DPAPI NG - NCryptProtectSecret returns NTE_ENCRYPTION_FAILURE

3

I am trying to encrypt data using DPAPI-NG, but it fails on the NCryptProtectSecret call, which returns:

0x80090034 (NTE_ENCRYPTION_FAILURE)

I have created a protection descriptor with NCryptCreateProtectionDescriptor using a local user SID:

"SID=S-1-5-21-2942599413-360359348-3087651068-500"

Then I use this descriptor instance as input to NCryptProtectSecret, but it does not work.

If I use a protection descriptor of:

"LOCAL=user"

everything seems okay, but it does not work with a SID for a user or a group. I have tested this on Windows Server 2012 R2 and Windows Server 2016.

Any idea?

Here is a code sample:

#include <windows.h>
#include <ncrypt.h>
#include <ncryptprotect.h>   // NCryptCreateProtectionDescriptor / NCryptProtectSecret
#pragma comment(lib, "ncrypt.lib")

SECURITY_STATUS Status;
PBYTE       ProtectedData = NULL;
ULONG       ProtectedDataLength = 0;
NCRYPT_DESCRIPTOR_HANDLE    DescriptorHandle = NULL;
LPCWSTR ProtectionDescString = L"SID=S-1-5-21-2942599413-360359348-3087651068-500";

// Build a protection descriptor from the SID rule string.
Status = NCryptCreateProtectionDescriptor(
                                        ProtectionDescString,
                                        0,
                                        &DescriptorHandle
                                        );
// Status is ERROR_SUCCESS (zero)

// The secret to protect: the UTF-16 string including its NUL terminator.
LPCWSTR SecretString = L"Some message to protect";
PBYTE Secret = (PBYTE)SecretString;
DWORD SecretLength = (ULONG)( (wcslen(SecretString)+1)*sizeof(WCHAR) );

Status = NCryptProtectSecret(
                        DescriptorHandle,
                        0,
                        PlainText,
                        PlainTextLength,
                        NULL, // Use default allocations by LocalAlloc/LocalFree
                        NULL, // Use default parent windows handle.
                        &ProtectedData,  // out LocalFree
                        &ProtectedDataLength
                        );

// Status == NTE_ENCRYPTION_FAILURE

windows-server-2012-r2
dpapi
cng
asked on Stack Overflow Oct 22, 2016 by Zeljko • edited Oct 5, 2017 by Ian Boyd
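An added example, not code from the question or from any of the answers: the same NCryptCreateProtectionDescriptor / NCryptProtectSecret / NCryptUnprotectSecret sequence driven from PowerShell through P/Invoke, so the round trip can be tried on the target box without a compiler. It takes the SID from the account that is actually running the script instead of hard-coding one, passes each buffer together with its own length, and prints the SECURITY_STATUS in hex on failure so that 0x80090034 is recognisable. The names DpapiNg, Copy-AndFree, Protect-DpapiNgSecret and Unprotect-DpapiNgSecret are this example's own.

```powershell
# Added example (not the question's code): DPAPI-NG round trip via P/Invoke.
if (-not ('DpapiNg' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class DpapiNg
{
    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int NCryptCreateProtectionDescriptor(
        string descriptor, uint flags, out IntPtr handle);

    [DllImport("ncrypt.dll")]
    public static extern int NCryptCloseProtectionDescriptor(IntPtr handle);

    [DllImport("ncrypt.dll")]
    public static extern int NCryptProtectSecret(
        IntPtr handle, uint flags, byte[] data, uint cbData,
        IntPtr memPara, IntPtr hwnd, out IntPtr blob, out uint cbBlob);

    [DllImport("ncrypt.dll")]
    public static extern int NCryptUnprotectSecret(
        out IntPtr handle, uint flags, byte[] blob, uint cbBlob,
        IntPtr memPara, IntPtr hwnd, out IntPtr data, out uint cbData);

    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr mem);
}
'@
}

# Copy an API-owned buffer (allocated with LocalAlloc, as in the question's
# "default allocations" comment) into a managed byte[] and free it.
function Copy-AndFree([IntPtr]$Ptr, [uint32]$Count) {
    try {
        $bytes = New-Object byte[] ([int]$Count)
        [System.Runtime.InteropServices.Marshal]::Copy($Ptr, $bytes, 0, [int]$Count)
        return ,$bytes
    } finally {
        [void][DpapiNg]::LocalFree($Ptr)
    }
}

function Protect-DpapiNgSecret {
    param([Parameter(Mandatory)][string]$Descriptor,
          [Parameter(Mandatory)][byte[]]$Plaintext)
    $h = [IntPtr]::Zero
    $status = [DpapiNg]::NCryptCreateProtectionDescriptor($Descriptor, 0, [ref]$h)
    if ($status -ne 0) { throw ('NCryptCreateProtectionDescriptor: 0x{0:X8}' -f $status) }
    try {
        $blob = [IntPtr]::Zero; $cb = [uint32]0
        # Buffer and its own length go in as a pair.
        $status = [DpapiNg]::NCryptProtectSecret($h, 0, $Plaintext, [uint32]$Plaintext.Length,
                    [IntPtr]::Zero, [IntPtr]::Zero, [ref]$blob, [ref]$cb)
        if ($status -ne 0) { throw ('NCryptProtectSecret: 0x{0:X8}' -f $status) }
        return ,(Copy-AndFree $blob $cb)
    } finally {
        [void][DpapiNg]::NCryptCloseProtectionDescriptor($h)
    }
}

function Unprotect-DpapiNgSecret {
    param([Parameter(Mandatory)][byte[]]$Blob)
    $h = [IntPtr]::Zero; $data = [IntPtr]::Zero; $cb = [uint32]0
    # The blob carries its descriptor; the API hands a handle to it back in $h
    # and the caller must close it.
    $status = [DpapiNg]::NCryptUnprotectSecret([ref]$h, 0, $Blob, [uint32]$Blob.Length,
                [IntPtr]::Zero, [IntPtr]::Zero, [ref]$data, [ref]$cb)
    if ($status -ne 0) { throw ('NCryptUnprotectSecret: 0x{0:X8}' -f $status) }
    try { return ,(Copy-AndFree $data $cb) }
    finally { [void][DpapiNg]::NCryptCloseProtectionDescriptor($h) }
}

# Build the descriptor from the SID of the account running this script, so the
# descriptor cannot disagree with the caller.
$sid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$plain = [System.Text.Encoding]::Unicode.GetBytes('Some message to protect')
$blob  = Protect-DpapiNgSecret -Descriptor "SID=$sid" -Plaintext $plain
"Descriptor SID=$sid, protected blob is $($blob.Length) bytes"
[System.Text.Encoding]::Unicode.GetString((Unprotect-DpapiNgSecret -Blob $blob))
```

A SID= descriptor is resolved through the domain's Group Key Distribution Service on a Windows Server 2012 or later domain controller, so this only succeeds on a domain-joined machine that can reach such a DC. The LOCAL=user form from the question has no such dependency, which is one reason it can succeed where SID= fails.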

4 Answers

2

I ran into this problem and found that the cause was that our domain was running at a functional level lower than 2012. After upgrading the domain to 2012 the problem was resolved.

A quick and easy way to determine the functional level is the following PowerShell cmdlet:

[system.directoryservices.activedirectory.Forest]::GetCurrentForest().ForestMode
answered on Stack Overflow Jul 18, 2017 by Paul Mead
1

Replace PlainText and PlainTextLength with Secret and SecretLength.

answered on Stack Overflow Dec 27, 2016 by Miksha • edited Dec 27, 2016 by Miksha
0

I haven't figured out what the problem was, but everything worked fine in a different domain. Microsoft also confirmed that the working example we sent to them was correct, but they didn't explain what the problem was.

answered on Stack Overflow Apr 5, 2017 by Zeljko
0

Check that the user running the application really is the user

S-1-5-21-2942599413-360359348-3087651068-500

You can test this from a command prompt:

>whoami /user

USER INFORMATION
----------------

User Name     SID
============= ============================================
erbium\zeljko S-1-5-21-2942599413-360359348-3087651068-500

I got the NTE_ENCRYPTION_FAILURE when I was attempting to use a Group SID that I didn't actually have (the Domain Users group).

It might be you simply have the wrong SID compared to who is running the code.

answered on Stack Overflow Oct 5, 2017 by Ian Boyd
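An added example, not code from any of the answers: a pre-flight check that gathers the two things the answers say to verify before blaming the API, in one object. It reports the domain and forest functional level the way Paul Mead's answer does, and for every SID=... clause in the descriptor it reports whether that SID is the caller's own SID or one of the groups in the caller's token, which is the mismatch Ian Boyd's whoami /user check looks for. The function name Test-DpapiNgPreflight and the property names are this example's own; the directory lookup assumes a domain-joined machine and reports the error otherwise.

```powershell
# Added example (not from the answers): descriptor SIDs vs. caller token,
# plus domain/forest functional level.
function Test-DpapiNgPreflight {
    param([Parameter(Mandatory)][string]$Descriptor)

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The caller's own SID plus every group SID in the token (what
    # "whoami /user" and "whoami /groups" print).
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Pull every SID=... clause out of the descriptor (compound descriptors such
    # as "SID=... OR SID=..." yield several) and check each against the token.
    $sidChecks = foreach ($m in [regex]::Matches($Descriptor, 'SID=(S-1-[0-9-]+)')) {
        $sid = $m.Groups[1].Value
        [pscustomobject]@{
            Sid           = $sid
            IsCaller      = ($sid -eq $id.User.Value)
            InCallerToken = ($tokenSids -contains $sid)
        }
    }

    # Functional levels; this throws on a machine that is not domain-joined,
    # which is itself worth reporting.
    $domainMode = $null; $forestMode = $null; $dirError = $null
    try {
        $domainMode = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
        $forestMode = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode
    } catch {
        $dirError = $_.Exception.Message
    }

    [pscustomobject]@{
        Caller         = $id.Name
        CallerSid      = $id.User.Value
        DescriptorSids = @($sidChecks)
        DomainMode     = $domainMode
        ForestMode     = $forestMode
        DirectoryError = $dirError
    }
}

# The descriptor string from the question.
$report = Test-DpapiNgPreflight -Descriptor 'SID=S-1-5-21-2942599413-360359348-3087651068-500'
$report | Format-List

foreach ($c in $report.DescriptorSids) {
    if (-not $c.InCallerToken) {
        Write-Warning "$($c.Sid) is neither the caller ($($report.CallerSid)) nor one of the caller's groups"
    }
}
if ($null -ne $report.DomainMode -and
    $report.DomainMode -lt [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2012Domain) {
    Write-Warning "Domain functional level is $($report.DomainMode); SID-based descriptors need 2012 or later"
}
```

Run it under the same account and on the same machine as the failing application, since both the token contents and the directory lookup depend on that context.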

User contributions licensed under CC BY-SA 3.0