ERROR: "NMAS.DLL could not initialize cryptographic services or cryptographic services are not available. (-1497)"

(Last modified: 25Apr2005)

This document (10085576) is provided subject to the disclaimer at the end of this document.

fact

Novell Modular Authentication Service version 2.1.1

Novell Modular Authentication Service version 2.1 Enterprise Edition

Novell Modular Authentication Service version 2.1 Standard Edition

Novell ZENworks for Desktops 3.2

Novell ZENworks for Desktops 3.0

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Server

symptom

ERROR: "NMAS.DLL could not initialize cryptographic services or cryptographic services are not available. (-1497)"

Error -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27)

The workstation locks with the NMAS screen saver.

The NMAS module comes back with a -1497 error when trying to unlock the workstation from the screen saver.

In some cases, if the workstation stays in screen saver mode for an extended period of time, the problem occurs.

note

The problem seems more prevalent if NICI is upgraded on the workstation. It also seems to happen if NMAS has been upgraded. ZEN DLU seems to be part of the equation, although it isn't clear whether DLU is part of the problem or not.

The -1497 error was seen when initializing Windows XP running Novell SecureLogin (NSL) version 3.51 in LDAP mode, with no Novell Client installed, but with the ZfD agent loaded.

fix

Resolved with NICI version 2.6.1 or later.  These NICI updates can be found at download.novell.com.

In another instance, the problem seemed to be caused by a corrupt DLU policy. Deleting and recreating the DLU policy after upgrading workstation NICI to version 2.6.1 resolved the issue.

note

Verify the setting of HKLM\Software\Novell\NICI\EnableUserProfileDirectory in the Windows registry. This setting needs to be in place when ZEN is using dynamic users and the user has access restrictions on the system32 folder. If restrictions are in place, the user will not be able to access the system32\novell\nici directory. When the user unlocks the workstation, NICI tries to access that directory, is denied access, and the -1497 error results.

If you have upgraded from NICI 2.6.0 to NICI 2.6.1, you should not experience this problem because NICI will not take the EnableUserProfileDirectory setting out. However, if you uninstall 2.6.0 and then install 2.6.1, the setting will be lost with the uninstall and the -1497 error may continue, depending on the access rights to the system32\ directory. This will happen with XP and Windows 2000.

The following was taken from the NICI admin guide. It explains setting EnableUserProfileDirectory.

Hive - HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI
Value - EnableUserProfileDirectory
Type - DWORD set to 1
Description - NICI user files are created in the "Application Data\Novell\NICI" directory in the user's profile directory.

User directories are created, by default, in the %SystemRoot%\System32\novell\nici directory by the user's name, e.g., c:\WINNT\System32\novell\nici\Administrator. In order to change the root directory in which all user directories are created by name, modify or create the string type registry entry UserDirectoryRoot in the NICI registry key, and set it to the desired root directory, for instance c:\Documents and Settings to create the NICI user configuration files in each user's local profile path on a Windows 2000 system.

The user name is the name of the user owning the process that started NICI. If it is a local user, NICI uses the user name. If it is a remote or a domain user, NICI forms the user name as the combination of user name and domain separated by a dot, i.e., userName.domainName.

EnableUserProfileDirectory is not created by the NICI install, hence disabled. If set, existing NICI user files may need to be copied or moved to the new location. If the user profile directory is enabled, NICI does not set the ACLs on this directory; it relies on existing security properties (ACLs, inheritance, and ownership) of the user's profile directory: use this option very carefully as you may disclose all users' NICI keys. NICI creates the Application\Novell\NICI directory if not present, and stores all NICI user files in this directory. This option is provided to enable the dynamic user creation/deletion feature in the Novell ZEN Works product. It must be set manually or by another application's install, such as ZEN Works.

fix

Set EnableUserProfileDirectory. If EnableUserProfileDirectory is set, NICI will create the user directory under Documents and Settings\user profile\ instead of <SYSTEMROOT>\System32\Novell\NICI. The user has all rights to his own profile directory.
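The following script is an added example, not taken from this document or from the NICI admin guide. It checks whether EnableUserProfileDirectory is present and set to 1 and, because NICI does not set ACLs on the profile directory, lists any NICI user directory under a profile that grants access to a broad group. It assumes PowerShell is available on the workstation, that profiles live under Documents and Settings, and that the four groups listed are the ones worth flagging.

```powershell
# Added example: audit EnableUserProfileDirectory and the ACLs NICI inherits.
# Run from an administrative session so other users' profiles can be read.
param(
    # Assumption: profile root as on Windows 2000/XP; adjust if profiles live elsewhere.
    [string]$ProfilesRoot = "$env:SystemDrive\Documents and Settings"
)

$niciKey = 'HKLM:\SOFTWARE\Novell\NICI'
$name    = 'EnableUserProfileDirectory'

# 1. The value is not created by the NICI install and is lost on uninstall.
$prop = Get-ItemProperty -Path $niciKey -Name $name -ErrorAction SilentlyContinue
if ($prop -and $prop.$name -eq 1) {
    Write-Output "$name = 1: NICI user files are kept in each user's profile"
} else {
    Write-Output "$name missing or not 1: NICI uses %SystemRoot%\System32\novell\nici"
}

# 2. Well-known SIDs of broad groups (locale independent); the selection is
#    this example's choice, not a list from the NICI documentation.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $ProfilesRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $niciDir = Join-Path $_.FullName 'Application Data\Novell\NICI'
    if (-not (Test-Path -Path $niciDir)) { return }   # no NICI files in this profile

    # Explicit and inherited rules both count: NICI relies on inheritance here.
    $acl = Get-Acl -Path $niciDir
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            Write-Output ("REVIEW {0}: {1} allowed {2}" -f `
                $niciDir, $broadSids[$sid], $rule.FileSystemRights)
        }
    }
}
```

Any REVIEW line means other accounts on the machine can reach that user's NICI files and the profile's permissions should be tightened.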

document

Document Title: ERROR: "NMAS.DLL could not initialize cryptographic services or cryptographic services are not available. (-1497)"
Document ID: 10085576
Solution ID: NOVL91344
Creation Date: 29Jul2003
Modified Date: 25Apr2005
Novell Product Class: NetWare
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.