Zune will not install certificate

Hi,

Trying to get Zune to recognize my LG Quantum after moving the domain-joined 64-bit Win7 PC to a different domain and migrating the user profile.

When I re-installed Zune and connected the phone, the drivers were installed and the phone shows up fine in Device Manager.

Followed all the steps in http://support.microsoft.com/kb/2468307. When I reconnect the phone, Zune creates the user SID folder under \RSA, but it does not create a certificate file. Uninstalling/reinstalling Zune didn't help.

I see some threads on connection issues here have 280+ replies and I admit I haven't read each one, but what I have read doesn't say what to do when Zune can't create a cert. Sure looks like a permissions issue to me, but what permissions are required? Starting Zune as admin didn't help. Same symptoms on a second Win7 laptop on the same domain.

Mark Berry
MCB Systems
Answer
I finally solved this.

With the help of ForensIT support (makers of the User Profile Wizard that I used to move my profile to the new domain), I discovered that my user did not have access to this registry key:

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

This was probably an aftereffect of copying the profile from the old domain. I took ownership of that key and added my user with the default Read access.

Next, I logged in to the desktop using a non-admin domain account that had never accessed the desktop. I was able to connect the phone to Zune with no problem. So the domain isn't the issue.

Finally, I logged back on with my primary account and set up Sysinternals' Procmon to watch the folder

C:\Users\MyUser\AppData\Roaming\Microsoft\Crypto\RSA

When I plugged in the phone and got the Connection Error message, I noticed that Zune was looking for files from a subdirectory I had created to store the old domain's files. The subdirectory had a name like this:

S-1-5-21-1234567899-1455154852-3583786612-1142.old - from old domain

So I went up one level, created an RSA.old folder, and moved all subfolders from RSA to RSA.old, leaving RSA as an empty folder. When I plugged in the phone, Zune immediately prompted me to unlock the phone and completed the connection. A new folder was created under RSA, and a new file appears in that folder. The Zune certificate also appears in CertMgr as a Personal certificate.

It seems Zune reads all subfolders of RSA checking for certificates, regardless of the user SID. Probably the presence of the old Zune cert in the old folder threw it off.

In summary, my solution:
  1. Click Start and in the search box enter %appdata% and then press Enter. On Windows XP, click Start, then Run, enter %appdata% and press Enter.
  2. In the Windows Explorer window that opens, navigate to Microsoft\Crypto.
  3. Create an RSA.old subfolder.
  4. Click and drag to move all folders under RSA to RSA.old.
  5. As soon as you're done, open your Zune software and connect your phone to your computer. This creates a new certificate and folder under RSA.
  6. Click and drag to move all folders from RSA.old back to RSA. When asked, "Do you want to merge this folder?", click Yes. When asked, "Are you sure you want to move this system file?", check Do this for all current items and click Yes. If you are asked about overwriting a file, click No.
  7. Delete the RSA.old folder.
  8. Test connecting your device again.

I'd like to see that in KB 2468307, which incorrectly refers to "Application Data" instead of "AppData\Roaming". The only thing I can't confirm is whether non-domain computers have a Roaming subfolder?


Regards,


Mark Berry

MCB Systems
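
As an added example (not part of the original post or of KB 2468307), a read-only PowerShell check for the two conditions the answer describes: whether the logged-on user can open the ProtectedRoots key, and which subfolders under RSA do not match that user's SID. It assumes it is run as the affected user and changes nothing on disk or in the registry.

```powershell
# Added diagnostic example; run as the affected user, not as a different admin account.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$rsaRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
$regPath = 'HKCU:\Software\Microsoft\SystemCertificates\Root\ProtectedRoots'

Write-Output "Current user SID: $sid"

# 1. Registry check: a migrated profile can leave this key unreadable for its own user.
try {
    $acl = Get-Acl -LiteralPath $regPath -ErrorAction Stop
    Write-Output "ProtectedRoots: readable (owner: $($acl.Owner))"
    # Show who has which rights, so a missing entry for the current user stands out.
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
}
catch {
    Write-Output "ProtectedRoots: cannot be read by this user ($($_.Exception.Message))"
}

# 2. Folder check: list every subfolder of RSA and flag names that are not the
#    current SID (for example a renamed folder left over from the old domain).
if (-not (Test-Path -LiteralPath $rsaRoot)) {
    Write-Output "RSA folder not found: $rsaRoot"
}
else {
    # -Force is required because key container files are hidden system files.
    Get-ChildItem -LiteralPath $rsaRoot -Force |
        Where-Object { $_.PSIsContainer } |
        Select-Object Name,
            @{ n = 'MatchesCurrentSid'; e = { $_.Name -eq $sid } },
            @{ n = 'KeyFiles'; e = {
                @(Get-ChildItem -LiteralPath $_.FullName -Force |
                    Where-Object { -not $_.PSIsContainer }).Count } },
            LastWriteTime |
        Format-Table -AutoSize
}
```

Any row with MatchesCurrentSid set to False is a candidate for the RSA.old move in steps 3 and 4 above.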



Question Info


Last updated February 26, 2018. Views: 324.