How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager - The Official System Center Data Protection Manager Team Blog - Site Home - TechNet Blogs

How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager

How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager

  • Comments 8
  • Likes


System Center Data Protection Manager 2010 supports protection of computers in workgroups and untrusted domains using local accounts and NTLM, however in scenarios where an organization does not allow creation of local accounts this solution does not work.

System Center 2012 Data Protection Manager (DPM) now allows you to use certificates to authenticate computers in workgroups or untrusted domains. DPM supports the following data sources for certificate-based authentication when they are not in trusted domains:

  • SQL Server
  • File server
  • Hyper-V

DPM also supports these data sources in clustered deployments.

The following data sources are not supported:

  • Exchange Server
  • Client computers
  • SharePoint Server
  • Bare Metal Recovery
  • System State
  • End user recovery of file and SQL
  • Protection between a Primary DPM server and Secondary DPM server using certs. The Primary DPM server and Secondary DPM server need to be in the same domain or mutually trusted domain. Certificate based authentication between a Primary and Secondary DPM servers is not supported.

The purpose of this article is to provide you with a walkthrough of setting up System Center 2012 Data Protection Manager and a protected server with certificate authentication. This process will cover four phases:

  1. Obtaining and configuring a cert for the DPM server
  2. Obtaining and configuring a cert for the protected server
  3. Running the setdpmserver command on the protected server
  4. Running the attach command on the DPM server

We are operating under the following assumptions:

1. An existing Certificate Authority (CA) and Certificate Revocation List (CRL) are already installed, online and the proper template is configured for web enrollment. See Appendix A for the steps used to create a template and enable it for web enrollment. You can request a certificate in many ways, such as using the MMC if the template is Enrolled, or via Autoenroll with Active Directory. Information on configuring the template for Enrollment or Autoenrollment can be found in Appendix B.

2. DPM is installed, healthy and functioning in the domain.

First we will have to generate a certificate with the following parameters:

  • X.509 V3 certificate
  • Enhance Key Usage should have client authentication and server authentication
  • Key length should be at least 1024 bits
  • Key type should be exchange
  • Certificate can NOT be self-signed
  • Subject name of the certificate and root certificate should not be empty
  • Certificates shouldn’t be of Cryptography API Next Generation (CNG) Keys. DPM doesn’t support certificates with CNG Keys
  • The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and DPM server
  • The certificate has an associated private key

These options for the template are configured on the CA for us to be able to request them.

Phase 1: Install a certificate on the DPM server

In this phase, we will request a certificate from a Certificate Authority. Once complete, the default location where the certificate is kept is the User store. This is important to note, as we will need to export this certificate from the User store to the Local Computer store for us to use it. In the example provided below, we will request the certificate via web enrollment.

1. We request a certificate from a CA.


2. Select “advanced certificate request”.


3. Select “Create and Submit a request to this CA”.


4. A certificate template has already been created with the following parameters as mentioned above. In this case the template name is DPM Authentication. The highlighted areas below will need to be completed.

Certificate Template: Created on the CA for us to choose for web enrollment.
Name: You must specify a name. Any descriptive name will do.
Key size: This selection must be at least 1024 or higher.
Mark Key as exportable: This must be selected.
Friendly Name: You must specify a name. Any descriptive name will do.


5. Select “Install this certificate”.


6.) As mentioned the certificate is placed in the User store and we need to export  and import it to the Local Computer Personal store.  As such lets go ahead and add the mmc snap-in for both stores.


Verify that the certificate is in the User store. Here we see the User personal store has the certificate.


7. Move the installed certificate from the User store to the Local Computer store. This involves exporting the certificate from the User store and importing the certificate into the Local Computer store.

Exporting the certificate


Right-click the certificate and select “all tasks” then “export”. The Export wizard will start, select “next”. Select “Yes, export the private key”, then “next”.


In the next screen except the defaults and then “next”.


Supply a password then select “next”.


The next screen you will have to give the export cert a file name and a location.


You will note the extension of the file is *.pfx. Select “next”.


Here you can see the export choices. Select “Finish”.

Importing the Certificate

In the Local Computer\Personal\certificate store, right-click Certificate, All Tasks and then Import.


Select “Next” on the welcome screen. The File to import screen comes up.


Browse to the location where you saved the certificate. Click the drop-down and select “All files”, or select *.pfx in order to see the certificate that you exported.


Next you will be prompted to input the password that you used to export the certificate. Make sure to select “Mark this key as exportable”.


You can select the default to “Place all certificates in the following store”


Select “Next” and you will now see the “Completing the Certificate Import Wizard”.


8. Now that the certificate has been created and placed into the right store, we will use PowerShell to set the DPM credentials to use the certificate. Before we do that we will need to obtain the thumbprint created for this certificate. Go to the certificate in the Local Computer\Personal\certificates store. Note the certificate now imported there. Double-click on it. Select the “Details” tab and scroll down to the thumbprint. Click the thumbprint and in the bottom pane you will see the thumbprint in use. You will have to highlight the thumbprint and copy (Ctrl+c).


