protected with DPAPI (provided they use a software-based Cryptographic Service Provider (CSP) or Key Storage Provider (KSP)), no keys could be generated or imported.
The problem and behavior are described in the following Microsoft Knowledge Base article: DPAPI MasterKey backup failures when RWDC isn't available.
"When a user logs on to a computer for the first time and tries to encrypt data for the first time, the operating system must create a preferred DPAPI MasterKey, which is based on the user's current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting a RWDC. If the backup fails, the MasterKey cannot be created and a 0x80090345 error is returned."
There are the following ways to solve the problem:
- Provide the client with access to a writable domain controller.
- Prevent the DPAPI master key from being backed up to Active Directory, although this is not recommended and should only be used if the logged-in users do not move between different computers.
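The following diagnostic script is an added example and is not part of the original article or of any Microsoft or TameMyCerts tooling. It checks, on the affected client, the conditions described above: certificates in the machine store whose private key is missing, whether the DC locator can still find a writable domain controller, whether that controller is reachable on the ports the master key backup needs, and (read-only) whether the machine has already been switched to local-only DPAPI master key protection. The registry key and the `ProtectionPolicy` value name in the last function are taken from my recollection of the Microsoft documentation referenced above and are therefore an assumption to verify against that article; the function only reads the value and does not set it.

```powershell
<#
  Added diagnostic example (not from the original article).
  Run in an elevated PowerShell session on the affected client.
#>

# Symptom 1: certificates in the machine store that no longer have a usable
# private key, i.e. the "Missing stored keyset" case after a PFX import.
function Get-CertificatesWithoutPrivateKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Cause: the DC locator must be able to return a *writable* DC. /writable
# makes nltest ignore RODCs, /force bypasses the cached locator result.
# A non-zero exit code here matches the situation in the article.
function Test-WritableDomainController {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $output = & nltest.exe "/dsgetdc:$Domain" /writable /force 2>&1
    $found  = ($LASTEXITCODE -eq 0)
    # The DC name appears in a line like "DC: \\DC01.contoso.com"
    $dcName = $null
    if ($found) {
        $line = $output | Where-Object { $_ -match '^\s*DC:\s+\\\\(\S+)' } | Select-Object -First 1
        if ($line -match '\\\\(\S+)') { $dcName = $Matches[1] }
    }
    [pscustomobject]@{
        Domain        = $Domain
        WritableFound = $found
        WritableDc    = $dcName
        LocatorOutput = ($output -join [Environment]::NewLine)
    }
}

# Reachability of a DC on the ports involved: LDAP (389) for the directory
# lookup and SMB (445), over which the RPC-based master key backup travels.
function Test-DcPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = @(389, 445)
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $port
            Reachable    = $r.TcpTestSucceeded
        }
    }
}

# Workaround check (read-only): has local-only DPAPI protection been enabled
# on this machine? ASSUMPTION: key path and value name recalled from Microsoft's
# documentation; verify against the KB article cited above before relying on it.
function Get-DpapiProtectionPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    $value = (Get-ItemProperty -Path $key -Name ProtectionPolicy -ErrorAction SilentlyContinue).ProtectionPolicy
    [pscustomobject]@{
        ProtectionPolicy     = $value
        LocalOnlyProtection  = ($value -eq 1)
    }
}

# --- Run the checks and print a summary -------------------------------------
'== Certificates without private key =='
Get-CertificatesWithoutPrivateKey | Format-Table -AutoSize

'== Writable domain controller lookup =='
$dcResult = Test-WritableDomainController
$dcResult | Select-Object Domain, WritableFound, WritableDc | Format-List

if ($dcResult.WritableFound -and $dcResult.WritableDc) {
    '== Port reachability of the writable DC =='
    Test-DcPorts -ComputerName $dcResult.WritableDc | Format-Table -AutoSize
} else {
    'No writable DC could be located; this matches the DPAPI master key backup failure described above.'
}

'== Local-only DPAPI protection setting =='
Get-DpapiProtectionPolicy | Format-List
```

If `Test-WritableDomainController` reports no writable DC while the RODC answers a plain `nltest /dsgetdc:<domain>`, the firewall rule in front of the writable controllers is the thing to fix; that is the first of the two solutions above and the one that keeps master key backup (and therefore password-reset recovery of DPAPI-protected keys) working.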