On a computer that is running Windows Server 2008 or Windows Vista, the certificates and the cryptographic keys are unusable after the user password is changed on another network computer
On a computer that is running Windows Vista or Windows Server 2008, the certificates and the cryptographic keys may be unusable after the user password is changed on another network computer. This problem mainly affects portable computer users in the following general situation:
- The user locks and unlocks her home computer to update the password while she is connected to the corporate network through a virtual private network (VPN) connection.
- Then, the user disconnects from the corporate network.
In this scenario, all the certificates and private cryptographic keys on the computer are unusable until the user logs back on to the corporate network.
For example, consider the following specific scenario:
- You have two computers. One is at the office, and the other is at home.
- You change the domain password on the office computer.
- You log on to the home computer by using cached domain credentials. These cached credentials include the old password.
- You connect to the corporate network from the home computer through a VPN connection. In this scenario, you must lock and then unlock the computer to update the password.
- You restart the home computer and use the new password to log on to the computer (not the corporate network) again.
In this scenario, all the certificates and private cryptographic keys are unusable until you connect to the corporate network again. Additionally, if you run an application that calls the CryptAcquireContext function, you may receive an error message that resembles the following:
0x8009000b: Key not valid for use in specified state
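The following diagnostic is an added example, not part of the original article. It checks whether the private keys behind the current user's certificates can still be opened and flags the error code quoted above. It assumes PowerShell 3.0 or later and .NET Framework 4.6 or later, and it assumes that opening an affected key through .NET surfaces the same 0x8009000b code that CryptAcquireContext returns.

```powershell
# Added diagnostic sketch (not from the KB article).
# Assumptions: PowerShell 3.0+, .NET Framework 4.6+ (RSACertificateExtensions),
# and that an affected key reports 0x8009000B when .NET tries to open it.

# 0x8009000B (NTE_BAD_KEY_STATE) expressed as a signed 32-bit HRESULT.
$NTE_BAD_KEY_STATE = -2146893813

$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Certificates without an associated private key are not affected.
    if (-not $cert.HasPrivateKey) { continue }

    $status = 'OK'
    try {
        # Opening the key forces the user's protected key material to be read.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $key) {
            $status = 'Not an RSA key (not checked)'
        }
        else {
            $key.Dispose()
        }
    }
    catch {
        # PowerShell wraps .NET exceptions; inspect the innermost one.
        $inner = $_.Exception.GetBaseException()
        if ($inner.HResult -eq $NTE_BAD_KEY_STATE) {
            $status = 'Key not valid for use in specified state (0x8009000B)'
        }
        else {
            $status = 'Error 0x{0:X8}: {1}' -f $inner.HResult, $inner.Message
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyStatus  = $status
    }
}

$results | Format-Table -AutoSize
```

Run it as the affected user while disconnected from the corporate network; if every key reports 0x8009000B after a recent remote password change, the result matches the symptom described in this article.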
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB961731.