none
The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)) RRS feed

  • Question

  • Hi looking for help on the following issue.  I am attempting to use certificate authentication to backup both file and SQL data across forests using SCDPM 2016 with update Rollup 4 applied. I am running this on a Server 2016 server to backup data on a Server 2012 R2 server. I succesffully configured the certificates and added the clients to the server. I am able to create a protection group and expand the volumes and select the data sets I would like to backup.  When I initiate the backup, I see events in the client side event viewer that indicate the backup successfully begins. However no data is transferred and after 8 minutes, the backup fails with the message below. 

    Affected area: ServerName\DBNAME
    Occurred since: 3/28/2018 12:01:56 PM
    Description: The replica of SQL Server 2016 database ServerName\DBNAME on Server.domain.local is inconsistent with the protected data source. All protection activities for data source will fail until the replica is synchronized with consistency check. You can recover data from existing recovery points, but new recovery points cannot be created until the replica is consistent. 

    For SharePoint farm, recovery points will continue getting created with the databases that are consistent. To backup inconsistent databases, run a consistency check on the farm. (ID 3106)
    The DPM service was unable to communicate with the protection agent on Server.domain.local. (ID 52 Details: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331))

    In addition I am seeing an error in tha CAPI2 log:

    Result The certificate's CN name does not match the passed value.
    [ value]

    800B010F

    And on the client I see an Schannel Error:

    An unknown connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    I have verified that the certificate on the Server side and Client side both have the CN equal to the FQDN of the respective servers and the other information messages in the log seem to indicate that the chain policy is valid.  

    The certificates use a template from a clone of the "RAS and IAS Server" template provided with windows.  I have tried changing the provider from "Microsoft RSA SChannel Cryptographic  Provider" to "Microsoft Strong Cryptographic Provider" and re-registering both the client and server with no luck. 

    There are no GP policies limiting the available Ciphers from the default settings as far as I am aware, but I am open to further verification.  

    Are there any known cipher mismatchs between Server 2016 and Server 2012 R2? or is this a red herring and there is some other underlying issue?  

    Thanks for your help.

    Wednesday, March 28, 2018 6:46 PM

All replies