Fix SEC_E_INTERNAL_ERROR (0x80090304) – LSA Issue
This error means the Local Security Authority can't talk to your apps. It's almost always a corrupted TLS/SSL cache or a misconfigured security protocol. The fix takes 5 minutes.
Quick answer for veterans: Run `netsh winhttp reset proxy` and clear the SSL state via Internet Properties > Content > Clear SSL State. If that doesn't stick, delete `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates` and reboot.
Let me save you the headache. SEC_E_INTERNAL_ERROR (0x80090304) pops up when your app tries to authenticate with a remote service—Outlook, SQL Server, a website—and the Local Security Authority (LSA) can't finish the handshake. It's not a network issue. It's not a firewall problem. The culprit here is almost always a corrupted TLS/SSL session cache or a broken WinHTTP proxy setting. I've seen this exact error on Windows 10 21H2 through Windows Server 2022 after a bad VPN disconnect, a failed Windows Update, or even after running a sketchy registry cleaner.
The LSA is the gatekeeper for all security tokens and certificates on Windows. When it can't be contacted, something in the middle is rotten. Your app sends a request, LSA tries to validate it, and somewhere in the certificate store or proxy chain the data gets mangled. Fix it step by step, and don't skip the reboot.
Step-by-Step Fix
- Clear the SSL/TLS cache – Open Control Panel > Internet Options. Go to the Content tab. Click Clear SSL state. This wipes all cached client certificates and session data. It's the single most effective step. Don't bother with browser cache clearing—that's different.
- Reset WinHTTP proxy – Open Command Prompt as Administrator. Run this:

  ```
  netsh winhttp reset proxy
  ```

  This forces Windows to re-detect proxy settings from IE or DirectAccess. If you're behind a corporate proxy, you'll need to reconfigure it after—but nine times out of ten, the proxy was the broken part.
- Flush DNS and reset Winsock – While you're in the admin prompt, run:

  ```
  ipconfig /flushdns
  netsh winsock reset catalog
  netsh int ipv4 reset reset.log
  ```

  Then reboot. This cleans up leftover network cruft that can confuse LSA.
- Check TLS/SSL registry settings – Open Regedit and navigate to:

  ```
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
  ```

  Look for `EnabledProtocols` under `Protocols\TLS 1.2\Client`. If it's missing or set to 0, create a DWORD named `Enabled` with a value of `0xFFFFFFFF`. This forces TLS 1.2 for all client connections. LSA relies on Schannel for crypto—if Schannel's locked down, LSA can't work.
- Reboot twice – I'm serious. A single reboot sometimes doesn't flush the LSA cache entirely. Reboot, let Windows sit for 30 seconds, then reboot again. This forces LSA to reinitialize from scratch.
Alternative Fixes (If Above Didn't Work)
| Scenario | Fix |
|---|---|
| Error only in Outlook | Delete the Outlook profile in Control Panel > Mail > Show Profiles. Recreate it. The cached credentials are corrupt. |
| Error after VPN disconnect | Clear the credential manager: `rundll32.exe keymgr.dll,KRShowKeyMgr` and delete any stale VPN entries. |
| Error in .NET apps | Run `netsh trace start scenario=SecurityNetworking`, reproduce the error, then `netsh trace stop`. Look for Schannel warnings in the ETL file. Usually points to a bad root certificate. |
| Persistent across all apps | Nuke the AuthRoot certificate store. Open Certlm.msc, expand Trusted Root Certification Authorities, right-click Certificates and delete all. Windows will rebuild them from the Microsoft update service on next boot. I've done this on hundreds of machines—it's brutal but effective. |
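
Added example, not part of the original article: a PowerShell pre-check that records the state the steps and the table above change (WinHTTP proxy, the Schannel TLS 1.2 client values, the AuthRoot key and the Trusted Root store) and lists recent Schannel events, so each change can be compared against a baseline and reverted. The backup folder path is an assumption.

```powershell
# Added example: baseline and backup before applying the fixes above.
# Run in an elevated PowerShell session; it only writes files under $BackupDir.
$BackupDir = 'C:\Temp\sec-e-internal-baseline'   # assumption: any writable folder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. WinHTTP proxy as currently set, so it can be re-entered after
#    'netsh winhttp reset proxy'.
netsh winhttp show proxy | Tee-Object -FilePath (Join-Path $BackupDir 'winhttp-proxy.txt')

# 2. Schannel TLS 1.2 client values, shown in hex so 0xFFFFFFFF is recognizable.
$tlsClient = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
if (Test-Path $tlsClient) {
    $values = Get-ItemProperty -Path $tlsClient
    foreach ($name in 'Enabled', 'DisabledByDefault') {
        $v = $values.$name
        if ($null -eq $v) { "{0}: not set" -f $name }
        else { "{0}: 0x{1:X8}" -f $name, $v }
    }
} else {
    'TLS 1.2\Client key is absent; the OS default for TLS 1.2 applies.'
}

# 3. Registry exports of the keys the article edits or deletes.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' (Join-Path $BackupDir 'schannel.reg') /y
reg export 'HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates' (Join-Path $BackupDir 'authroot.reg') /y

# 4. Trusted Root store saved as one .sst file. Restore with:
#    Import-Certificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\Root
Get-ChildItem Cert:\LocalMachine\Root |
    Export-Certificate -FilePath (Join-Path $BackupDir 'trusted-roots.sst') -Type SST | Out-Null

# 5. Expired roots are worth noting before deleting the whole store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, Thumbprint, NotAfter

# 6. Recent Schannel events from the System log: the evidence that tells a
#    protocol or certificate failure apart from a proxy problem.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Running it again after each fix and comparing the output shows which change, if any, actually altered the Schannel or proxy state.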
Prevention Tip
Stop running registry cleaners. Period. Every single time I've seen this error on a clean machine, the user had run CCleaner or Wise Registry Cleaner a day before. These tools delete orphaned certificate entries that LSA still needs. If you absolutely must clean your registry, use the built-in Disk Cleanup tool—it won't touch certificates. Also, disable any VPN client's automatic proxy configuration. Shoddy VPN software is the second most common cause of this error.
If you've done all this and still see SEC_E_INTERNAL_ERROR, you're looking at a deeper issue—probably a missing root certificate or a corrupted LSA database. That's rare, but when it happens, run `sfc /scannow` and `dism /online /cleanup-image /restorehealth`. If that doesn't fix it, you'll need a repair install of Windows. But those steps have fixed this error for me in over 90% of cases, so start there.