DPM 2012R2 - UR5. Certificate-based authentication - The certificate is not trusted on the local machine

Hi

I'm trying to set up certificate-based authentication so that DPM can protect an MSSQL clustered database that is in an untrusted domain. But this fails with:

PS C:\> Set-DPMCredentials -DPMServerName myDpmServer -Type Certificate -Action Configure -OutputFilePath c:\tmp -Thumbprint xxxx -Verbose
VERBOSE: Configures DPM server myDpmServer for certificate-based authentication.
Set-DPMCredentials : The certificate provided with thumbprint xxxxC35 on the personal machine store of machine myDpmServer does not correspond to the requirements of DPM.
The following requirements are not met for the certificate.
The certificate is not trusted on the local machine.
 (ID: 33234)
Please make sure certificate fulfills the following requirements:
1) The certificate is trusted on the local machine and has not expired.
2) The revocation servers of the associated Certificate Authorities are online.
3) The certificate has an associated private key with a valid exchange algorithm.
4) The certificate's public key length is greater than or equal to 1024 bits.
5) The certificate should have both Server and Client Authentication if Enhanced Key Usage is enabled.
6) The subject of the certificate and its root CA should not be empty.
7) DPM does not support certificates with Cryptography API Next Generation (CNG) keys.
For more details see help.
At line:1 char:1
+ Set-DPMCredentials -DPMServerName myDpmServer -Type Certificate -Action  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-DPMCredentials], DlsException
    + FullyQualifiedErrorId : InvalidCertificate,Microsoft.Internal.EnterpriseStorage.Dls.UI.Cmdlet.Common.SetDPMCredentialsCmdlet
PS C:\>


I have gone through (several times) the certificate requirements described in:

http://blogs.technet.com/b/dpm/archive/2012/07/23/dpm-certificate-troubleshooting-part-1-general-troubleshooting.aspx

https://technet.microsoft.com/nb-no/library/hh757942.aspx

http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx

I'm not able to find out why this fails. Does anyone have other ideas on how I can find the root cause of this failure?

Br. Rune

June 29th, 2015 3:38am

Hi,

Verify that the systems can access the CRL (certificate revocation list) using the SYSTEM account.

Download the PsExec tool from www.sysinternals.com.
Open an administrative command prompt, and type psexec -s cmd
Type certutil -verify -urlfetch yourcert.cer >result.txt
Look at the result and fix any problems found.

June 29th, 2015 2:53pm
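The certutil step above checks trust and CRL reachability. The PowerShell script below is an added example, not code from the thread or from the DPM product, that walks through all seven requirements quoted in error ID 33234 for one certificate in the local machine Personal store and reports which one fails. It assumes an RSA certificate (DPM's requirement), a placeholder thumbprint you replace, and that you run it elevated; to see exactly what the DPM service sees, start it under the SYSTEM account with psexec -s powershell.exe, as the reply suggests for certutil. The CNG check is a heuristic: it reads the provider name certutil prints and treats any "Key Storage Provider" as CNG.

```powershell
# Added example (not from the original thread): check one certificate against the
# requirements listed in DPM error ID 33234. Run elevated; run as SYSTEM to match DPM.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder, e.g. 'PLACEHOLDER_THUMBPRINT'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1) Chain trust and validity period, with online revocation checking of the whole chain,
#    which is what the DPM cmdlet effectively requires.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainBuilt = $chain.Build($cert)
$statusText = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
$now = Get-Date
Add-Check 'Trusted and not expired' ($chainBuilt -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now) $statusText

# 2) Revocation servers reachable: the chain engine reports unreachable CRL/OCSP endpoints
#    as RevocationStatusUnknown / OfflineRevocation.
$revocationProblem = $chain.ChainStatus | Where-Object { $_.Status -match 'Revocation' }
Add-Check 'Revocation servers online' (-not $revocationProblem) (($revocationProblem | ForEach-Object { $_.Status }) -join ', ')

# 3) Private key present and created for key exchange (AT_KEYEXCHANGE), not signature-only.
#    CspKeyContainerInfo only exists for legacy CAPI keys; CNG keys leave $keyNumber empty.
$keyNumber = $null
try { $keyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { }
Add-Check 'Private key with exchange algorithm' ($cert.HasPrivateKey -and "$keyNumber" -eq 'Exchange') "HasPrivateKey=$($cert.HasPrivateKey) KeyNumber=$keyNumber"

# 4) Public key length (RSA assumed).
$keySize = 0
try { $keySize = $cert.PublicKey.Key.KeySize } catch { }
Add-Check 'Public key >= 1024 bits' ($keySize -ge 1024) "KeySize=$keySize"

# 5) If an EKU extension is present it must contain both Server and Client Authentication.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    $hasBoth = ($oids -contains '1.3.6.1.5.5.7.3.1') -and ($oids -contains '1.3.6.1.5.5.7.3.2')
    Add-Check 'EKU has Server and Client Authentication' $hasBoth ($oids -join ', ')
} else {
    Add-Check 'EKU has Server and Client Authentication' $true 'no EKU extension, requirement does not apply'
}

# 6) Subject of the leaf and of the last chain element (the root CA when the chain built).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Add-Check 'Subject and root CA subject non-empty' (($cert.Subject -ne '') -and ($root.Subject -ne '')) "Subject=$($cert.Subject); Root=$($root.Subject)"

# 7) CNG keys live in a Key Storage Provider; legacy CAPI keys use a Cryptographic Provider.
#    certutil prints the provider name for the store entry (heuristic, see lead-in).
$providerLine = certutil -store My $Thumbprint | Select-String 'Provider' | Select-Object -First 1
$providerText = "$providerLine".Trim()
$isCng = $providerText -match 'Key Storage Provider'
Add-Check 'Key is CAPI (not CNG)' (-not $isCng) $providerText

$results | Format-Table -AutoSize
```

Read the Detail column of the first two rows first: a PartialChain or UntrustedRoot status means the issuing chain is not in the machine's Trusted Root / Intermediate stores, while RevocationStatusUnknown or OfflineRevocation with a trusted chain points at the CRL distribution point being unreachable from the SYSTEM context, which is exactly the case the reply's certutil -urlfetch run is meant to expose.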

