Error: Must be configured to allow delegation

Hi everyone!

We have an offline-drop setup for a couple of deployments where we manually copy packages and deploy them using powershell on the servers. For the deploys we run the .CMD file that is autogenerated with no additional commands.

However we recently started getting errors everytime we try to deploy new packages.

##octopus[setVariable name=“T2N0b3B1cy5BY3Rpb24uU2NyaXB0LkV4aXRDb2Rl” value=“MA==”]
Exception calling “Protect” with “3” argument(s): "The requested operation cannot be completed. The computer must be tr
usted for delegation and the current user account must be configured to allow delegation.
At C:\Applications\Deploy packages\PROJECT\\Resources\Encrypt-WithMachineKey.ps1:9 char:9

  •     $SecureStr = [Security.Cryptography.ProtectedData]::Protect($ ...
  •     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotSpecified: (:slight_smile: [], MethodInvocationException
    • FullyQualifiedErrorId : CryptographicException

Exception calling “ToBase64String” with “1” argument(s): “Value cannot be null.
Parameter name: inArray”
At C:\Applications\Deploy packages\PROJECT\\Resources\Encrypt-WithMachineKey.ps1:10 char:9

  •     $SecureStrBase64 = [System.Convert]::ToBase64String($SecureSt ...
  •     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotSpecified: (:slight_smile: [], MethodInvocationException
    • FullyQualifiedErrorId : ArgumentNullException

Unhandled Exception: Calamari.Commands.Support.CommandException: Cannot decrypt output variables.
at Calamari.Integration.Processes.CalamariVariableDictionary.DecryptWithMachineKey(String base64EncodedEncryptedVariables, String password)
at Calamari.Integration.Processes.CalamariVariableDictionary…ctor(String storageFilePath, String sensitiveFilePath, String sensitiveFilePassword, String outputVariablesFilePath, String outputVariablesFilePassword)
at Calamari.Modules.CommonModule.Load(ContainerBuilder builder)
at Autofac.Module.Configure(IComponentRegistry componentRegistry)
at Autofac.ContainerBuilder.Build(IComponentRegistry componentRegistry, Boolean excludeDefaultModules)
at Autofac.ContainerBuilder.Build(ContainerBuildOptions options)
at Calamari.Program.Main(String[] args)


We tried what was suggested in this thread, changing in the registry, on all servers involved. Still no luck.

We do not have any secret / hidden variables for this project in the setup in Octopus.

Another thing to point out is that older versions in thie project can be released, but the last package built was made on 7 February 2018 (More than a year ago), since then we have not made any changes on the server or in Octopus for this project.

My best guess is that this started happening after some Octopus update. Unfortunately since it’s such a long time in between releases for this project it’s impossible for me to pin down which version this changed.

All ideas and help would be greatly appreciated!

Best Regards,

Hi Sebastian,

Thanks for getting in touch! This will be happening because the script is trying to us DPAPI when calling the Protect(...) method but something is wrong with the configuration of the machine or user. We have made changes to Offline Drops in the past, and if you don’t upgrade often or deploy often, it would be tricky to pin down!

I’ve only seen one case like this before, related to the Octopus Server Master Key which also uses DPAPI:

That thread has a suggested solution which appears to have helped the reporting user.

Alterntatively you may be able to change your Offline Drop Target configuration to remove the password - this is the switch we use to decide when encryption is required or not. We added that change as part of fixing this issue

You mentioned you don’t have any sensitive values, however sometimes your steps will have sensitive values inside them, not necessarily in the variables list itself. When you create the offline drop packages, Octopus will get upset if you have sensitive values somewhere, but no password.

Hope that helps!

Hi Mike,

Thank you for your reply!
The thread you linked was the same one I added in my original post, already tried that without success.

However, I read up on the sensitive variables link that you sent, we did not have a password set.
From what I understand the idea here is that I could set a password and it would potentially work(?).

I did set a password and tried deploying again but without luck, it did prompt me for the password but unfortunately still throwing the same exception.

So right now it looks like we’re back on square one…

Do you have any other ideas?


Hi Sebastian,

Thanks for keeping in touch! I’m sorry, I didn’t pay enough attention to your original post.

Can you try clearing the password from your Offline Drop target? We use the presence/absence of a password in the Offline Drop target to decide whether to encrypt all the variable values or leave them in clear text.

If that doesn’t work, I would like to investigate further. To do that, can you please send the following log files to

  1. The task log where the offline drop package is created
  2. The logs created when executing the offline drop
  3. Can you successfully execute the offline drop on a different machine? If so can you post those logs as well?

Hope that helps!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.