×ñÞóôçò äåí åßíáé äõíáôü íá áðïêôÞóåé ðñüóâáóç óôç ëåéôïõñãéêüôçôá ôïõ ðéóôïðïéçôéêïý ìåôÜ ôçí áëëáãÞ ôïõ êùäéêïý ðñüóâáóçò Þ üôáí ÷ñçóéìïðïéåßôå ðñïößë ðåñéáãùãÞò

¼ôáí Ýíáò ÷ñÞóôçò ðñïóðáèåß íá ÷ñçóéìïðïéÞóåé ôï ðéóôïðïéçôéêü ëåéôïõñãéêüôçôá, áöïý ìðïñïýí íá áëëÜîïõí ôïí êùäéêü ðñüóâáóçò Þ üôáí ÷ñçóéìïðïéïýí Ýíá ðñïößë ðåñéáãùãÞò, áõôÜ åíäÝ÷åôáé íá ÷Üóåôå ôçí ðñüóâáóç óå áõôÞí ôç ëåéôïõñãßá ðéóôïðïéçôéêü. Ëåéôïõñãéêüôçôá ôïõ ðéóôïðïéçôéêïý ðïõ åíäÝ÷åôáé íá ìçí ëåéôïõñãïýí üðùò ðñéí ðåñéëáìâÜíåé ôá áêüëïõèá:

• Ðñüóâáóç óå áñ÷åßá ðïõ Ý÷ïõí êñõðôïãñáöçèåß ìå ôï óýóôçìá êñõðôïãñÜöçóçò áñ÷åßùí óõóôÞìáôïò (EFS)
• Ðñüóâáóç óå ìéá áóöáëÞ éóôïóåëßäá ðïõ áðáéôåß Ýëåã÷ï ôáõôüôçôáò ðéóôïðïéçôéêïý
• Ç õðïãñáöÞ çëåêôñïíéêïý ôá÷õäñïìåßïõ ìå ôçí áóöÜëéóç/Multipurpose Internet Mail Extensions (S/MIME)

ÊáôÜ ôçí ðñïóðÜèåéÜ ôïõò íá áðïêôÞóåé ðñüóâáóç óå ìéá áóöáëÞ ôïðïèåóßá Web, êáôáãñÜöåôáé ôï áêüëïõèï ìÞíõìá ëÜèïõò:

This problem occurs only if the client user account is in a Microsoft Windows NT 4.0 domain and if they are logged on to a Microsoft Windows XP Professional workstation. The Windows XP version of the Data Protection API (DPAPI) function helps to protect EFS private keys and other data that you want to keep secure. The recovery functionality of DPAPI is not supported for users who are members of domains that are running Microsoft Windows NT 4.0 and earlier.

To maintain client access to certificate functionality after users change their passwords or when they use roaming profiles, upgrade the domain to Active Directory directory service. Active Directory domains provide a mechanism that helps to protect the DPAPI master key with a public/private key pair. (The DPAPI master key is used to help protect EFS private keys and other certificate-based functions.)

In a Windows NT 4.0 domain, the ability to restore access to the certificate keys and data is located on the workstation. This is not the case in a Microsoft Windows 2000 domain. Because the recovery mechanism is not located on the workstation, Windows 2000 domains provide a significant additional level of protection for certificates if the workstation is physically compromised.

Although you only have to upgrade a single domain controller to take advantage of the DPAPI domain recovery mechanism, consider upgrading at least two domain controllers for fault-tolerance purposes.

It is highly recommended that you plan your Active Directory before you implement it. For more information about Active Directory design, visit the following Microsoft Web site:

To work around this problem, install Windows XP Service Pack 1 (SP1) or later on the client workstation, and then create the following registry entry to emulate Windows 2000 behavior.

