GlobalProtect App not connecting to the gateway with error messsage "encrypt memory failed with error -2146892987" in PanGPS.log
1529
Created On 05/19/22 01:12 AM - Last Modified 10/28/25 16:42 PM
Symptom
- GP App stuck in "connecting to the gateway".
- PanGPS.log shows an error to write the configuration file.
(P5084-T7320)Error( 466): 05/12/22 15:10:49:467 encrypt memory failed with error -2146892987 (P5084-T7320)Dump ( 263): 05/12/22 15:10:49:469 User profile unloaded (P5084-T7320)Error( 336): 05/12/22 15:10:49:469 pan_write_text_to_file(): failed to encrypt conent. File C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_5fe350629ba8d19e5610cf71b85c9893.dat is not written. (P5084-T7320)Error( 364): 05/12/22 15:10:49:469 Failed to save portal config criteria to file C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_5fe350629ba8d19e5610cf71b85c9893.dat.
Environment
- GlobalProtect (GP) App on Windows
- Supported GP App versions
Cause
- The 'error -2146892987' from the GlobalProtect logs matches: 0x80090345 -2146892987 SEC_E_DELEGATION_REQUIRED The requested operation cannot be completed.
- The issue has been identified to be a Windows/System issue.
Resolution
- As a workaround, a registry key. HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb can be changed.
- Refer Microsoft Documentation - DPAPI Masterkey Backup Failures for changing the registry key.
Additional Information
-
Note: Communication with domain controllers is necessary to obtain the keys required for encrypting and decrypting the DPAPI files. In environments where GP enforcer is used, the machine might attempt to communicate with a domain controller that isn't included in the GP enforcement exceptions list.
Please ensure all DCS are added to the GP enforcement exception list to prevent this error.