How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager
System Center Data Protection Manager 2010 supports protection of computers in workgroups and untrusted domains using local accounts and NTLM, however in scenarios where an organization does not allow creation of local accounts this solution does not work.
System Center 2012 Data Protection Manager (DPM) now allows you to use certificates to authenticate computers in workgroups or untrusted domains. DPM supports the following data sources for certificate-based authentication when they are not in trusted domains:
- SQL Server
- File server
DPM also supports these data sources in clustered deployments.
The following data sources are not supported:
- Exchange Server
- Client computers
- SharePoint Server
- Bare Metal Recovery
- System State
- End user recovery of file and SQL
- Protection between a Primary DPM server and Secondary DPM server using certs. The Primary DPM server and Secondary DPM server need to be in the same domain or mutually trusted domain. Certificate based authentication between a Primary and Secondary DPM servers is not supported.
The purpose of this article is to provide you with a walkthrough of setting up System Center 2012 Data Protection Manager and a protected server with certificate authentication. This process will cover four phases:
- Obtaining and configuring a cert for the DPM server
- Obtaining and configuring a cert for the protected server
- Running the setdpmserver command on the protected server
- Running the attach command on the DPM server
We are operating under the following assumptions:
1. An existing Certificate Authority (CA) and Certificate Revocation List (CRL) are already installed, online and the proper template is configured for web enrollment. See Appendix A for the steps used to create a template and enable it for web enrollment. You can request a certificate in many ways, such as using the MMC if the template is Enrolled, or via Autoenroll with Active Directory. Information on configuring the template for Enrollment or Autoenrollment can be found in Appendix B.
2. DPM is installed, healthy and functioning in the domain.
First we will have to generate a certificate with the following parameters:
- X.509 V3 certificate
- Enhance Key Usage should have client authentication and server authentication
- Key length should be at least 1024 bits
- Key type should be exchange
- Certificate can NOT be self-signed
- Subject name of the certificate and root certificate should not be empty
- Certificates shouldn’t be of Cryptography API Next Generation (CNG) Keys. DPM doesn’t support certificates with CNG Keys
- The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and DPM server
- The certificate has an associated private key
These options for the template are configured on the CA for us to be able to request them.
Phase 1: Install a certificate on the DPM server
In this phase, we will request a certificate from a Certificate Authority. Once complete, the default location where the certificate is kept is the User store. This is important to note, as we will need to export this certificate from the User store to the Local Computer store for us to use it. In the example provided below, we will request the certificate via web enrollment.
1. We request a certificate from a CA.
2. Select “advanced certificate request”.
3. Select “Create and Submit a request to this CA”.
4. A certificate template has already been created with the following parameters as mentioned above. In this case the template name is DPM Authentication. The highlighted areas below will need to be completed.
Certificate Template: Created on the CA for us to choose for web enrollment.
Name: You must specify a name. Any descriptive name will do.
Key size: This selection must be at least 1024 or higher.
Mark Key as exportable. This must be selected.
Friendly Name. You must specify a name. Any descriptive name will do.
5. Select “Install this certificate”.
6.) As mentioned the certificate is placed in the User store and we need to export and import it to the Local Computer Personal store. As such lets go ahead and add the mmc snap-in for both stores.
Verify that the certificate is in the User store. Here we see the User personal store has the certificate.
7. Move the installed certificate from the User store to the Local Computer store. This involves exporting the certificate from the User store and importing the certificate into the Local Computer store.
Exporting the certificate
Right-click the certificate and select “all tasks” then “export”. The Export wizard will start, select “next”. Select “Yes, export the private key”, then “next”.
In the next screen except the defaults and then “next”.
Supply a password then select “next”.
The next screen you will have to give the export cert a file name and a location.
You will note the extension of the file is *.pfx. Select “next”.
Here you can see the export choices. Select “Finish”.
Importing the Certificate
In the Local Computer\Personal\certificate store, right-click Certificate, All Tasks and then Import.
Select “Next” on the welcome screen. The File to import screen comes up.
