SecureLogin was unable to determine Cryptographic Service Provider

  • 7017930
  • 08-Aug-2016
  • 22-Sep-2016

Environment

NetIQ SecureLogin

NSL 8.1

Windows 7 workstations

Win 10 workstations (recently updated from Win7)

Win 10 with anniversary update applied

SecureLogin installed in AD mode

Situation

Error received upon launch of SecureLogin: 
"SecureLogin was unable to determine Crytographic Service Provider from Security Preferences"

SecureLogin won't load



Resolution

Solution 1: 

 

Restore slADCredMan (the SecureLogin credential provider for Active Directory) to the list of network credential providers. Specifically, add slADCredMan (preferably at the beginning) to the ProviderOrder list in the registry of the failing workstations at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

Then reboot.

 

Solution 2:

Create and run a .reg file that registers slADCredMan as a network provider.

To create the .reg file, copy the text below into Notepad, save it, and then rename the file with a .reg extension.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\slADCredMan]
"DisplayName"="SecureLogin SSO"
"Group"="NetworkProvider"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\slADCredMan\NetworkProvider]
"Class"=dword:00000002
"Name"="SecureLogin SSO Credential Manager"
"ProviderPath"="C:\\Program Files\\NetIQ\\SecureLogin\\slcredman64.dll"

 

 

Import the .reg file and reboot.
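
The following PowerShell script is an added example, not part of the original article or NetIQ's tooling. It checks the two registry states that Solutions 1 and 2 restore (slADCredMan present in ProviderOrder, and registered with a ProviderPath DLL that exists on disk). The -Fix switch and the output property names are this script's own; the registry paths are the ones given above.

```powershell
# Added example: audits (and optionally repairs) the registry states that
# Solutions 1 and 2 restore. Run from an elevated PowerShell prompt.
param([switch]$Fix)   # -Fix is this script's own switch: prepend the provider if missing

$provider   = 'slADCredMan'
$orderKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$provider\NetworkProvider"

# Solution 1 state: provider name present in the comma-separated ProviderOrder value
$order   = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$entries = @($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$inOrder = $entries -contains $provider     # -contains is case-insensitive

# Solution 2 state: provider registered, and its ProviderPath DLL exists on disk
$reg     = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
$dllPath = if ($reg -and $reg.ProviderPath) {
    [Environment]::ExpandEnvironmentVariables($reg.ProviderPath)
}
$dllOk   = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ProviderOrder = $order
    InOrderList   = $inOrder
    Registered    = [bool]$reg
    ProviderPath  = $dllPath
    DllPresent    = $dllOk
}

if ($Fix -and -not $inOrder) {
    # Prepend rather than overwrite, so other installed providers are preserved
    $newOrder = (@($provider) + $entries) -join ','
    Set-ItemProperty -Path $orderKey -Name ProviderOrder -Value $newOrder
    Write-Output "ProviderOrder set to '$newOrder'; reboot to apply."
}
```

Run without -Fix, the script only reports. A ProviderPath that differs from the SecureLogin install directory is worth investigating before the provider is re-enabled, because network providers are loaded during logon.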

 

 

Solution 3:

Repair the installation of SecureLogin through Control Panel.

 

 

 


Cause

In this case the Windows 10 anniversary update removed slADCredMan from the network provider list and unregistered it as a network provider. Both solutions 1 and 2 were required.


Additional Information

Potential causes of this error message:

1. A software installation that changed the network provider list and/or unregistered the SecureLogin network provider. This happens with the anniversary update of Windows 10.

2. Some installers just overwrite what is in NetworkProvider\Order with the "default set" plus their own addition, thus deleting the NSL provider.

3. If logging in with a smart card, this error may indicate that the PKI (smart card) configuration has failed when being prepared for use as the Non repudiation secondary key source.

4. Datastore authentication has fallen back to using the Non repudiation secondary key source, in this case incorrectly using the PKI method instead of the passphrase, because slADCredMan did not correctly identify whether a card is used.