Credential Manager Problems - Error 0x80090345
Recently we migrated from Win2k3 to a Linux Zentyal server running Samba 4 as a PDC. We have 15 workstations that were previously on the Win2k3 domain (ess.local), and we switched these over to a workgroup and back onto the Zentyal server (also ess.local). That operation went flawlessly and the workstations appeared fine. However, that was only skin deep. Upon launching Outlook and filling in the POP3 credentials, it failed with a -ERR PASS [AUTH] type error. After much diagnosing, I used Wireshark to determine that, regardless of the password entered for the POP3 account, Outlook 2013 is sending a /r/n. Other small mail clients work fine, as does a raw telnet session on port 110.
I tried many different Outlook command line switches and deleting registry entries for Outlook, to no avail. Something I discovered afterwards was that I could not go into Control Panel -> Credential Manager. It errors with 0x80090345, which isn't a terribly useful error. Any webpages that have username/passwords will not save (in fact it doesn't even let me click Not for this site).
A fresh install of Win8.1 in a VM does not have this issue when joined to the domain. Does anyone have any ideas what I could pursue to help solve this?
December 2nd, 2014 2:47am
0x80090345 which isn't a terribly useful error. Any webpages that have username/passwords will not save (in fact it doesn't even let me click Not for this site).
http://msdn.microsoft.com/en-us/library/windows/desktop/dd542646(v=vs.85).aspx
(Google search for 0x80090345 site:microsoft.com codes)
<quote>
SEC_E_DELEGATION_REQUIRED (0x80090345): The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
</quote>
So, is it a problem with that account? Try elevating the Credential Manager?
Question: How? ProcExp Find tool shows that process is explorer.exe which is always run unelevated and we are not given any clues about which thread it is or how it is started.
Then let's try ProcMon.
Looks like it might be this:
C:\windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
So, what happens if we try starting that from an elevated cmd window?...
Something happened but nothing externally, so perhaps it is the wrong one? RegEdit indicates it could have something to do with opening the Control Panel.
Well, one thing that I know you could do is kill explorer.exe and then use Task Manager to start it elevated. Doing that would mean that you could not use Win-w cred man to find Credential Manager but we can get into it from Control Panel. I don't think it would work to try elevating control.exe without killing explorer.exe or elevating it first because otherwise Credential Manager might still end up not being elevated. TBD.
Good luck
December 2nd, 2014 8:08pm
I came across exactly the same problem, though the Windows 8.1 clients are freshly installed and newly joined to a Samba 3.6.3 domain.
I first recognized the problem with Outlook not taking the credentials and then finding that the Credential Manager won't start with error 0x80090345.
If I use a local user it works without a problem so it must have something to do with the domain users.
Interestingly I have two "older" Win 8.1 clients with user A and user B where everything works just fine. But when I try it with user C on one of the older clients it also does not work. Vice versa, when I use user A on one of the newer workstations it also does not work. I'm concluding that it does not really affect specific users and also not specific workstations. Could be something in newly created profiles which is the reason? I'll try to compare the registry user hives of user A and C and see if I find something.
- Edited by MikCik on Wednesday, December 10, 2014 11:26 AM
December 10th, 2014 11:14am
OMG if you figure this out please let me know, I've been slaving away for a week on this issue and coming up short. I am resorting to fresh installs on about 15 workstations using a sysprep image, which BTW I just tried after installing about 6 of their programs and sysprepping it, and it too is doing the same thing. I am thinking it's related to AVAST antivirus, which causes sysprep restore to fail.
It is infuriating me to no end.
December 10th, 2014 9:07pm
Finally narrowed it down to one update: The culprit is KB2992611.
If you uninstall this update the Credential Manager is working again and so is the Outlook authentication. This seems to be a very controversial update and it seems MS already tried to fix some of the known caveats (just google, you will find a lot of stuff). On the other hand it seems to be one of the more critical security patches also.
I'm not sure if there is a general problem with this update and NT style domains or if it just affects Samba domains. However you should also make sure not to install the latest update rollup from Nov 2014, KB3000850, and probably not any future update rollups either (they are usually listed under optional).
Making sure both KB2992611 and KB3000850 are on the exception list seems to be an acceptable workaround for now.
- Proposed as answer by je55e on Friday, April 10, 2015 5:54 PM
- Marked as answer by Brandon Records (Moderator) on Saturday, June 13, 2015 3:33 PM
December 14th, 2014 9:36pm
Ah, and one more. Like I speculated, the update does not affect existing user profiles. Only newly created ones after KB2992611 has been installed. Interestingly, uninstalling the patch immediately results in "broken" profiles working again without the need to recreate them.
December 15th, 2014 12:40am
OMG NOOOOO WAYYYYY!!!! We ended up doing a 15 machine fresh rollout!!! However I do commend you for taking the time to track this down, it was DRIVING ME NUTS. I have gotten the other technician to bookmark this for future reference as it could help deployment in the future. Actually on a VM I installed every available update (including the optional KB3000850) after I had joined the domain and the credential manager worked fine for that profile.
December 15th, 2014 3:00pm
Hello,
I thought I would post to mention that I've been chasing the same issue with CatalystIT - some Samba developers we pay for support with - and they can confirm this is a Samba problem. Samba did not implement certain parts of the BackupKey Remote Protocol (MS-BKRP). They are working on a patch, hopefully it will be included in some 4.2.x branch.
February 12th, 2015 5:29am
I had a similar problem. Fresh Windows 8.1 installation and user account (administrator) working with a Samba domain controller. Credential Manager also didn't work, with the 0x80090345 error. But my real problem occurred in one of the administrative tools: users and computers in Active Directory. It worked well excluding one thing: I couldn't change users' passwords. I got the message about delegation (mentioned above) every time I tried to change a password.
On the other 8.1 station it works well. What is the difference? KB3000850.
On the problematic computer it is installed. On the working one, it is not. That is what I know for now.
February 25th, 2015 6:15am
ITLMAX: thanks for the heads up!
The problem seems to be fixed in Samba 4.2 (released today) according to this bug tracker: https://bugzilla.samba.org/show_bug.cgi?id=11097
March 4th, 2015 4:52pm
Ok, same problem here.
Moved my Windows 8.1 clients to a new domain, Domain Controller is a QNAP NAS and so Samba based.
I removed KB3000850 on the client, one reboot and Windows Update installed the Patch again.
Second try, I disabled Windows Update, removed the Patch, reboot - again reinstalled by Windows Update and so still the Credential Manager problem.
So the Patch is in the Download Cache of Windows Update - how do I solve this problem?
Remove the whole Windows Update Cache or is there a smarter solution available?
Best regards
Bernd
April 27th, 2015 6:17am
I've uninstalled KB2992611 and KB3000850 but am still getting this error. Are there any other newer updates that need to be uninstalled until this is solved? There seems very little about this error on the net given the widespread issues it is causing?
May 29th, 2015 2:49am
Hi, I had the same issue on a new Windows 8.1 PC.
After going down the path of uninstalling and reinstalling batches of updates, it now seems to be working.
The odd thing is that it is now working with all updates reinstalled. I don't know if Microsoft pulled one of their updates?
May 29th, 2015 8:45am
Just to add to this..
Credential Manager now works in my admin domain account (along with the local account).
This still doesn't work in multiple user domain account.
I've also removed the roaming profile from the PC and re-downloaded. Also, I've uninstalled the latest 9 updates with no success
May 29th, 2015 9:04am
Hi everyone, I found something else today. I was trying to make a new install of Windows 8.1 today. I tried to install every update one by one. 3 of those updates are wrong with Zentyal 4.1:
- KB3000850
- KB2992611
- KB3038562
If this will help you. I know it is not a real solution.
Thanks, Cédric
- Proposed as answer by Windows Administrator 8,843,133,981 on Thursday, June 18, 2015 4:54 AM
June 10th, 2015 6:07pm
Hi, I am facing the same error and I checked my updates as well; there is no KB2992611 security update but I am still stuck. Can you help me with how to resolve this?
July 2nd, 2015 6:58am
<quote>
Hi everyone, I found something else today. I was trying to make a new install of Windows 8.1 today. I tried to install every update one by one. 3 of those updates are wrong with Zentyal 4.1 - KB3000850 - KB2992611 - KB3038562 If this will help you. I know it is not a real solution. Thanks, Cédric
</quote>
The same behavior on a Windows 2012 R2 (which "resembles" Windows 8.1) terminal server connected to an AD domain controller on Samba in Ubuntu 14.04 Samba (4.1.6+dfsg).
A few months ago on another Windows 2012 R2 terminal server removing only the first two updates had helped.
Today removing KB3000850 and KB2992611 on a different server (connected to another Ubuntu/Samba 4.1.6+dfsg based AD) did not help, but after we additionally removed KB3038562 we could add an account in Outlook.
Since there seems to be a Samba bug, also pointed out above (https://bugzilla.samba.org/show_bug.cgi?id=11097), we will try it and let you know.
- Edited by paworz on Tuesday, July 07, 2015 9:11 AM
July 7th, 2015 7:46am
Hello,
Just to add that if you do manage to upgrade Samba to 4.2 it is still possible to hit the same symptoms again. There is some sort of key stored in the Samba DC that has to be removed as well. It can be removed using an LDIF file:
dn: CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=example,DC=com
changetype: delete
Executing the above LDIF against your Samba's LDAP tree will delete that entry and it will regenerate automatically.
July 10th, 2015 7:21am
Just resolved this issue with no necessity to remove KB3000850.
The KB3000850 page has a workaround that works.
The ProtectionPolicy value must be a DWORD.
Workaround
To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
August 5th, 2015 11:35am
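The check and registry change from the workaround post above, as an added PowerShell example that is not part of the original thread: it reports which of the three updates named in the thread are installed and whether ProtectionPolicy exists as a DWORD set to 1, and writes the value only when run with -Apply. The script layout and function names are illustrative assumptions; the KB numbers, subkey and value name are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Without -Apply the script only reports; with -Apply it writes the value.
param([switch]$Apply)

# Updates that posters in this thread associated with error 0x80090345.
$suspectKbs = 'KB2992611', 'KB3000850', 'KB3038562'

# Subkey and value name quoted in the workaround post.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$valueName = 'ProtectionPolicy'

function Get-SuspectUpdate {
    # Filter the full list: Get-HotFix -Id raises an error for a KB that is absent.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $suspectKbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Get-ProtectionPolicyState {
    # Report existence, registry type and data separately, because a value
    # created as a string "1" looks right in a quick check but is not a DWORD.
    $state = [ordered]@{ KeyExists = $false; Present = $false; Kind = $null; Value = $null }
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($key) {
        $state.KeyExists = $true
        if ($key.GetValueNames() -contains $valueName) {
            $state.Present = $true
            $state.Kind    = $key.GetValueKind($valueName)
            $state.Value   = $key.GetValue($valueName)
        }
    }
    [pscustomobject]$state
}

function Test-WorkaroundApplied {
    param($State)
    $State.Present -and
        $State.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and
        $State.Value -eq 1
}

$updates = @(Get-SuspectUpdate)
$state   = Get-ProtectionPolicyState

'Suspect updates installed: ' + $(if ($updates) { $updates.HotFixID -join ', ' } else { 'none' })
'ProtectionPolicy before:   ' + $(if ($state.Present) { "$($state.Kind) = $($state.Value)" } else { 'not set' })

if ($Apply -and -not (Test-WorkaroundApplied $state)) {
    if (-not $state.KeyExists) { New-Item -Path $keyPath -Force | Out-Null }
    # -Force replaces an existing value, including one created with the wrong type.
    New-ItemProperty -LiteralPath $keyPath -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $state = Get-ProtectionPolicyState
    'ProtectionPolicy after:    ' + "$($state.Kind) = $($state.Value)"
}

'Workaround in place:       ' + [bool](Test-WorkaroundApplied $state)
```

The value lives under HKEY_LOCAL_MACHINE, so it applies to every user profile on the workstation rather than to a single domain account.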
THANK YOU! You have no idea the lengths I've gone to fix this. Was the KB3000850 recently updated with that info?
August 10th, 2015 12:39pm
Thank you very much. 2 days wasted until I found this answer, Chrome sync wasn't working, VS 2013 or the mail client
- Edited by Robert Tobescu on Thursday, August 27, 2015 12:42 PM
August 27th, 2015 12:42pm