Paste the thumbprint into Notepad and remove the spaces as such. This is a very important step as we will supply the thumbprint in our next step. Any spaces present in the thumbprint will cause the command to fail.


9. We will be using the thumbprint to set the DPM credentials. The syntax will be as follows:

Set-DPMCredentials –DPMServerName –Type Certificate –Action Configure –OutputFilePath C:\Temp -Thumbprint 493f27f35b2105804afbd49bb5a59bf2e380e00


NOTE The syntax above will have DPM create a *.bin file that will need to be copied to the clients we are protecting. Take note of the syntax above, specifically the c:\Temp directory. A directory needs to exist ahead of time in order for the bin file to be saved to that location. You can name the directory anything you want. In this case we created one named C:\Temp.

10. Once this is done you will go to the C:\Temp directory and retrieve that bin file and copy it to the client server. Copy it to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin directory. It’s not mandatory to copy the file to the bin directory if you do not you will need to specify the full path of the file as a value for “-DPMcredential” parameter.

Phase 2: Installing the certificate on the client

On the client we will assume that the DPM agent is already installed.

This method will be the same as it was for the DPM server and we will select the same certificate parameters as listed above. For clarity I will go over them again for the client side.

1. On the client via web enrollment “request a certificate”


2. Submit an advanced certificate request:


3. Select to “Create and submit a request to this CA


4.During the request we specify the following


5. We then choose to install the certificate. Once done, we need to open up an MMC and add the certificate snap-in for both current user and local computer. Remember that by default the certificate will be installed into the current user store.


We will need to export the certificate and import it into the Local Computer personal store. You can use the steps above to export the certificate as we did for the DPM server. Make sure to choose “Yes export the private key”. Once it’s exported, please import that certificate into the Local Computer store.


Phase 3: Running the setdpmserver command on the protected computer

We will now configure the protected server to recognize the DPM server as being authorized to perform backups. The DPM agent will need to be installed on the protected server before we run the setdpmserver command. If the agent is not already installed, this can be done via the DPM installation media. From the DPM media, launch setup.exe. From the DPM launch screen, choose Install DPM Protection Agent. This will install the files needed to run SetDPMServer.

Now that we have a certificate on the client server to be protected, we will need the thumbprint from the certificate properties.

1. Open up the certificate in the computer personal store that was imported and go to the details tab.


Here we will need the thumbprint of the protected server certificate. Copy the thumbprint and paste it into Notepad. Once done, remove the spaces as in the example below:


We will have to use this output as a parameter for the setdpmserver command.

2. Open a command prompt and navigate to the C:\Program Files\Microsoft Data Protection Manger\DPM\bin directory. Here we will use the following syntax:

setdpmserver –dpmCredential –OutputFilePath c:\Temp -Thumbprint <ClientThumbprintWithNoSpaces>

Successful results will be displayed as below:


”” is the name of the bin file copied from the DPM server to the client server. Just like on the DPM server, you will have to create or use an already existing directory for the client to save it’s bin file. This bin file, once created, will be placed on the DPM server.

NOTE During the System Center 2012 Data Protection Manager beta, if you did not have the firewall turned on during this command then you would get the following error:


This is no longer an issue in the RTM release of System Center 2012 Data Protection Manager.

3. Go to the C:\Temp directory to retrieve the .bin file created and copy it to the DPM server. Again, you can copy this file to any location on the DPM server but you will need to specify the full path for the ‘PSCredentials” parameter. By default, “Attach-ProductionServerwithCertificate.ps1” checks for the file in the Windows\System32 directory. If you copy the file to this directory then you can specify the filename instead of the full path.

Phase 4: Attach the Client from the DPM server

This is done not via the DPM agent management tab but rather by PowerShell. With the .bin file created by the client copied from the client to the DPM server, we will now open PowerShell and perform the attach. Once the .bin file from the client is saved to DPM, open up PowerShell and type the following command, then hit Enter:


You will see the following prompting you for values:

Supply values for the following parameters:
DPMservername: DPM01
PSCredentials: CertificateConfiguration_MemberServer.bin

NOTE The PSCredentials is asking for the name of the bin file created by the client. Specify the full path unless you copied the bin file to Windows\system32 directory.

IMPORTANT Upon running the Attach-ProductionServerWithCertificate.ps1 command, it is important that you specify the protected server created *.bin file. If you specify the DPM server *.bin file then you will remove all of the protected servers configured for certificate based authentication.

The attach should be completed with no issues and the protected server should show up in the DPM GUI.


NOTE If you do not place the file in the \system32 directory and you do not specify the full path then you will see the warning below.


