OES 2015.1 – DSFW AD 2012 Schema
Servers were upgraded from OES 11.2 to OES 2015.1 – DSFW AD 2012 Schema a while back. AD Schema was extended to 2012.

I am now receiving the following message when attempting to manage a user, create a user, or make a change through ADUC (Active Directory Users & Computers) on a 2012R2 Server:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Active Directory Domain Services
Windows cannot complete the password change for %%USERNAME%%
The Requested operation cannot be completed. The Computer must be trusted for delegation and the current user account must be configured to allow delegation.

Same thing happens trying to do it from command line:
dsmod user "CN=TEMPUSER,OU=STAFF,DC=MyDomain,DC=org" -pwd XXXXXXXXX -mustchpwd yes

I have confirmed (Even though I do not believe this is correct) the object / server has been marked as trusted for delegation.
I can make the changes on a 2008R2 Server with no issue (This server is not marked for delegation). As far as I know I was not having this issue prior to the updates?
I tried installing The Server Remote Tools on a new 2012 R2 Server, rebooting, logging in again. Same issue.
I can make all other changes in ADUC on 2012. Edit the user and all attributes. I cannot update the password.

I have validated the Secpol.msc / domain policies to make sure an encryption or some other setting is not being applied. No “Security” related settings are being pushed.

Thinking it may have been related to the SHA1 material I went ahead and updated my OES CA / Certificate server to SHA2. Reissued all the certs, restarted all the servers.

This did not help.
Enabled Netlogon Debug:
• Nltest /DBFlag:2080FFFF

This showed some basic stuff; however, the best log that I have found is by enabling the DEBUG in event viewer for Crypto-DPAPI.

I see the following when attempting a password change:
~~~~~~~~~~~~~~~~~~~~~~~~~~
DPAPI Protect Failed.
Status: 0x80090345
ReasonForFailure: Could not get the master key

Source: Crypto-DPAPI
Event ID: 8197
~~~~~~~~~~~~~~~~~~~~~~~~~~
DPAPI Master Key File open Failed
File Name: Preferred
Access: 0x8000000

Source: Crypto-DPAPI
Event ID: 8194
~~~~~~~~~~~~~~~~~~~~~~~~
DPAPI Master Key File open Failed
File Name: BK-(MyNetBiosName)
Access: 0x8000000

Source: Crypto-DPAPI
Event ID: 8194
~~~~~~~~~~~~~~~~~~~~~~~~~~

As far as I can tell, the DPAPI (Data Protection API) is used to encrypt certain communications between servers. In this case the Password.

I did read about the following in multiple locations from Microsoft, including MS14-066:

https://support.microsoft.com/en-us/...sn-t-available

If I enable the mentioned registry key to back up the keys locally, it will work. However, this is not recommended.


Any Ideas?

Oh yeah, all DSFW scripts for checking the setup are working fine.

I do have a support request open, however I have not heard back in a while.

Service Request: 101141126281
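For anyone reproducing the troubleshooting above on a 2012 R2 management box, here is an added diagnostic script (not part of the original post or of DSFW): it pulls the Crypto-DPAPI events 8194/8197, lists the user's master key store to see whether the Preferred and BK-<domain> files exist, and reports whether the local-only master key workaround from the linked KB is switched on. It assumes the DPAPI operational log is enabled as described, and that the ProtectionPolicy value lives under the provider GUID given in that KB.

```powershell
# Added diagnostic example (not from the original post). Assumptions: the
# Crypto-DPAPI operational log is enabled, and the provider GUID / ProtectionPolicy
# value below are the ones documented in the Microsoft KB the post links to.

# 1. Pull the two DPAPI event IDs quoted in the post from the last 24 hours.
$filter = @{
    LogName   = 'Microsoft-Windows-Crypto-DPAPI/Operational'
    Id        = 8194, 8197
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0..3] -join ' | ' } } |
    Format-Table -AutoSize

# 2. List the current user's DPAPI master key store and flag the two files the
#    events complain about: the 'Preferred' pointer and the BK-<NetBIOS domain>
#    backup-key file, which only appears after a successful backup to a writable DC.
$protect = Join-Path $env:APPDATA 'Microsoft\Protect'
$files = Get-ChildItem -Path $protect -Recurse -Force -File -ErrorAction SilentlyContinue
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

$hasPreferred = [bool]($files | Where-Object Name -eq 'Preferred')
$hasBK        = [bool]($files | Where-Object Name -like 'BK-*')
Write-Host ("Preferred present: {0}; domain backup key (BK-*) present: {1}" -f $hasPreferred, $hasBK)

# 3. Report whether the local-only master key workaround from the KB is active.
#    ProtectionPolicy=1 makes DPAPI create master keys without backing them up to
#    the domain, which is why the post calls it 'not recommended'; knowing it is
#    set matters so it can be reverted once the DC side is fixed.
$provKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$policy  = (Get-ItemProperty -Path $provKey -Name ProtectionPolicy -ErrorAction SilentlyContinue).ProtectionPolicy
if ($policy -eq 1) {
    Write-Warning 'ProtectionPolicy=1: master keys are created without domain backup (workaround active).'
} else {
    Write-Host 'ProtectionPolicy not set: DPAPI needs a reachable writable DC to back up new master keys.'
}

# 4. Confirm a writable DC is reachable, since the backup path in step 3 depends on it.
#    The post already used nltest for debug flags; this records which DC the client binds to.
if ($env:USERDNSDOMAIN) {
    nltest /dsgetdc:$env:USERDNSDOMAIN /writable 2>&1 | Select-String 'DC:|Flags:'
}
```

Run it as the same user that sees the ADUC failure; a missing BK-* file together with 8194 events pointing at it is the signature that the master key backup to the DSFW domain controller is what is failing.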