Credential Manager Problems - Error 0x80090345

  • Question

  • Recently we migrated from Win2k3 to a Linux Zentyal server running Samba 4 as a PDC. We have 15 workstations that were previously on the Win2k3 domain (ess.local), and we switched these over to a workgroup and back onto the Zentyal server (also ess.local). That operation went flawlessly and the workstations appeared fine. However, that was only skin deep. Upon launching Outlook and filling in the POP3 credentials it failed with a -ERR PASS [AUTH] type error. After much diagnosing I have used Wireshark to determine that regardless of the password entered for the POP3 account, Outlook 2013 is sending a /r/n. Other small mail clients work fine, as does a raw telnet session on port 110.

    I tried many different Outlook command line switches and deleting registry entries for Outlook, to no avail. Something I discovered afterwards was that I could not go into Control Panel -> Credential Manager. It errors with 0x80090345, which isn't a terribly useful error. Any webpages that have username/passwords will not save (in fact it doesn't even let me click Not for this site).

    A fresh install of Win8.1 in a VM does not have this issue when joined to the domain. Does anyone have any ideas what I could pursue to help solve this?

    Monday, December 1, 2014 11:47 PM

Answers

  • Finally narrowed it down to one update: The culprit is the KB2992611.

    If you uninstall this update the Credential Manager is working again and so is the Outlook authentication. This seems to be a very controversial update and it seems MS already tried to fix some of the known caveats (just google you will find a lot of stuff). On the other hand it seems to be one of the more critical security patches also.

    I'm not sure if there is a general problem with this update and NT style domains or if it just affects Samba domains. However you should also make sure not to install the latest update rollup from Nov 2014 KB3000850 and probably neither any future update rollups (they are usually listed under optional).

    Making sure both KB2992611 and KB3000850 are on the exception list seems to be an acceptable workaround for now.

    Sunday, December 14, 2014 9:36 PM
  • 0x80090345 which isn't a terribly useful error. Any webpages that have username/passwords will not save (in fact it doesn't even let me click Not for this site).


    http://msdn.microsoft.com/en-us/library/windows/desktop/dd542646(v=vs.85).aspx

    (Google search for
       0x80090345 site:microsoft.com codes
    )

    <quote>

    SEC_E_DELEGATION_REQUIRED
    0x80090345

    The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

    </quote>

    So, is it a problem with that account?  Try elevating the Credential Manager? 

    Question:  How?  ProcExp Find tool shows that process is explorer.exe which is always run unelevated and we are not given any clues about which thread it is or how it is started.

    Then let's try ProcMon.

    Looks like it might be this:

    C:\windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

    So, what happens if we try starting that from an elevated cmd window?...

    Something happened but nothing externally, so perhaps it is the wrong one?  RegEdit indicates it could have something to do with opening the Control Panel.

    Well, one thing that I know you could do is kill explorer.exe and then use Task Manager to start it elevated.  Doing that would mean that you could not use  Win-w cred man  to find Credential Manager but we can get into it from Control Panel.  I don't think it would work to try elevating control.exe without killing explorer.exe or elevating it first because otherwise Credential Manager might still end up not being elevated.  TBD.

    Good luck



    Robert Aldwinckle
    ---

    Tuesday, December 2, 2014 5:08 PM

All replies

  • I came across exactly the same problem, though the Windows 8.1 clients are freshly installed and newly joined to a Samba 3.6.3 domain.

    I first recognized the problem with Outlook not taking the credentials and then finding that the Credential Manager won't start with error 0x80090345.

    If I use a local user it works without a problem so it must have something to do with the domain users.

    Interestingly I have two "older" Win 8.1 clients with user A and user B where everything works just fine. But when I try it with user C on one of the older clients it also does not work. Vice versa, when I use user A on one of the newer workstations it also does not work. I'm concluding that it does not really affect specific users and also not specific workstations. Could be something in newly created profiles which is the reason? I'll try to compare the registry user hives of user A and C and see if I find something.


    • Edited by MikCik Wednesday, December 10, 2014 11:26 AM
    Wednesday, December 10, 2014 11:14 AM
  • OMG if you figure this out please let me know, I've been slaving away for a week on this issue and coming up short. I am resorting to fresh installs on about 15 workstations using a sysprep image, which BTW I just tried after installing about 6 of their programs, and sysprepping it too is doing the same thing. I am thinking it's related to AVAST antivirus, which causes sysprep restore to fail.

    It is infuriating me to no end.

    Wednesday, December 10, 2014 6:07 PM
  • Ah, and one more. Like I speculated the update does not affect existing user profiles. Only newly created ones after KB2992611 has been installed. Interestingly uninstalling the patch immediately results in "broken" profiles working again without the need to recreate them.
    Sunday, December 14, 2014 9:40 PM
  • OMG NOOOOO WAYYYYY!!!! We ended up doing a 15 machine fresh rollout!!! However I do commend you for taking the time to track this down it was DRIVING ME NUTS. I have gotten the other technician to bookmark this for future reference as it could help deployment in the future. Actually on a VM I installed every available update (including the optional KB3000850) after I had joined the domain and the credential manager worked fine for that profile.
    Monday, December 15, 2014 12:00 PM
  • Hello,

    I thought I would post to mention that I've been chasing the same issue with CatalystIT - some Samba developers we pay for support with - and they can confirm this is a Samba problem. Samba did not implement certain parts of the BackupKey Remote Protocol (MS-BKRP). They are working on a patch, hopefully it will be included in some 4.2.x branch.

    Thursday, February 12, 2015 10:25 AM
  • I had a similar problem. Fresh Windows 8.1 installation and user account (administrator) working with a Samba domain controller. Credential Manager also didn't work, with the 0x80090345 error. But my real problem occurred in one of the administrative tools: Users and Computers in Active Directory. It worked well excluding one thing: I couldn't change users' passwords. I got the message about delegation (mentioned above) every time I tried to change a password.

    On the other 8.1 station it works well. What is the difference? KB3000850. On problematic computer it is installed. On working one, it is not. That is what I know for now.

    Wednesday, February 25, 2015 11:13 AM
  • ITLMAX: thanks for the heads up!

    The problem seems to be fixed in Samba 4.2 (released today) according to this bug tracker: https://bugzilla.samba.org/show_bug.cgi?id=11097

    Wednesday, March 4, 2015 9:51 PM
  • Ok, same problem here.

    Moved my Windows 8.1 clients to a new domain, Domain Controller is a QNAP NAS and so Samba based.

    I removed KB3000850 on the client, one reboot and Windows Update installed the Patch again.

    Second try, I disabled Windows Update, removed the Patch, reboot - again reinstalled by Windows Update and so still the Credential Manager problem.

    So the patch is in the download cache of Windows Update - how do I solve this problem?
    Remove the whole Windows Update Cache or is there a smarter solution available?

    Best regards

    Bernd

    Monday, April 27, 2015 10:16 AM
  • I've uninstalled KB2992611 and KB3000850 but am still getting this error. Are there any other newer updates that need to be uninstalled until this is solved? There seems to be very little about this error on the net given the widespread issues it is causing?
    Friday, May 29, 2015 6:47 AM
  • Hi, I had the same issue on a new Windows 8.1 PC.

    After going down the path of uninstalling and reinstalling batches of updates, it now seems to be working.

    The odd thing is that it is now working with all updates reinstalled. I don't know if Microsoft pulled one of their updates?

    Friday, May 29, 2015 12:44 PM
  • Just to add to this..

    Credential Manager now works in my admin domain account (along with the local account).

    This still doesn't work in multiple user domain account.

    I've also removed the roaming profile from the PC and re-downloaded. Also, I've uninstalled the latest 9 updates with no success

    Friday, May 29, 2015 1:04 PM
  • Hi everyone, I found something else today. I was trying to make a new install of Windows 8.1 today. I tried to install every update one by one. Three of those updates are wrong with Zentyal 4.1: KB3000850, KB2992611, KB3038562. I hope this will help you. I know it is not a real solution. Thanks, Cédric
    Wednesday, June 10, 2015 6:07 PM
  • Hi, I am facing the same error. I checked my updates as well and there is no KB2992611 security update, but I am still stuck. Can you help me with how to resolve this?
    Thursday, July 2, 2015 10:55 AM
  • Hi everyone, I found something else today. I was trying to make a new install of Windows 8.1 today. I tried to install every update one by one. Three of those updates are wrong with Zentyal 4.1: KB3000850, KB2992611, KB3038562. I hope this will help you. I know it is not a real solution. Thanks, Cédric

    The same behavior on Windows 2012 R2 (which "resembles" Windows 8.1) terminal server connected to AD domain controller on Samba in Ubuntu 14.04 Samba (4.1.6+dfsg).

    A few months ago on another Windows 2012 R2 terminal server removing only two first updates had helped.

    Today removing KB3000850 and KB2992611 on different server (connected to another Ubuntu/Samba 4.1.6+dfsg based AD) did not help but after we additionally removed KB3038562 we could add account in outlook.

    Since there seems to be samba bug also pointed above (https://bugzilla.samba.org/show_bug.cgi?id=11097), we will try it and let you know.



    • Edited by paworz Tuesday, July 7, 2015 9:11 AM
    Tuesday, July 7, 2015 7:46 AM
  • Hello,

    Just to add that if you do manage to upgrade Samba to 4.2 it is still possible to hit the same symptoms again. There is some sort of key stored in the Samba DC that has to be removed as well. It can be removed using an LDIF file:

    dn: CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=example,DC=com
    changetype: delete

    Executing the above LDIF against your Samba's LDAP tree will delete that entry and it will regenerate automatically.

    Friday, July 10, 2015 11:19 AM
  • Just resolved this issue with no necessity to remove KB3000850.

    The KB3000850 page has a workaround that works.

    The ProtectionPolicy value must be a DWORD.

    Workaround
    To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    • Proposed as answer by EricBerry Tuesday, October 20, 2015 5:28 PM
    Tuesday, August 4, 2015 3:32 PM
  • THANK YOU! You have no idea the lengths I've gone to fix this. Was the KB3000850 recently updated with that info?
    Monday, August 10, 2015 4:35 PM
  • Thank you very much. 2 days wasted until I found this answer. Chrome sync wasn't working, nor VS 2013 or the mail client.
    Thursday, August 27, 2015 12:42 PM
  • Finally narrowed it down to one update: The culprit is the KB2992611.

    If you uninstall this update the Credential Manager is working again and so is the Outlook authentication. This seems to be a very controversial update and it seems MS already tried to fix some of the known caveats (just google you will find a lot of stuff). On the other hand it seems to be one of the more critical security patches also.

    I'm not sure if there is a general problem with this update and NT style domains or if it just affects Samba domains. However you should also make sure not to install the latest update rollup from Nov 2014 KB3000850 and probably neither any future update rollups (they are usually listed under optional).

    Making sure both KB2992611 and KB3000850 are on the exception list seems to be an acceptable workaround for now.

    Hello MakCik,
    I'm having the exact same problem, but I just bought 2 laptops so they came with the update already installed. What can I do?
    Tuesday, November 3, 2015 1:20 AM
  • Perfect! Thank you very much.
    Tuesday, November 10, 2015 12:54 PM
  • Additionally the resolution with ProtectionPolicy registry key resolved with us (Windows 10 with Samba AD 4.1.17):

    - Dropbox not wanting to start reporting the same error

    - Very slow typing into remote desktop manager computer name field

    Monday, April 25, 2016 8:40 AM
  • Just resolved this issue with no necessity to remove KB3000850.

    The KB3000850 page has a workaround that works.

    The ProtectionPolicy value must be a DWORD.

    Workaround
    To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    Thank you. Thank you. Thank you.

    A fresh out of the box Windows 10 HP laptop, updated, installed MS Office 2007, domain joined. Could not get Outlook to connect to O365 email account. Tried for 3 hours. Was on the verge of fresh install of everything and tried to get into the credential manager for one last go. Got this error. Led me here. None of the KBs listed here are installed on the laptop so was about to give up when I saw about the reg change. It works! Relief doesn't quite seem to cover it!

    Wednesday, December 14, 2016 8:45 AM
  • Thank you very much for the registry post (added your DWORD ProtectionPolicy=1). It worked now even in Windows 10, where all the above-mentioned KBs were not visible as they were part of a cumulative update.
    Thursday, April 6, 2017 9:15 AM
  • Just resolved this issue with no necessity to remove KB3000850.

    The KB3000850 page has a workaround that works.

    The ProtectionPolicy value must be a DWORD.

    Workaround
    To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    Thank you. Thank you. Thank you.

    A fresh out of the box Windows 10 HP laptop, updated, installed MS Office 2007, domain joined. Could not get Outlook to connect to O365 email account. Tried for 3 hours. Was on the verge of fresh install of everything and tried to get into the credential manager for one last go. Got this error. Led me here. None of the KBs listed here are installed on the laptop so was about to give up when I saw about the reg change. It works! Relief doesn't quite seem to cover it!

    Yep this solves the problem when you have a read only DC also and so creds need to be stored locally. many hours saved thanks
    Friday, June 30, 2017 10:57 AM
  • run regedit

    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    Change the value of "ProtectionPolicy" to "1"

    If ProtectionPolicy doesn't exist, add a DWORD (32-bit) Value and then change the value to 1


    Mohamed Azoz

    • Proposed as answer by -Jay- Friday, November 2, 2018 8:27 AM
    Thursday, March 1, 2018 2:18 AM
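
The registry check and change described in the two workaround posts above (the KB3000850 workaround and the regedit steps), as an added PowerShell example that is not part of the thread or of Microsoft's KB text. The key path and value name are the ones quoted in the posts; the function names and state labels are hypothetical. It reads the current state first so the change can be recorded and reviewed later, for instance once the domain controller runs the Samba 4.2 release the thread points to.

```powershell
# Added example; not from the thread. Key path and value name are the ones
# quoted in the workaround posts. Function names and state labels are hypothetical.
$KeyPath   = 'HKLM:\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$ValueName = 'ProtectionPolicy'

function Get-ProtectionPolicyState {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    $result = [ordered]@{ Computer = $env:COMPUTERNAME; State = 'KeyMissing'; Kind = $null; Value = $null }
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains $Name) {
            $result.Kind  = $key.GetValueKind($Name)
            $result.Value = $key.GetValue($Name)
            # The posts stress that the value must be a DWORD; a string "1" does not count.
            if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $result.State = 'WrongType'
            } elseif ($result.Value -eq 1) {
                $result.State = 'LocalBackup'
            } else {
                $result.State = 'OtherValue'
            }
        } else {
            $result.State = 'ValueMissing'
        }
    }
    [pscustomobject]$result
}

function Set-ProtectionPolicyLocalBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    $before = Get-ProtectionPolicyState -Path $Path -Name $Name
    if ($before.State -eq 'LocalBackup') { return $before }   # already set, nothing to write
    if ($before.State -eq 'KeyMissing') {
        # Assumption of this example: a missing provider key is left alone, not created.
        throw "Provider key not found: $Path"
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set DWORD value 1')) {
        if ($before.State -eq 'WrongType') {
            # Remove the mistyped value so it can be recreated as a DWORD.
            Remove-ItemProperty -LiteralPath $Path -Name $Name
        }
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ProtectionPolicyState -Path $Path -Name $Name
}

# Read-only report first; keep the output with the change record.
Get-ProtectionPolicyState
# Preview the write. Drop -WhatIf and run from an elevated prompt to apply it.
Set-ProtectionPolicyLocalBackup -WhatIf
```
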
  • Thank you. Resolved the problem.
    Friday, August 24, 2018 2:11 PM
  • Thank you Azoz
    • Edited by Maher Nada Wednesday, September 26, 2018 12:40 AM
    Friday, August 31, 2018 6:44 AM