Peer-to-Peer Framework APIs return a "PEER_E_NO_KEY_ACCESS" error message

When you use the Advanced Networking Pack for Windows XP and the optional Windows XP Peer-to-Peer Networking Component, you may receive the following error message from a peer-to-peer grouping or from the identity management API: Additionally, the peer-to-peer framework may not work as expected.

This behavior may occur if the permissions on the corresponding folder that contains the Rivest, Shamir, and Adelman (RSA) keys are modified by a user or program so that operations for the current security context are not permitted on that folder.

A peer framework API may return the "PEER_E_NO_KEY_ACCESS" error (for example, PeerIdentityCreate and PeerGroupCreate) when the security context where the API is invoked does not have access to the folder where the RSA keys for the specified account are stored.

To resolve this behavior, do one or both of the following, as appropriate to your situation:

Warning Make sure that you have a good understanding of access control in Windows before you perform the procedures in this article. Incorrectly modifying the access control list (ACL) of the folders that contain the RSA keys may result in security issues and may also result in unpredictable behavior in programs that are running on the computer.

Assign the User Account Full Control Permissions to the Folder

For processes that run in a security context that is associated with a Windows user account, the RSA keys are stored in the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user: To resolve this behavior, assign the user account Full Control permissions to the folder. To do so:

1. Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user:
   Drive:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA\UserSID
2. Right-click the folder, and then click Properties.
3. Click the Security tab.
4. Do one of the following, as appropriate to your situation:
   • If the user appears in the Group or user names list, click the user. In the Permissions for User list, click to select the Full Control check box, and then click OK.
   • If the user does not appear in the Group or user names list, click Add. In the Select Users or Group dialog box, type the name of the user who you want to add, and then click OK. In the Permissions for User list, click to select the Full Control check box, and then click OK.

Note You can also use the Cacls.exe command-line utility to modify the ACL on the folder. For more information about how to use Cacls, see Windows XP Help and Support. To do so, click Start, and then click Help and Support. In the Search box, type cacls, and then press ENTER.

Assign the Everyone Group Appropriate Permissions to the Folder

For processes that run as a Windows service in the LocalService, NetworkService, or LocalSystem contexts, the RSA keys are created in the following folder, where Drive is the drive where Windows is installed:
Note In some cases, the Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys folder is missing. In this situation, use the following method:

1. Manually create a new folder that is called MachineKeys.
2. Apply the permissions as outlined above.

To resolve this behavior, assign the Everyone group the following permissions to the folder: To do so:

1. Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed:
   Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
2. Right-click the folder, and then click Properties.
3. Click the Security tab.
4. In the Group or user names list, click Everyone, and then in the Permissions for Everyone list, click to select the check boxes under Allow for each of the permissions in the list earlier in this article.
   
   Note To assign special permissions, click Advanced under Permissions for Everyone, click Edit, and then click to select the check boxes under Allow for each special permission that you want to assign.
5. Click OK.

Additionally, when incorrect permissions are set on the MachineKeys folder, the registration of an address by using Peer-to-Peer Name Resolution Protocol (PNRP) may not work correctly. In this situation, you may receive a generic "WSA failure" error message. To troubleshoot this behavior, make sure that the Everyone group has appropriate permissions to the MachineKeys folder.

For additional information about the Advanced Networking Pack for Windows XP and the Windows XP Peer-to-Peer Networking Component, click the following article number to view the article in the Microsoft Knowledge Base: