IBM Support

"Error with CAM passport" in Perspectives or Architect for roaming users only

Troubleshooting


Problem

Some users get this error message when trying to connect to a CAM-secured TM1 Server (IntegratedSecurityMode=5) through either Perspectives or Architect:
"Error with CAM passport"

The C8ITK.log in C:\Program Files\ibm\cognos\tm1_64\Logs contains this kind of error:

20201107 18:31:12.125 (v10.3.1.5)[1838:1088][ITKMMF.cpp L506] CryptProtectData failed

Users who do not have a roaming profile are not affected.

[ For more information about roaming profiles, see this Microsoft© document: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles ]

Resolving The Problem

The underlying issue is a DPAPI MasterKey backup failure that started with Microsoft© updates MS14-066, KB2992611, KB3000850, or newer updates that include these fixes.
This issue is described in the following document on the Microsoft© web site:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/dpapi-masterkey-backup-failures
[...

When a user logs on to a computer for the first time and tries to encrypt data for the first time, the operating system must create a preferred DPAPI MasterKey, which is based on the user's current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting an RWDC. If the backup fails, the MasterKey cannot be created and a 0x80090345 error is returned.

This failure is new behavior, which was introduced by KB2992611. In older operating systems and on systems that don't have KB2992611 installed, if the client fails to contact an RWDC during backup of the MasterKey, the creation of the master key is still allowed, and a local backup is created.

That is, the legacy behavior performs a local backup of the master key if no RWDC is available.

Consistent with the design brief that RODCs don't store secrets, RODCs do not store or handle the backup of the MasterKey. Therefore, in sites where no RWDC is available, the issues that are described in the "Symptoms" section may occur.

Note:

When a preferred master key exists but has expired (expired password case), an attempt to generate a new master key is made. If it's not possible to create a domain backup of the new master key, the client falls back to the old one, and the behavior that's described in the "Symptoms" section does not occur.

The problem occurs only if there's no MasterKey present and when the user has not logged on to the computer before.

...]
One solution is to avoid using roaming user profiles, but this may not be possible: for example, roaming profiles have to be used in a Citrix farm architecture.
In that case, the only solution is to uninstall the MS14-066, KB2992611, KB3000850 fixes.
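
To confirm that a particular user session is hitting this condition before changing profiles or updates, the symptoms described above can be checked with a short script. The following PowerShell is an added example, not IBM or Microsoft code; it is meant to be run as the affected user, and it assumes the log path quoted above and the standard per-user DPAPI key folder `%APPDATA%\Microsoft\Protect\<SID>`.

```powershell
# Added triage example (not IBM or Microsoft code). Run as the affected user.
Add-Type -AssemblyName System.Security

# 1. Ask DPAPI to protect a constructed test buffer in the current user's scope.
#    This is the operation that C8ITK.log reports as "CryptProtectData failed".
$sample = [System.Text.Encoding]::UTF8.GetBytes('dpapi-selftest')   # constructed input
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
try {
    [void][System.Security.Cryptography.ProtectedData]::Protect($sample, $null, $scope)
    'DPAPI protect: OK (a usable MasterKey exists for this user)'
} catch {
    # PowerShell wraps the .NET exception; unwrap it to read the HRESULT.
    $ex = $_.Exception
    while ($ex.InnerException) { $ex = $ex.InnerException }
    'DPAPI protect: FAILED, HRESULT 0x{0:X8} ({1})' -f $ex.HResult, $ex.Message
    # 0x80090345 is the code the Microsoft article gives for a failed MasterKey backup.
}

# 2. Count the user's MasterKey files. Assumption: standard DPAPI location;
#    the key files are hidden and GUID-named, hence -Force and the name filter.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
$guid   = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
$keys   = @(Get-ChildItem -Path $keyDir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guid })
'MasterKey files in {0}: {1}' -f $keyDir, $keys.Count

# 3. Report which of the named updates are installed. A later update that
#    includes these fixes has the same behaviour, so an empty result here
#    does not rule the issue out.
$kbs = @(Get-HotFix | Where-Object { $_.HotFixID -in 'KB2992611', 'KB3000850' })
'Named updates installed: {0}' -f ($(if ($kbs) { $kbs.HotFixID -join ', ' } else { 'none found' }))

# 4. Show the most recent matching entries from the client log.
$log = 'C:\Program Files\ibm\cognos\tm1_64\Logs\C8ITK.log'
if (Test-Path $log) {
    $hits = @(Select-String -Path $log -Pattern 'CryptProtectData failed' -SimpleMatch)
    'C8ITK.log entries with "CryptProtectData failed": {0}' -f $hits.Count
    $hits | Select-Object -Last 3 | ForEach-Object { $_.Line }
} else {
    "Log not found at $log"
}
```

A failed protect call with HRESULT 0x80090345 together with zero MasterKey files matches the case described in the Microsoft excerpt: no existing MasterKey and no successful backup to an RWDC.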

Document Location

Worldwide


Document Information

Modified date:
12 November 2020

UID

ibm16367207