Browse to the location where you saved the certificate. Click the drop-down and select “All files”, or select *.pfx in order to see the certificate that you exported.
Next you will be prompted to input the password that you used to export the certificate. Make sure to select “Mark this key as exportable”.
You can select the default to “Place all certificates in the following store”
Select “Next” and you will now see the “Completing the Certificate Import Wizard”.
8. Now that the certificate has been created and placed into the right store, we will use PowerShell to set the DPM credentials to use the certificate. Before we do that we will need to obtain the thumbprint created for this certificate. Go to the certificate in the Local Computer\Personal\certificates store. Note the certificate now imported there. Double-click on it. Select the “Details” tab and scroll down to the thumbprint. Click the thumbprint and in the bottom pane you will see the thumbprint in use. You will have to highlight the thumbprint and copy (Ctrl+c).
Paste the thumbprint into Notepad and remove the spaces as such. This is a very important step as we will supply the thumbprint in our next step. Any spaces present in the thumbprint will cause the command to fail.
9. We will be using the thumbprint to set the DPM credentials. The syntax will be as follows:
Set-DPMCredentials –DPMServerName DPM2012.contoso.com –Type Certificate –Action Configure –OutputFilePath C:\Temp -Thumbprint 493f27f35b2105804afbd49bb5a59bf2e380e00
NOTE The syntax above will have DPM create a *.bin file that will need to be copied to the clients we are protecting. Take note of the syntax above, specifically the c:\Temp directory. A directory needs to exist ahead of time in order for the bin file to be saved to that location. You can name the directory anything you want. In this case we created one named C:\Temp.
10. Once this is done you will go to the C:\Temp directory and retrieve that bin file and copy it to the client server. Copy it to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin directory. It’s not mandatory to copy the file to the bin directory if you do not you will need to specify the full path of the file as a value for “-DPMcredential” parameter.
Phase 2: Installing the certificate on the client
On the client we will assume that the DPM agent is already installed.
This method will be the same as it was for the DPM server and we
will select the same certificate parameters as listed above. For clarity I will go over them again for the client side.
1. On the client via web enrollment “request a certificate”
2. Submit an advanced certificate request:
3. Select to “Create and submit a request to this CA
4.During the request we specify the following
5. We then choose to install the certificate. Once done, we need to open up an MMC and add the certificate snap-in for both current user and local computer. Remember that by default the certificate will be installed into the current user store.
We will need to export the certificate and import it into the Local Computer personal store. You can use the steps above to export the certificate as we did for the DPM server. Make sure to choose “Yes export the private key”. Once it’s exported, please import that certificate into the Local Computer store.
Phase 3: Running the setdpmserver command on the protected computer
We will now configure the protected server to recognize the DPM server as being authorized to perform backups. The DPM agent will need to be installed on the protected server before we run the setdpmserver command. If the agent is not already installed, this can be done via the DPM installation media. From the DPM media, launch setup.exe. From the DPM launch screen, choose Install DPM Protection Agent. This will install the files needed to run SetDPMServer.
Now that we have a certificate on the client server to be protected, we will need the thumbprint from the certificate properties.
1. Open up the certificate in the computer personal store that was imported and go to the details tab.
Here we will need the thumbprint of the protected server certificate. Copy the thumbprint and paste it into Notepad. Once done, remove the spaces as in the example below:
We will have to use this output as a parameter for the setdpmserver command.
2. Open a command prompt and navigate to the C:\Program Files\Microsoft Data Protection Manger\DPM\bin directory. Here we will use the following syntax:
setdpmserver –dpmCredential CertificateConfiguration_DPM01.contoso.com.bin –OutputFilePath c:\Temp -Thumbprint <ClientThumbprintWithNoSpaces>
Successful results will be displayed as below:
”CertificateConfiguration_DPM01.contoso.com.bin” is the name of the bin file copied from the DPM server to the client server. Just like on the DPM server, you will have to create or use an already existing directory for the client to save it’s bin file. This bin file, once created, will be placed on the DPM server.
NOTE During the System Center 2012 Data Protection Manager beta, if you did not have the firewall turned on during this command then you would get the following error:
This is no longer an issue in the RTM release of System Center 2012 Data Protection Manager.
