Published 06 December 2018
When using the SQL Change Automation PowerShell cmdlets, you may encounter a DisallowedCryptographicOperation error or other cryptographic exceptions. This page explains how to troubleshoot such issues.
This error looks like the following:
"A cryptographic operation was refused by the operating system. This is related to windows error -2146892987, which says 'the computer must be trusted for delegation and the current user account must be configured to allow delegation.'"
This is an error produced by the operating system when SQL Change Automation PowerShell attempts to use the Windows Data Protection API, known as the DPAPI.
You can read more about this error on the Windows Support website.
According to the article, the issue is related to the Domain Controller context the PowerShell cmdlets are running in. The DPAPI only works consistently in a Read Write Domain Controller context. If your cmdlets are running in the context of a Read Only Domain Controller, then that may be the cause of the problem.
Because this is essentially an environmental issue and not directly related to SQL Change Automation PowerShell, we encourage you to study the article to resolve the issue yourself. More resources are listed at the bottom of this page.
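The check below is an added example, not Redgate code: it exercises DPAPI directly under the account that runs the cmdlets and reports whether the domain controller found by the DC locator is writable. It assumes Windows PowerShell 5.1 on a domain-joined machine, that nltest.exe is available, and that the exception's HResult carries the Windows error number quoted above; the function names are hypothetical.

```powershell
# Added diagnostic example; not part of SQL Change Automation.
Add-Type -AssemblyName System.Security

# Windows error number quoted in the message on this page.
$DelegationRequired = -2146892987

function Test-Dpapi {
    param(
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $sample = [Text.Encoding]::UTF8.GetBytes('dpapi-self-test')   # constructed input
    try {
        # Round-trip a value through DPAPI, the API the cmdlets rely on.
        $blob  = [Security.Cryptography.ProtectedData]::Protect($sample, $null, $Scope)
        $clear = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        $ok    = [Text.Encoding]::UTF8.GetString($clear) -eq 'dpapi-self-test'
        [pscustomobject]@{ Scope = $Scope; Succeeded = $ok; HResult = $null; Message = $null }
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the one DPAPI raised.
        $ex = $_.Exception.GetBaseException()
        [pscustomobject]@{ Scope = $Scope; Succeeded = $false; HResult = $ex.HResult; Message = $ex.Message }
    }
}

function Get-LocatedDomainController {
    # Asks the DC locator which domain controller this machine is using.
    if (-not $env:USERDNSDOMAIN) { return $null }      # not logged on to a domain
    $out = & nltest.exe "/dsgetdc:$env:USERDNSDOMAIN" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $null }
    $flags = if ($out -match 'Flags:\s*(.+)') { $Matches[1].Trim() -split '\s+' } else { @() }
    [pscustomobject]@{
        Name     = if ($out -match 'DC:\s*\\\\(\S+)') { $Matches[1] } else { $null }
        Writable = $flags -contains 'WRITABLE'         # flag is absent for a read-only DC
    }
}

$result = Test-Dpapi
$dc     = Get-LocatedDomainController
$result
$dc
if (-not $result.Succeeded -and $result.HResult -eq $DelegationRequired -and $dc -and -not $dc.Writable) {
    'DPAPI was refused and the located domain controller is read-only.'
}
```

Run it in the same session type and under the same account as the failing cmdlets (for example the build agent's service account), since DPAPI results depend on the user context.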
Other cryptographic errors
If you encounter cryptographic errors other than DisallowedCryptographicOperation, it's likely that the issue is related to the environment the PowerShell cmdlets are running in. Please study the error message carefully and attempt to diagnose the issue yourself.
If you're unable to find a solution to these environmental issues, contact Redgate support.