This article has been archived. It is offered "as is" and will no longer be updated.
After you upgrade a computer from Windows XP to Windows Vista, you cannot send or receive encrypted Microsoft Message Queuing, also known as MSMQ, 4.0 messages. The attempts to send or to receive encrypted Message Queuing messages fail. Additionally, you receive the following error message:
0x80090016 "The key container could not be opened".
This problem occurs because the Message Queuing service is unable to access the machine key files that are required by the CryptAcquireContext function. The Message Queuing service in Windows XP runs under the context of the Local System account. The Message Queuing service in Windows Vista runs under the context of the Network Service account. However, the Network Service account does not have the necessary rights to access the machine key files that are required by the CryptAcquireContext function.
To resolve this problem, follow these steps:
Grant the Network Service account the Full Control permission to the required machine key files. To do this, follow these steps:
Log on to the computer that is running Windows Vista by using an account that is a member of the local Administrators group.
In Windows Explorer, click Folder and Search Options on the Organize menu.
In Folder Options, click the View tab, click the Show hidden files and folders option, and then click OK.
Locate the drive:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.
Locate the files that begin with the following:
Grant the Network Service account the Full Control permissions to these files. To do this, follow these steps:
Right-click the file, and then click Properties.
Click the Security tab. If you are prompted for an administrator password or for a confirmation, type the password or click Continue.
Click Edit, click Add, type Network Service, click Check Names, and then click OK.
In the Group or user names list, click Network Service.
Click to select the Allow check box that is next to the Full Control permission, and then click OK.
Renew cryptographic keys for Message Queuing. To do this, follow these steps:
Click Start, click Run, type compmgmt.msc in the Open box, and then click OK. If you are prompted for an administrator password or for a confirmation, type the password or click Continue.
In the Computer Management console, expand Services and Applications, right-click Message Queuing, and then click Properties.
In the Message Queuing Properties dialog box, click the Service Security tab, and then under Cryptographic keys, click Renew.
A warning message will be displayed to indicate that received messages may be encrypted by using a cryptographic key that differs from the one that is used on the computer. You will be unable to read this kind of message. You will be asked whether you want to continue. If it is acceptable, click Yes. If it is unacceptable, click No, and then renew the cryptographic key at some other time.