ÓçìáíôéêüÁõôÞ åíüôçôá, ìÝèïäï Þ åñãáóßá ðåñéÝ÷åé âÞìáôá ðïõ èá óáò ðëçñïöïñÞóåé ðþò íá ôñïðïðïéÞóåôå ôï ìçôñþï. Ùóôüóï, åíäÝ÷åôáé íá ðñïêýøïõí óïâáñÜ ðñïâëÞìáôá åÜí äåí ôñïðïðïéÞóåôå óùóôÜ ôï ìçôñþï. ÊáôÜ óõíÝðåéá, âåâáéùèåßôå üôé áêïëïõèåßôå ðñïóåêôéêÜ ôá åîÞò âÞìáôá. Ãéá åðéðëÝïí ðñïóôáóßá, äçìéïõñãÞóôå áíôßãñáöá áóöáëåßáò ôïõ ìçôñþïõ ðñïôïý ôï ôñïðïðïéÞóåôå. Ìå áõôüí ôïí ôñüðï, ìðïñåßôå íá åðáíáöÝñåôå ôï ìçôñþï åÜí ðñïêýøåé ðñüâëçìá. Ãéá ðåñéóóüôåñåò ðëçñïöïñßåò ó÷åôéêÜ ìå ôïí ôñüðï äçìéïõñãßáò áíôéãñÜöùí áóöáëåßáò êáé åðáíáöïñÜò ôïõ ìçôñþïõ, êÜíôå êëéê óôïí áñéèìü ôïõ Üñèñïõ ðáñáêÜôù ãéá íá ðñïâÜëåôå ôï Üñèñï ôçò ÃíùóéáêÞò âÜóçò ôçò Microsoft:ÁêïëïõèÞóôå ôá åîÞò âÞìáôá êáé êáôüðéí êëåßóôå ôïí ÅðåîåñãáóôÞ Ìçôñþïõ (Registry Editor):

1. ÊÜíôå êëéêStartÊÜíôå êëéêÅêôÝëåóç, typeRegedit, êáé óôç óõíÝ÷åéá êÜíôå êëéê óôï êïõìðßOk.
2. Åíôïðßóôå êáé êáôüðéí êÜíôå êëéê óôï áêüëïõèï êëåéäß ìçôñþïõ:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
3. Óôï äéáêïìéóôÞÅðåîåñãáóôåßôå ôç äéáäñïìÞìåíïý, óçìåßïÍÝá, êáé óôç óõíÝ÷åéá êÜíôå êëéê óôï êïõìðßÔéìÞ DWORD.
4. TYPEMasterKeyLegacyNt4Domain, and then press ENTER.
5. Óôï äéáêïìéóôÞÅðåîåñãáóôåßôå ôç äéáäñïìÞìåíïý, êÜíôå êëéê óôï êïõìðßÔñïðïðïßçóç (Modify).
6. TYPE1, êáé óôç óõíÝ÷åéá êÜíôå êëéê óôï êïõìðßOk.

After you create this entry, the client will determine if the user is a member of a Windows NT 4.0 domain. If they are a member, the Windows XP client will emulate the Windows 2000 behavior, and DPAPI will give users with changed passwords access to their keys.

ÓÇÌÅÉÙÓÇIf you work around this problem by editing the registry, you only change the behavior that is described in the Symptoms section from the time that you make the registry change. Any password changes that were made before the change to the registry are not be undone and you will still receive an "access denied" error message when you open the EFS file.

Important security implications

Using this registry entry substantially decreases the security of a physically compromised computer. An attacker with physical access to the computer could access some or all EFS-encrypted files and any Certificate private keys on it.

Recover access to the files after a password change

To regain access to the certificate functionality on an individual workstation after a password change, change the password back to the password that was used when the files were last encrypted.

ÓÇÌÅÉÙÓÇThese steps only change the password that you use to log on to your computer. They do not change your domain password.

1. Log on to the computer as the user with the current password.
2. ÊÜíôå êëéêStart, êáé óôç óõíÝ÷åéá êÜíôå êëéê óôï êïõìðßÏ ðßíáêáò åëÝã÷ïõ.
3. Äéðëü êëéêËïãáñéáóìïß ÷ñçóôþí (User Accounts).
4. Click to select your user name.
5. ÊÜíôå êëéêReset password.
6. Type your original password in theNew passwordtext box, and then type the password in theConfirm new passwordText box. ÊÜíôå êëéêOk.
7. ÎåêéíÞóôå ðÜëé ôïí õðïëïãéóôÞ óáò.

ÁõôÞ ç óõìðåñéöïñÜ ïöåßëåôáé óôç ó÷åäßáóç.

The behavior that is described in the "Symptoms" section of this article applies only to users who are members of a Windows NT 4.0 domain and who log on to computers that run Windows XP. The behavior of Windows XP Professional clients that are members of a workgroup or of a Windows 2000 Active Directory domain differs significantly from the description in this article.

For more information about DPAPI in Windows XP, visit the following Microsoft Web site:For more information about troubleshooting DPAPI issues, including loss of access to a private key or EFS files, click the following article number to view the article in the Microsoft Knowledge Base: