[Samba] Private Key Unavailable After Domain Password Change
Bill.Baird at phoenixmi.com
Mon Sep 14 16:11:36 UTC 2020
We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled
for replacement later this month). Sometimes when a user changes their
domain password, we are seeing an issue where the private key is no longer
available. Users on Windows 10 v1909 or v2004. This does not happen to all
We have users connecting to one of our environments using OpenVPN. We have
been using the cryptoapicert option in the OpenVPN config and having it
reference a certificate/key we import to the user's account using certutil
(ex. "certutil -user -importpfx mycertkeypair.p12 NoExport") with the
NoExport option (or via mmc). (NoExport is so they can't export private key
and move to another system).
When the user changes their domain password then tries to connect to the
VPN, they get these errors below. If we manually re-import the certificate,
everything works properly. Because of this, I don't believe this is an
issue with OpenVPN.
cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
- Cannot load certificate: SUBJ:mycertkeypair" from Microsoft Certificate
I found this old bug which looks very similar, but was supposed to be fixed
as of 4.2.0?
Has anyone else seen this, or have any ideas on how to allow private keys
to persist password changes for all users?
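Before a user hits the VPN error, an administrator or the user can check whether each certificate in the personal store still has an openable private key. The following PowerShell is an added example, not code from the original post or from Samba or OpenVPN; it assumes Windows PowerShell 5.1 run in the affected user's session, and the PFX path in the comment is a placeholder.

```powershell
# Report certificates in the current user's personal store whose private
# key CryptoAPI can no longer open (the "Keyset does not exist" condition
# behind the OpenVPN error in the post). Assumed: Windows PowerShell 5.1,
# run as the affected user so Cert:\CurrentUser is that user's store.
function Test-UserCertPrivateKeys {
    param(
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $state = 'no-private-key'   # certificate only, nothing to open
        if ($cert.HasPrivateKey) {
            try {
                # Opens the CAPI/CNG key container behind the certificate;
                # fails when the keyset is missing or cannot be decrypted.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $state = 'key-unavailable'
                } else {
                    $state = 'ok'
                    $key.Dispose()
                }
            } catch {
                $state = "key-unavailable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyState   = $state
        }
    }
}

# Example run: list the store, then flag entries whose key is unusable.
# The re-import line mirrors the certutil command from the post; the
# PFX path is a placeholder to be replaced with the real file.
$report = Test-UserCertPrivateKeys
$report | Format-Table -AutoSize
$broken = $report | Where-Object { $_.KeyState -like 'key-unavailable*' }
if ($broken) {
    Write-Warning "Private key unavailable for: $($broken.Subject -join ', ')"
    # certutil -user -importpfx C:\path\to\mycertkeypair.p12 NoExport
}
```

Running this right after a password change, and again after a re-import, shows whether the key container itself is gone or merely unreadable for that session.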