I don’t know if this is the right channel since this is a very technical topic; if this is not the correct place, I would appreciate information about where to ask this question.
My company has developed a CSP (Microsoft Cryptographic Service Provider) and a CNG KSP (Key Storage Provider) that perform signatures using keys stored by one of our products. Both the CSP and the KSP work correctly, but when I try to sign in Acrobat using a certificate associated with the CSP, it works fine; however, when I use a certificate associated with the KSP, nothing happens and no error is shown when pressing the Sign button.
If I disable the “modern user interface” checkbox, it gives us a clue about the problem because it displays the following error:
The Windows Cryptographic Service Provider reported an error:
Access is denied.
Error Code: 2147942405
I followed these instructions but the error still appears:
https://helpx.adobe.com/es/acrobat/kb/windows-cryptographic-service-provider-error-214794205.html
In my KSP logs I can see that it only executes the GetKeyStorageInterface and OpenProvider methods, but it does not call any other method.
Only if I disable the “Enable Protected Mode at startup” checkbox does the KSP work correctly, but we cannot force our users to do this. I tried enabling the “Create Protected Mode log file” option, but it does not show any error related to the KSP.
Any idea how to find out the cause of the error or a possible solution?
Thank you very much.
@Angelic_personalityB838 Your company's new key system (KSP) works perfectly outside of Adobe Acrobat. The problem is that Acrobat has a built-in security guard, called Protected Mode, which is too strict. This guard doesn't recognize your new system and thinks it's a stranger, so it blocks it from doing the final, necessary steps to create a signature. When you turn the guard off, everything works, but that makes the computer less safe.
The simple fix is to tell Acrobat's security guard, "This system is safe!" You need to find the specific files that run your company's key system and add their location to Acrobat's "Trusted List" (called Privileged Locations). This acts like a special pass that lets your KSP bypass the strict security barrier, allowing it to complete the signature without turning off Protected Mode for everyone.
Thank you very much for the response.
I’ve tried adding all the files and paths that make up the KSP or are related to it to the "Privileged Locations" list. I even tried adding the C:\ path, but it still shows the error.
Isn’t there any way to find out why it doesn’t trust the component?
Hope you are doing well. Sorry for the trouble with using KSPs with Acrobat.
One reason that comes to mind is the algorithm the key might be using.
Typically, tokens use the legacy SHA-1, which is now obsolete and can cause conflicts with Acrobat's checker.
If that is the case, you may want to check with the issuer to have this changed to SHA-256 or higher.
Next, if you are using a physical key, please check if the drivers have been updated by the issuer to the latest version for the best results.
Please let us know if you have addressed both of the above scenarios and are still experiencing the issue.
Additionally, please share a screen recording of the entire event to facilitate a better understanding and further assistance.
Look forward to hearing from you.
Regards,
Souvik.