So you have been to Richard’s blog at http://blogging.dragon.org.uk/samba4-ad-dc-on-ubuntu-14-04/ and you now have a running Linux ADDS, but your Windows Store no longer works and throws one of the 2 following errors:

  • Windows Store Error – Unable to download apps – “Try that again” Error Code 0x8004804e
  • HRESULT Exception 0x80070520

The first one you will see on Windows 8.1 more often than not. On Windows 10 you won’t be able to add your Microsoft account when clicking Start > Settings > Accounts. It will bomb out when you try to log it in. You will also find that on Windows 8, 8.1 and 10 you can’t sign in to OneDrive.

After much searching and digging in logs, plus going over the winstore log and not finding an answer, I stumbled across a post in the Microsoft forums where people were having problems on Windows ADDS (Windows Forum Post). This thread was a huge help as it directed me to the actual problem, which was the Credential Manager permissions for the users. The Windows Store uses the Credential Manager to store its credentials.

So what’s happening here is that your friendly Windows workstation is attempting to store your winstore credentials in AD, and your friendly Linux ADDS has no idea what to do about that.

The following site details a rather manual way to fix this problem (under the heading of NT4 style domain controllers): https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

However, the best way to ensure this works everywhere as you would expect (on your workstations) is to add it to a new group policy (I guess you could add it to the default domain policy if you want).

So let’s get this fixed

The registry setting you will be pushing out is

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

***If you’re familiar with this process you can finish reading now; for those of you needing further assistance, please read on.

1. Open Group Policy Management
2. Now create a new registry item by right clicking in the left hand panel
3. Create new policy
4. Click Computer Configuration > Preferences > Windows Settings > Registry

5. Fill in the details

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

6. Then save (Apply then OK)

Apply this policy to the OU where you’re keeping your Workstations.

You will now want to do a gpupdate /force on your workstation and you’re done.
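
The same steps can be scripted instead of clicked through. The following is an added example, not part of the original post: it creates the policy, adds the registry preference item, links it to the workstation OU, and provides a check to run on a workstation after gpupdate. It assumes the RSAT GroupPolicy PowerShell module on a domain-joined Windows machine; the GPO name and OU distinguished name are placeholders.

```powershell
# Added example: scripted equivalent of steps 1-6, plus a workstation check.
# Assumptions: RSAT GroupPolicy module installed, run with rights to create
# and link GPOs. $GpoName and $WorkstationOu are placeholders, not from the post.
# Note: ProtectionPolicy=1 makes DPAPI back up master keys locally instead of
# using a domain backup, so scope the link to the OUs that need it.
Import-Module GroupPolicy

$GpoName       = 'DPAPI ProtectionPolicy for Samba ADDS'   # hypothetical name
$WorkstationOu = 'OU=Workstations,DC=example,DC=com'       # placeholder DN
$Key           = 'HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$ValueName     = 'ProtectionPolicy'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Sets DPAPI ProtectionPolicy=1'
}

# Computer Configuration > Preferences > Windows Settings > Registry.
# Only add the item if it is not already in the GPO, to avoid duplicates.
try {
    $existing = Get-GPPrefRegistryValue -Name $GpoName -Context Computer `
                    -Key $Key -ValueName $ValueName -ErrorAction Stop
} catch {
    $existing = $null
}
if (-not $existing) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null
}

# Link the GPO to the workstation OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $WorkstationOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $WorkstationOu | Out-Null
}

# Run this on a workstation after "gpupdate /force".
# Returns $true only when the value exists and equals 1.
function Test-ProtectionPolicy {
    $path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    $item = Get-ItemProperty -Path $path -Name 'ProtectionPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ProtectionPolicy -eq 1)
}
```

If `Test-ProtectionPolicy` returns `$false` on a workstation, `gpresult /r` run from an elevated prompt shows whether the computer actually received the policy.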