Error: "0xFFFFFA27 internal error" when logging in

  • 7024100
  • 03-Sep-2019
  • 05-Feb-2020

Environment

Client for Open Enterprise Server 2 SP4

Situation

After installing Client for OES 2 SP4 (various IRs), an error will be seen when attempting to login. The error is  0xFFFFA27 internal error

Problem occurs only on certain hardware platforms. It has been reportedly seen on:

Dell Latitude 3190 laptop 
Lenovo N24 laptop
ADSTEC VMT 9000 Series
Acer Spin B

Rolling back to NICI 2.x allows the login to succeed.
Disabling NMAS allows the login to succeed.

Resolution

While the ultimate fix will be a change to OpenSSL, the workaround is to set this environment variable:

set OPENSSL_ia32cap=:~0x20000000

NOTE: The leading colon character is an intentional and required part of this environment variable value. This colon character, as well as the tilde character that follows it, must be included when setting the environment variable's value.

Without the variable set the login attempt fails with 0xFFFFFA27; and with the variable set the login attempt will succeed.

In order to make this variable be in effect all of the time, including for the pre-logon Client for Open Enterprise Server credential provider login, the environment variable needs to be set in the Windows "System" control panel. This can be accomplished in one of three ways:

1. Using the Windows system dialog.
2. Using the command line.
3. Using the registry editor.


1. Using the Windows system dialog

Click on the "Start" icon
Click on the "Settings" icon
In Settings, open the System section
In the System section, select the About page
in the About page, select the System info link
In the System Info page, select the Advanced System Settings link
In the Advanced tab, select the Environment Variables link
In the Environment Variables page, from the System Variables section, select the "New" button
Define the new variable and its value
Variable name: OPENSSL_ia32cap
Value: :~0x20000000


2. Using the command line

Open an administrative ("Run as administrator") command prompt
Enter this command: 

setx OPENSSL_ia32cap :~0x20000000 /M


3. Edit the registry

a) From the command line

Open an administrative ("Run as administrator") command prompt
Enter this command:

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v OPENSSL_ia32cap /d :~0x20000000

OR

b) Use a .reg file

Create a .reg file with the following contents, and then run the .reg file from an administrative command prompt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"OPENSSL_ia32cap"=":~0x20000000"

Cause

The cause of the problem is an issue with OpenSSL causing in an incorrect SHA256 hash, resulting in NICI initialization failure.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.