Peer-to-Peer Framework APIs return a "PEER_E_NO_KEY_ACCESS" error message


This article has been archived. It is offered "as is" and will no longer be updated.
Symptoms
When you use the Advanced Networking Pack for Windows XP and the optional Windows XP Peer-to-Peer Networking Component, you may receive the following error message from a peer-to-peer grouping or from the identity management API:
PEER_E_NO_KEY_ACCESS
Additionally, the peer-to-peer framework may not work as expected.
Cause
This behavior may occur if a user or program modifies the permissions on the folder that contains the Rivest, Shamir, and Adleman (RSA) keys so that operations for the current security context are not permitted on that folder.

A peer framework API (for example, PeerIdentityCreate or PeerGroupCreate) may return the "PEER_E_NO_KEY_ACCESS" error when the security context in which the API is invoked does not have access to the folder where the RSA keys for the specified account are stored.
Resolution
To resolve this behavior, do one or both of the following, as appropriate to your situation:

Warning Make sure that you have a good understanding of access control in Windows before you perform the procedures in this article. Incorrectly modifying the access control list (ACL) of the folders that contain the RSA keys may result in security issues and may also result in unpredictable behavior in programs that are running on the computer.

Assign the User Account Full Control Permissions to the Folder

For processes that run in a security context that is associated with a Windows user account, the RSA keys are stored in the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user:
Drive:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA\UserSID
To resolve this behavior, assign the user account Full Control permissions to the folder. To do so:
  1. Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed and UserSID is the security ID (SID) of the user:
    Drive:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA\UserSID
  2. Right-click the folder, and then click Properties.
  3. Click the Security tab.
  4. Do one of the following, as appropriate to your situation:
    • If the user appears in the Group or user names list, click the user. In the Permissions for User list, click to select the Full Control check box, and then click OK.
    • If the user does not appear in the Group or user names list, click Add. In the Select Users or Group dialog box, type the name of the user who you want to add, and then click OK. In the Permissions for User list, click to select the Full Control check box, and then click OK.
Note You can also use the Cacls.exe command-line utility to modify the ACL on the folder. For more information about how to use Cacls, see Windows XP Help and Support. To do so, click Start, and then click Help and Support. In the Search box, type cacls, and then press ENTER.
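
A command-line version of the procedure above that uses Cacls.exe, as an added example that is not part of the original article. The script name and argument order are assumptions; the operator supplies the RSA key folder path and the account name.

```batch
@echo off
rem Added example: grant one account Full Control on its RSA key folder.
rem Usage (hypothetical script name):
rem   grant-rsa-acl.cmd "Drive:\...\Microsoft\Crypto\RSA\UserSID" DOMAIN\UserName
setlocal

set "KEYDIR=%~1"
set "ACCOUNT=%~2"

if not defined KEYDIR goto usage
if not defined ACCOUNT goto usage

rem Stop unless the target is an existing folder.
if not exist "%KEYDIR%\" (
    echo Folder not found: "%KEYDIR%"
    exit /b 2
)

echo --- ACL before the change ---
cacls "%KEYDIR%"

rem /E edits the existing ACL instead of replacing it, so the entries
rem for other accounts stay in place. /G grants a right; F is Full Control.
cacls "%KEYDIR%" /E /G "%ACCOUNT%":F

rem Show the result so the operator can confirm that the account is
rem listed with F and that no other entry was added or lost.
echo --- ACL after the change ---
cacls "%KEYDIR%"
exit /b 0

:usage
echo Usage: %~nx0 "RSA key folder" Account
exit /b 1
```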

Assign the Everyone Group Appropriate Permissions to the Folder

For processes that run as a Windows service in the LocalService, NetworkService, or LocalSystem contexts, the RSA keys are created in the following folder, where Drive is the drive where Windows is installed:
Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys

Note In some cases, the Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys folder is missing. In this situation, use the following method:
  1. Manually create a new folder that is called MachineKeys.
  2. Apply the permissions as outlined in this section.
To resolve this behavior, assign the Everyone group the following permissions to the folder:
  • Read
  • Write
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Files/Write Data
  • Create Folders/Append Data
  • Write Attributes
  • Write Extended Attributes
  • Read Permissions
  • Synchronize
To do so:
  1. Start Windows Explorer, and then locate the following folder, where Drive is the drive where Windows is installed:
    Drive:\Documents and Settings\AllUsers\Application Data\Microsoft\Crypto\RSA\MachineKeys
  2. Right-click the folder, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click Everyone, and then in the Permissions for Everyone list, click to select the check boxes under Allow for each of the permissions in the list earlier in this article.

    Note To assign special permissions, click Advanced under Permissions for Everyone, click Edit, and then click to select the check boxes under Allow for each special permission that you want to assign.
  5. Click OK.
Additionally, when incorrect permissions are set on the MachineKeys folder, the registration of an address by using Peer-to-Peer Name Resolution Protocol (PNRP) may not work correctly. In this situation, you may receive a generic "WSA failure" error message. To troubleshoot this behavior, make sure that the Everyone group has appropriate permissions to the MachineKeys folder.
More information
For additional information about the Advanced Networking Pack for Windows XP and the Windows XP Peer-to-Peer Networking Component, click the following article number to view the article in the Microsoft Knowledge Base:
817778 Overview of the Advanced Networking Pack for Windows XP
Properties

Article ID: 817754 - Last Review: 01/12/2015 21:39:37 - Revision: 4.0

  • Microsoft Windows XP Tablet PC Edition