Troubleshooting
Problem
The C8ITK.log in C:\Program Files\ibm\cognos\tm1_64\Logs contains this kind of error:
20201107 18:31:12.125 (v10.3.1.5)[1838:1088][ITKMMF.cpp L506] CryptProtectData failed
Users who do not have a roaming profile are not affected by this problem.
Resolving The Problem
When a user logs on to a computer for the first time and tries to encrypt data for the first time, the operating system must create a preferred DPAPI MasterKey, which is based on the user's current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting a read-write domain controller (RWDC). If the backup fails, the MasterKey cannot be created and a 0x80090345 error is returned.
This failure is new behavior, which was introduced by KB2992611. In older operating systems and on systems that don't have KB2992611 installed, if the client fails to contact an RWDC during backup of the MasterKey, the creation of the master key is still allowed, and a local backup is created.
That is, the legacy behavior performs a local backup of the master key if no RWDC is available.
Consistent with the design brief that read-only domain controllers (RODCs) don't store secrets, RODCs do not store or handle the backup of the MasterKey. Therefore, in sites where no RWDC is available, the issues that are described in the "Symptoms" section may occur.
Note:
When a preferred master key exists but has expired (the expired password case), an attempt to generate a new master key is made. If it's not possible to create a domain backup of the new master key, the client falls back to the old one, and the behavior that's described in the "Symptoms" section does not occur.
The problem occurs only if there's no MasterKey present and when the user has not logged on to the computer before.
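The following diagnostic is an added example, not part of the original IBM document. Run as the affected user, it checks the two conditions described above: whether the profile already holds a DPAPI MasterKey, and whether a DPAPI encryption call fails with 0x80090345. It assumes Windows PowerShell 5.1 on a domain-joined machine; the function name Test-DpapiMasterKey and the test string are hypothetical.

```powershell
# Added diagnostic example (not IBM's code). Run in the affected user's session.
Add-Type -AssemblyName System.Security

function Test-DpapiMasterKey {
    # Per-user DPAPI master keys are stored under %APPDATA%\Microsoft\Protect\<user SID>
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"

    # Count existing keys BEFORE calling DPAPI, because a successful call creates one.
    # Master key files are GUID-named hidden system files, hence -Force.
    $guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    $keys = @()
    if (Test-Path -LiteralPath $dir) {
        $keys = @(Get-ChildItem -LiteralPath $dir -Force -File |
                  Where-Object { $_.Name -match $guid })
    }

    # Round-trip a constructed test value through DPAPI (CryptProtectData underneath)
    $ok = $false
    $hresult = $null
    try {
        $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
        $plain = [Text.Encoding]::UTF8.GetBytes('dpapi-self-test')
        $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        $ok = $true
    } catch {
        # PowerShell wraps the CryptographicException; unwrap it to read the HRESULT
        $hresult = '0x{0:X8}' -f $_.Exception.GetBaseException().HResult
    }

    [pscustomobject]@{
        UserSid            = $sid
        MasterKeyDirectory = $dir
        MasterKeysBefore   = $keys.Count
        ProtectSucceeded   = $ok
        HResult            = $hresult
        # True when the failure is the one this document describes
        MatchesThisIssue   = ($hresult -eq '0x80090345')
    }
}

Test-DpapiMasterKey | Format-List

# Ask the locator for a writable (read-write) domain controller
if ($env:USERDNSDOMAIN) {
    nltest "/dsgetdc:$($env:USERDNSDOMAIN)" /writable
}
```

A result with MasterKeysBefore of 0, MatchesThisIssue of True, and no writable domain controller returned by nltest corresponds to the first-logon case described in this document.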
Document Location
Worldwide
Document Information
Modified date:
12 November 2020
UID
ibm16367207