Applies To:
  • CitectSCADA 5.21 Service Pack C to 5.42 Service Pack A
  • CitectHMI 5.21 Service Pack C to 5.42 Service Pack A

Summary:
When logged in as a normal user without Administrator privileges, the CitectSCADA runtime takes around 20 minutes to start up.

Solution:

This is NOT an issue with the Sentinel driver. For OEM licensing, CitectSCADA uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI). CitectSCADA tries to open the cryptographic container in the Local Machine key set of the Windows Registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography

If the container does not exist, CitectSCADA creates one there. A normal user does NOT have access to the cryptographic container, so the call returns false and sets a BAD_KEYSET error flag. Once this fails, CitectSCADA then creates the key under Current User, which of course succeeds immediately.

There are several options for resolving this issue:

I.  If you have CitectSCADA versions 5.30r0 Service Pack A to v5.42r0, you can set the following CITECT.INI parameter: 

    [GENERAL]
    MSCryptSlowStartupFix=1

However, in CitectSCADA v5.50 or later this parameter is enabled by default.

II.  When logged in as an Administrator, change the user's privilege level to Administrator, and then log into CitectSCADA as that particular user and run CitectSCADA. Next, while logged in as that user, change the privilege level back to the desired level (e.g. Power User, User). You will then need to log out of CitectSCADA and back in for these changes to take effect. You should be able to run CitectSCADA as that particular user from that point forward.

III.  Assign Full Control permissions to every user that is required to access the cryptographic container, without having to add them to the Administrators group. You must be logged in with administrative privileges to do this. The procedure depends on the operating system being used; the following are instructions for Windows 2000 and Windows XP:

 

Windows 2000:

1.  In Windows Explorer, access the following directory:

    <Drive>:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Note: These are hidden files. To view these files and folders, you must select the Show hidden files and folders radio button in Tools menu | Folder Options... | View tab.

2.  Right-click on the MachineKeys folder and click on Properties.

3.  Click on the Security tab.

4.  Click on the Add... button.

5.  Select the appropriate domain or computer name in the Look in: dropdown list.

6.  Add the user(s) needing access to the container, making sure each user has Full Control permissions to it.

7.  Click on the Advanced... button. The Permissions tab is selected for you.

8.  Enable the Reset permissions on all child objects and enable propagation of inheritable permissions check box.

Optional: You may wish to limit a user's Full Control permissions to only the files (machine keys) by clicking on the View/Edit... button and selecting the Files only list item in the Apply onto: dropdown list.

 

Windows XP:

1.  In Windows Explorer, access the following directory: 
 
    <Drive>:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
 
Note: These are hidden files. To view these files and folders, you must select the Show hidden files and folders radio button in Tools menu | Folder Options... | View tab.
 
2.  Right-click on the MachineKeys folder and click on Properties.

3.  Click on the Security tab.

4.  Click on the Add... button.

5.  Select the appropriate domain or computer name from the Locations... button.

6.  Click on the Advanced... button.

7.  Click on the Find Now button. Select the needed users and click OK twice, once for each Select Users or Groups window.

8.  Make sure every user you selected has Full Control permissions.

9.  Click on the Advanced button. Enable the following check boxes on the Permission tab (which is selected for you):

  • Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
  • Replace permission entries on all child objects with entries shown here that apply to child objects.
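
Option III can also be scripted when the same grant has to be applied on several stations. The script below is an added example, not Citect code: it assumes Windows PowerShell 2.0 or later (an add-on for Windows XP, not available for Windows 2000) in a session with administrative privileges, and the `-Account` and `-FilesOnly` parameter names are hypothetical. Instead of resetting permissions on all child objects, it adds one entry to each existing key file, so entries held by other accounts on those files stay in place.

```powershell
# Added example (not vendor code). Grants one account Full Control on MachineKeys.
param(
    [Parameter(Mandatory = $true)][string]$Account,  # placeholder, e.g. 'PLANT\operator1'
    [switch]$FilesOnly                                 # mirrors "Apply onto: Files only"
)

# Folder location as given in the steps above for Windows 2000 / Windows XP.
$keyDir = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
if (-not (Test-Path -Path $keyDir -PathType Container)) {
    throw "MachineKeys folder not found: $keyDir"
}

# GUI default scope is "This folder, subfolders and files"; -FilesOnly narrows it.
$inherit = 'ContainerInherit,ObjectInherit'; $propagate = 'None'
if ($FilesOnly) { $inherit = 'ObjectInherit'; $propagate = 'InheritOnly' }

$ruleType   = 'System.Security.AccessControl.FileSystemAccessRule'
$folderRule = New-Object $ruleType -ArgumentList $Account, 'FullControl', $inherit, $propagate, 'Allow'
$fileRule   = New-Object $ruleType -ArgumentList $Account, 'FullControl', 'Allow'

# Read and write only the access section, so owner and audit entries are untouched.
$dir    = Get-Item -Path $keyDir -Force
$dirAcl = $dir.GetAccessControl('Access')
$dirAcl.AddAccessRule($folderRule)
$dir.SetAccessControl($dirAcl)

# Existing key files may not inherit from the folder, so add the entry to each one.
$files = @(Get-ChildItem -Path $keyDir -Force | Where-Object { -not $_.PSIsContainer })
foreach ($file in $files) {
    try {
        $fileAcl = $file.GetAccessControl('Access')
        $fileAcl.AddAccessRule($fileRule)
        $file.SetAccessControl($fileAcl)
    } catch {
        # Key files that cannot be read or changed by this session are reported, not forced.
        Write-Warning "Skipped $($file.Name): $($_.Exception.Message)"
    }
}

# Show the resulting folder entries so the grant can be reviewed.
$dir.GetAccessControl('Access').GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize
```

The table printed at the end lists every account with an entry on the folder, which makes it easy to confirm that only the intended users were added.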

V.  Probably the least desirable (if not impractical) of these options is to give every user administrative privileges.

 
