Windows Server 2016 CAPI2 Event ID 513 - Microsoft Community


Hello,

We have a new Windows Server 2016 installation that shows Event ID 513 "Error" every time Windows Backup runs, as follows:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

I found the solution below in a thread from 2014 for Windows 8/8.1, and ask if the solution applies to the new Windows 2016 too? If not, any help is appreciated.

Here it goes:

The "Microsoft Link-Layer Discovery Protocol" binary is \Windows\System32\drivers\mslldp.sys
Its config registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mslldp
 
During backup, a VSS process running under the NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates the drivers and tries opening each one of them. The function fails on the MSLLDP driver with an "Access Denied" error.
 
It turned out that it fails because the MSLLDP driver's security permissions do not allow NETWORK_SERVICE to access the driver.
 
The binary security descriptor for the driver is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mslldp\Security
 
It should be modified; I used sc.exe and Sysinternals' accesschk.exe to fix it.
 
The original security descriptor looked like below:
 
> accesschk.exe -c mslldp
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549       <- these are Server Operators
  R  NT SERVICE\NlaSvc
 
No service account is allowed to access the MSLLDP driver.
 
The security descriptor of the drivers that were processed looked this way:
 
> accesschk.exe -c mup
mup
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE  <- gives access to services
 
How to add access rights for NT AUTHORITY\SERVICE to the MSLLDP service:
 
1. Run: sc sdshow mslldp
You'll get the below (the SDDL language is documented on MSDN):
 
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 
2. Run: sc sdshow mup
You'll get:
 
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 

********* IMPORTANT *********************************************************

Make sure the command parameters are in one line, without carriage returns and line feeds, as opposed to the way you see them in these instructions! (i.e. switch off word wrapping etc. when you copy and paste through an editor)

****************************************************************************

3. Take the NT AUTHORITY\SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU), and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.
 
4. Apply the new security descriptor to the MSLLDP service (make sure the command is in one line!!!):
 
sc sdset mslldp D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

5. Check the result:
 
> accesschk.exe -c mslldp
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc
  R  NT AUTHORITY\SERVICE
 
6. Run the backup app; the error is gone for Home Server backup.
!!! Do not forget to use your own security descriptor for the MSLLDP driver, since I guess there can be rare cases when it is different on your machine. Do not copy my SDDL descriptions, just in case. And back up the old descriptor, just in case !!!
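
Steps 1 to 4 of the post as an added PowerShell example (not part of the original post): it reads the machine's own descriptor, saves a backup, and inserts the NT AUTHORITY\SERVICE ACE right before the S: group only if it is missing. The function names and the backup file name are assumptions made for this illustration.

```powershell
# Added example, not code from the original post. Function names and the
# backup file name are assumptions made for this illustration.

function Add-ServiceReadAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Ace = '(A;;CCLCSWLOCRRC;;;SU)'    # NT AUTHORITY\SERVICE entry from step 3
    )
    $clean = $Sddl -replace '\s', ''               # undo word wrapping and stray CR/LF
    # "sc sdshow" prints the DACL first, so the string is expected to start with D:
    if ($clean -cnotmatch '^D:') { throw 'Descriptor does not start with a DACL (D:).' }
    # Idempotent: leave the descriptor alone if an allow ACE for SU already exists.
    if ($clean -cmatch '\(A;[^()]*;SU\)') { return $clean }
    # The SACL, if present, begins at the "S:" that directly follows a closing ")".
    $sacl = $clean.IndexOf(')S:', [StringComparison]::Ordinal)
    if ($sacl -lt 0) { return $clean + $Ace }      # no SACL: append to the DACL
    return $clean.Insert($sacl + 1, $Ace)          # right before the S:(AU... group
}

function Repair-ServiceSddl {
    param(
        [string]$Service = 'mslldp',
        [string]$BackupFile = "${Service}-sddl-backup.txt"
    )
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $current = (& sc.exe sdshow $Service | Where-Object { $_.Trim() }) -join ''
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $current" }
    Set-Content -Path $BackupFile -Value $current   # keep the old descriptor
    $new = Add-ServiceReadAce -Sddl $current
    if ($new -ceq $current) { Write-Output 'SU allow ACE already present.'; return }
    & sc.exe sdset $Service $new
}

# Offline check against the mslldp descriptor quoted in step 1 of the post.
$sample = 'D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$patched = Add-ServiceReadAce -Sddl $sample
Write-Output $patched                               # descriptor to compare with step 4
Write-Output ((Add-ServiceReadAce -Sddl $patched) -ceq $patched)   # second pass changes nothing
```

Running the file only prints the patched sample string; `Repair-ServiceSddl` changes the live service and has to be called from an elevated session.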

Hi,

Your question is beyond the scope of these forums.

Kindly post your question in the TechNet Server forums.

http://social.technet.microsoft.com/forums/windowsserver/en-us/home?category=windowsserver

TechNet forums:

https://social.technet.microsoft.com/forums/en-us/home

MSDN forums:

https://social.msdn.microsoft.com/forums/en-us/home

Cheers.