3. Go to the C:\Temp directory to retrieve the .bin file created and copy it to the DPM server. Again, you can copy this file to any location on the DPM server but you will need to specify the full path for the ‘PSCredentials” parameter. By default, “Attach-ProductionServerwithCertificate.ps1” checks for the file in the Windows\System32 directory. If you copy the file to this directory then you can specify the filename instead of the full path.
Phase 4: Attach the Client from the DPM server
This is done not via the DPM agent management tab but rather by PowerShell. With the .bin file created by the client copied from the client to the DPM server, we will now open PowerShell and perform the attach. Once the .bin file from the client is saved to DPM, open up PowerShell and type the following command, then hit Enter:
You will see the following prompting you for values:
Supply values for the following parameters:
NOTE The PSCredentials is asking for the name of the bin file created by the client. Specify the full path unless you copied the bin file to Windows\system32 directory.
IMPORTANT Upon running the Attach-ProductionServerWithCertificate.ps1 command, it is important that you specify the protected server created *.bin file. If you specify the DPM server *.bin file then you will remove all of the protected servers configured for certificate based authentication.
The attach should be completed with no issues and the protected server should show up in the DPM GUI.
NOTE If you do not place the file in the \system32 directory and you do not specify the full path then you will see the warning below.
Appendix A: Creating the DPM certificate template
To create a DPM template for web enrollment, we can copy an existing template from within the “Certificate Templates” snap-in on the Certificate Authority. We will need to pick one that is listed as client authentication and server authentication for intended purposes.
In this example above, the “RAS and IAS Server” template is selected. It is highlighted and we select “Duplicate Template”. We will be prompted for a selection as below:
Leave the default at Windows Server 2003 Enterprise and click OK. Change the Template display name to something distinguishable. In this example we have chosen “DPM Authentication” as the template display name.
There also needs to be a check in the check box for “Publish certificate in Active Directory”. In the Request Handling tab, the Allow private key to be exported should be selected.
Now that we’ve created a new template for DPM authentication, we now need to make the certificate template available for use. Open the Certificate Authority snap-in.
Right-click on “Certificate Templates” and select “New” then choose “Certificate Template to Issue”.
Once this is done you will be provided with a selection of certificate templates to chose from. Select the template we created and click OK.
Appendix B: Configuring the DPM Template for Enrollment or AutoEnrollment
During the creation of the DPM certificate template, you can optionally configure it for Enrollment or Autoenrollment.
a. Selecting Enroll will allow it for selection via MMC.
b. Selecting Autoenroll will allow the certificate to be automatically assigned to computers in the domain.
For Enrollment, if the request will be done directly through the MMC (much easier method), then use Build from this Active Directory information radio button. Change the drop down to use Common name, and the check the box for DNS name. Click OK to accept that.
Only if using the MMC method to request the certificate. go to the Security tab and select Enroll for Authenticated Users. Once done, close out the certificate properties.
Optionally, if Autoenroll is selected, this certificate will be automatically assigned to computers in the domain.
Now that the choice has been made to Enroll the certificates, we should now be able to request the certificate via the MMC. On a server to be protected, in the Certificates (Local Computer) snap-in, expand the Personal store and right click “certificates”. Select “All tasks” then “Request New Certificate”
You should see the certificate enrollment wizard initialized.
Select “Next” and you should see the choice to select “Active Directory Enrollment Policy”.
Select “Next”. You should now see our template that we created as a selection.
You can expand the “Details” and see the properties.
When the properties page opens, select the “General” tab and give it a friendly name. In this example we give it the name of “DPM AuthTest”
Once you select Apply, select Next and you should see a confirmation that the certificate is installed successfully.
Go back to the Certificate Computer personal store and double click on the certificate. Select the “Certificate Path” tab. You can see the friendly name of “DPM AuthTest”
You have now requested a certificate for DPM use via MMC instead of web enrollment.
Shane Brasher | Senior Support Escalation Engineer
Get the latest System Center news on Facebook and Twitter :