| Posted by: Lemonde - 12 June 2020 15:03:33 |
|---|
|
We haVe been seeing this in our RDS server at user logon:
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 29/05/2020 19:03:41
Event ID: 513
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: %computername%.domain.local
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.
Event Xml:
|
| Posted by: sirclesadmin - 18 November 2020 17:45:42 |
|---|
| From [b]szz743 [/b]user on Microsoft Answers: "Microsoft Link-Layer Discovery Protocol" binary is located in \Windows\system32\DRIVERS\mslldp.sys The registry key is here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp During a VSS backup process running as NETWORK_SERVICE, the account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the drivers records in Service Control Manager database and tries to open each of them, one at a time. The function fails on MSLLDP record with an [i]Access is Denied[/i] error. It fails because the MSLLDP driver security permissions don't allow the NETWORK_SERVICE access to the driver record. The binary security descriptor for the record is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security Use SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it: The original security descriptor looked like this: >accesschk.exe -c mslldp mslldp RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW S-1-5-32-549 <- these are server operators R NT SERVICE\NlaSvc No service account is allowed to access MSLLDP driver The security descriptor for the drivers that were processed successfully looked this way: >accesschk.exe -c mup mup RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators R NT AUTHORITY\INTERACTIVE R NT AUTHORITY\SERVICE <- this gives access to services How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service: 1. Run: SC sdshow MSLLDP You'll get something like below (SDDL language is documented on MSDN): D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 2. Run: SC sdshow MUP You'll get: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 3. Take NT AUTHORITY\ SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group. 4. Apply the new security descriptor to MSLLDP service : sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 5. Check the result: >accesschk.exe -c mslldp mslldp RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW S-1-5-32-549 R NT SERVICE\NlaSvc R NT AUTHORITY\SERVICE |