Cryptographic errors
Published 31 July 2019
When using the SQL Change Automation PowerShell cmdlets, you may encounter a DisallowedCryptographicOperation error or other cryptographic exceptions. This page explains how to troubleshoot such issues.
DisallowedCryptographicOperation
This error looks like the following:
'A cryptographic operation was refused by the operating system. This is related to windows error -2146892987, which says 'the computer must be trusted for delegation and the current user account must be configured to allow delegation.'
This is an error produced by the operating system when SQL Change Automation PowerShell attempts to use the Windows Data Protection API (DPAPI).
You can read more about this error on the Windows Support website.
According to the article, the issue is related to the Domain Controller context the PowerShell cmdlets are running in. The DPAPI only works consistently in a Read Write Domain Controller context. If your cmdlets are running in the context of a Read Only Domain Controller, that can cause the problem.
Because this is essentially an environmental issue and not directly related to SQL Change Automation PowerShell, we encourage you to study the article to resolve the issue yourself. More resources are listed at the bottom of this page.
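To confirm that the failure comes from the environment rather than from the cmdlets, the following added diagnostic (not part of SQL Change Automation or Redgate's own code) performs a DPAPI round trip and reports whether the logon server looks like a Read Only Domain Controller. It assumes Windows PowerShell 5.1, the CurrentUser DPAPI scope (the page does not say which scope the cmdlets use), that LOGONSERVER names the domain controller that authenticated the session, and that RODC computer accounts carry primaryGroupID 521; the function names are hypothetical.

```powershell
# Added diagnostic example; not part of SQL Change Automation.
Add-Type -AssemblyName System.Security   # home of ProtectedData in Windows PowerShell 5.1

function Test-DpapiRoundTrip {
    # Protect and unprotect a constructed test value with the current user's DPAPI key.
    $text  = 'dpapi-self-test'   # constructed sample value
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser   # assumed scope
    try {
        $plain = [System.Text.Encoding]::UTF8.GetBytes($text)
        $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        $back  = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        $same  = [System.Text.Encoding]::UTF8.GetString($back) -eq $text
        [pscustomobject]@{ Succeeded = $same; HResult = 0; Message = 'Round trip completed' }
    }
    catch {
        # PowerShell wraps the CryptographicException; unwrap to read the Windows error code.
        $ex = $_.Exception.GetBaseException()
        [pscustomobject]@{ Succeeded = $false; HResult = $ex.HResult; Message = $ex.Message }
    }
}

function Test-LogonServerIsReadOnly {
    # Returns $true/$false, or $null when the answer cannot be determined.
    if (-not $env:LOGONSERVER) { return $null }
    $name = $env:LOGONSERVER.TrimStart('\')
    try {
        # Assumption: RODC computer accounts carry primaryGroupID 521.
        $filter = "(&(objectCategory=computer)(name=$name)(primaryGroupID=521))"
        return [bool](([adsisearcher]$filter).FindOne())
    }
    catch { return $null }   # not domain-joined, or directory unreachable
}

$dpapi = Test-DpapiRoundTrip
[pscustomobject]@{
    Account             = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    LogonServer         = $env:LOGONSERVER
    LogonServerReadOnly = Test-LogonServerIsReadOnly
    DpapiSucceeded      = $dpapi.Succeeded
    HResult             = $dpapi.HResult
    IsDelegationError   = ($dpapi.HResult -eq -2146892987)   # code quoted in the error above
    Message             = $dpapi.Message
}
```

Run it under the same account and on the same machine as the failing cmdlets (for example, as a step in the same build or release agent), since DPAPI results depend on the user and logon context.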
Other cryptographic errors
If you encounter cryptographic errors other than DisallowedCryptographicOperation, it's likely that the issue is related to the environment the PowerShell cmdlets are running in. Please study the error message carefully and attempt to diagnose the issue yourself.
If you're unable to find a solution to these environmental issues, contact Redgate support.
Resources
- Windows Support
- Windows Data Protection API (DPAPI)
- -2146892987 Error details