Certificate Based Authentication failure

  • Question

  • Hi,

    Trying to run SetDpmServer on a workgroup server to start protecting the server using CBA.

    The Bin file created during the CBA configuration setup on the DPM server is placed in the BIN catalogue on the workgroup server and DPM server. I'm using the same CA to create certificates for the DPM server and the workgroup server; the CBA setup on the DPM server side worked great.

    I receive the following error:

    Error(Id= 33234), Details : The certificate provided with thumbprint 1B575FA00A95EFC9F8635D13C60F9E611A5D3F3E on the personal machine store of machine WIN-D92DP0LRVOG does not correspond to the requirements of DPM.
    The following requirements are not met for the certificate.
    The certificate is not trusted on the local machine.

    Please make sure certificate fulfills the following requirements:
    1) The certificate is trusted on the local machine and has not expired.
    2) The revocation servers of the associated Certificate Authorities are online.
    3) The certificate has an associated private key with a valid exchange algorithm.
    4) The certificate's public key length is greater than or equal to 1024 bits.
    5) The certificate should have both Server and Client Authentication if Enhanced Key Usage is enabled.
    6) The subject of the certificate and its root CA should not be empty.
    7) DPM does not support certificates with Cryptography API Next Generation (CNG) keys.
    For more details see help.
    SetDpmServer failed with errorcode =0x809909b4, error says: (null)
    To further troubleshoot failures with SetDpmServer, go to  http://go.microsoft.com/fwlink/?LinkId=169142

    All prerequisites are met and, as I mentioned, it worked great for the DPM Server.


    Best Regards

    Robert Hedblom

    MVP DPM


    Check out my DPM blog @ http://robertanddpm.blogspot.com


    Thursday, May 31, 2012 10:40 AM
    Moderator

All replies

  • The following requirements are not met for the certificate.
    The certificate is not trusted on the local machine.

    Did you add the root certificate from the CA server where the DPM server lives to the Root CA Store on the workgroup server? If you open the certificate, can you see the chain as trusted?

    At least in beta, you needed to revoke at least one certificate to get the CRL present.

    Thursday, May 31, 2012 5:32 PM
    Moderator
  • Can you independently verify that the CRL is accessible from the Workgroup computer?

    And also what Flemming is suggesting.


    This posting is provided "AS IS" with no warranties, and confers no rights

    Thursday, May 31, 2012 9:41 PM
  • Hello,

    Most likely it's access to the CRL that is blocked, since the cert worked in other computers in the domain.
    Since this is in a workgroup it may be port blockage. If using the integrated firewall you can check the firewall logs.

    Shane


    Regards, Shane. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, June 1, 2012 3:20 PM
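
The checks suggested in the replies (root CA trusted on the workgroup server, CRL reachable from it) and the testable requirements listed in the error output can be verified with a short script. This is an added example, not part of the thread and not DPM's own validation code; it assumes PowerShell 3.0 or later run elevated on the workgroup server and an RSA key, and it does not test the CNG-key requirement.

```powershell
# Added example: re-checks the certificate requirements quoted in the error text.
# Assumptions: elevated PowerShell 3.0+ on the workgroup server, RSA key pair.
param([Parameter(Mandatory = $true)] [string] $Thumbprint)

$tp   = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
if (-not $cert) { throw "Thumbprint $tp not found in Cert:\LocalMachine\My" }

# Build the chain in machine context with online revocation checks on every
# element, so an untrusted root and an unreachable CRL are reported separately.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$null  = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# Requirement 5: if an EKU extension exists it must list both
# Server Authentication (…3.1) and Client Authentication (…3.2).
$eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$ekuOk   = (-not $eku) -or (($ekuOids -contains '1.3.6.1.5.5.7.3.1') -and
                            ($ekuOids -contains '1.3.6.1.5.5.7.3.2'))

# CRL distribution points (OID 2.5.29.31): the URLs the workgroup server
# must be able to reach for the revocation check to succeed.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$now = Get-Date

[pscustomobject]@{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotExpired        = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    TrustedChain      = -not ($flags -match 'UntrustedRoot|PartialChain')
    RevocationOnline  = -not ($flags -match 'RevocationStatusUnknown|OfflineRevocation')
    HasPrivateKey     = $cert.HasPrivateKey
    KeySizeAtLeast1024 = $cert.PublicKey.Key.KeySize -ge 1024
    EkuServerAndClient = $ekuOk
    SubjectNotEmpty   = -not [string]::IsNullOrWhiteSpace($cert.Subject)
    ChainDetail       = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    CrlDistribution   = if ($cdp) { $cdp.Format($true) } else { '(none)' }
} | Format-List
```

A `TrustedChain` of False points at the missing root CA certificate on the workgroup server, while a `RevocationOnline` of False with the chain otherwise trusted points at blocked access to the URLs shown under `CrlDistribution`.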