DPM 2012 sp1 crashes when I try to encrypt a tape RRS feed

  • Question

  • I have DPM 2012 SP1 running nicely.

    I want to encrypt my tapes. I have a CA so I followed this procedure to create a new template and issue a certificate with key to the DPM server.

    I don't have IIS on my DPM server, and don't really want to install it so I want to get a certificate from my Windows 2008 R2 CA.

    I have reproduced on two servers with two different tape drives, so I don't think it is hardware related.

    When I add encryption to a protection group, about 1 minute after the tape backup starts DPM crashes:

    There is an event 999

    The description for Event ID 999 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    An unexpected error caused a failure for process 'msdpm'.  Restart the DPM process 'msdpm'.

    Problem Details:

    <FatalServiceError><__System><ID>19</ID><Seq>768</Seq><TimeCreated>01/05/2013 11:14:53</TimeCreated><Source>DpmThreadPool.cs</Source><Line>163</Line><HasError>True</HasError></__System><ExceptionType>CryptographicException</ExceptionType><ExceptionMessage>Invalid provider type specified.

    </ExceptionMessage><ExceptionDetails>System.Security.Cryptography.CryptographicException: Invalid provider type specified.

       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)

       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle&amp; safeProvHandle, SafeKeyHandle&amp; safeKeyHandle)

       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()

       at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)

       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

       at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.EncryptionHelper.DecryptSessionKey(X509Certificate2 x509Cert, Byte[] encryptedSessionKey)

       at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.EncryptionHelper.RetriveSessionKey(EnvelopeType mtaEnvelope, String storeName)

       at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.EncryptionHelper.GetSessionKey(EnvelopeType mtaEnvelope, Boolean recovery)

       at Microsoft.Internal.EnterpriseStorage.Dls.MMUtils.TaskHelper.GetSessionKey(String omid, Boolean isForRead)

       at Microsoft.Internal.EnterpriseStorage.Dls.MMInterface.MMBackupLoop.SendMTAPerformIO(Message msg)

       at Microsoft.Internal.EnterpriseStorage.Dls.MMInterface.MMBackupLoop.CheckIsWriteOMIDNeeded(Message msg)

       at Microsoft.Internal.EnterpriseStorage.Dls.TaskExecutor.Fsm.ConnectionPoint.Execute(Message msg)

       at Microsoft.Internal.EnterpriseStorage.Dls.TaskExecutor.Fsm.Engine.ChangeState(Message msg)

       at Microsoft.Internal.EnterpriseStorage.Dls.TaskExecutor.TaskInstance.Process(Object dummy)

       at Microsoft.Internal.EnterpriseStorage.Dls.TaskExecutor.FsmThreadFunction.Function(Object taskThreadContextObj)

       at System.Threading.ExecutionContext.runTryCode(Object userData)

       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)

       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

       at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)

       at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)</ExceptionDetails></FatalServiceError>


    the message resource is present but the message is not found in the string/message table

    and :

    The DPM service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.

    If I remove the encryption it works again.


    Wednesday, May 1, 2013 11:40 AM


  • OK Solved this:

    Two thinks not clear in the documentation : if you are using your own Windows 2008 R2 CA or 2012 CA and want to create a new template for DPM (instead of using the standard webserver template), so that for example you can limit access to this certificate to your DPM servers.

    The template must be a Windows 2003 (nor 2008) type certificate template (don't ask why I don't know).

    You must import the certificate into BOTH the DPM Backup AND the DPM Restore certificate store in order to do a backup to a tape that has been encrypted.

    If you don't have the certificate in both stores OR you have a 2008 certificate, DPM crashes.

    Microsoft - perhaps we can have a documentation update and a more elegant warning if the wrong kind of certificate is used. Self signed is not really a good solution in this day and age, as more and more applications and web browsers won't accept them.

    Perhaps someone better informed than I can validate this answer.


    Thursday, May 2, 2013 8:43 AM