Appendix A: Creating the DPM certificate template

To create a DPM template for web enrollment, we can copy an existing template from within the “Certificate Templates” snap-in on the Certificate Authority. We will need to pick one that is listed as client authentication and server authentication for intended purposes.


In this example above, the “RAS and IAS Server” template is selected. It is highlighted and we select “Duplicate Template”. We will be prompted for a selection as below:


Leave the default at Windows Server 2003 Enterprise and click OK. Change the Template display name to something distinguishable. In this example we have chosen “DPM Authentication” as the template display name.


There also needs to be a check in the check box for “Publish certificate in Active Directory”. In the Request Handling tab, the Allow private key to be exported should be selected.


Now that we’ve created a new template for DPM authentication, we now need to make the certificate template available for use. Open the Certificate Authority snap-in.


Right-click on “Certificate Templates” and select “New” then choose “Certificate Template to Issue”.


Once this is done you will be provided with a selection of certificate templates to chose from. Select the template we created and click OK.


Appendix B: Configuring the DPM Template for Enrollment or AutoEnrollment

During the creation of the DPM certificate template, you can optionally configure it for Enrollment or Autoenrollment.

a. Selecting Enroll will allow it for selection via MMC.
b. Selecting Autoenroll will allow the certificate to be automatically assigned to computers in the domain.

For Enrollment, if the request will be done directly through the MMC (much easier method), then use Build from this Active Directory information radio button. Change the drop down to use Common name, and the check the box for DNS name. Click OK to accept that.


Only if using the MMC method to request the certificate, go to the Security tab and select Enroll for Authenticated Users. Once done, close out the certificate properties.

Optionally, if Autoenroll is selected, this certificate will be automatically assigned to computers in the domain.


Now that the choice has been made to Enroll the certificates, we should now be able to request the certificate via the MMC. On a server to be protected, in the Certificates (Local Computer) snap-in, expand the Personal store and right click “certificates”. Select “All tasks” then “Request New Certificate”


You should see the certificate enrollment wizard initialized.


Select “Next” and you should see the choice to select “Active Directory Enrollment Policy”.


Select “Next”. You should now see our template that we created as a selection.


You can expand the “Details” and see the properties.


When the properties page opens, select the “General” tab and give it a friendly name. In this example we give it the name of “DPM AuthTest”


Once you select Apply, select Next and you should see a confirmation that the certificate is installed successfully.


Go back to the Certificate Computer personal store and double click on the certificate. Select the “Certificate Path” tab. You can see the friendly name of “DPM AuthTest”


You have now requested a certificate for DPM use via MMC instead of web enrollment.

Shane Brasher | Senior Support Escalation Engineer

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

App-V Team blog:
ConfigMgr Support Team blog:
DPM Team blog:
MED-V Team blog:
Orchestrator Support Team blog:
Operations Manager Team blog:
SCVMM Team blog:
Server App-V Team blog:
Service Manager Team blog:
System Center Essentials Team blog:
WSUS Support Team blog:

The Forefront Server Protection blog:
The Forefront Endpoint Security blog :
The Forefront Identity Manager blog :
The Forefront TMG blog:
The Forefront UAG blog:

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Thanks i like your blog very much , i come back most days to find new posts like this!Good effort.I learnt it.


    Albert Reo

    For more information visit our website <a href=">.

  • Microsoft Safety Scanner

    Kostenloser Sicherheitsscan für Ihren Computer

    Български (България)Čeština (Česká republika)Dansk (Danmark)Deutsch (Österreich)Deutsch (Schweiz)Deutsch (Deutschland)Ελληνικά (Ελλάδα)English (Australia)English (Canada)English (United Kingdom)English (Hong Kong SAR)English (Indonesia)English (Ireland)English (India)English (Malaysia)English (New Zealand)English (Philippines)English (Singapore)English (United States)English (South Africa)Español (Argentina)Español (Chile)Español (España)Español (México)Español (Latinoamérica)Eesti (Eesti)Suomi (Suomi)Français (Belgique)Français (Canada)Français (Suisse)Français (France)Hrvatski (Hrvatska)Magyar (Magyarország)Italiano (Italia)日本語 (日本)한국어 (대한민국)Lietuvių (Lietuva)Latviešu (Latvija)Norsk (Norge)Nederlands (België)Nederlands (Nederland)Polski (Polska)Português (Brasil)Português (Portugal)Română (România)Pусский (Россия)Slovenčina (Slovensko)Slovenski (Slovenija)Svenska (Sverige)ไทย (ประเทศไทย)Türkçe (Türkiye)українська (Україна)简体中文繁體中文 (香港特別行政區)繁體中文 (台灣)

    Auf einem anderen Computer ausführen? Wählen Sie Ihre Version aus.

    Microsoft Safety Scanner

    Sind Sie der Meinung, dass Ihr Computer durch einen Virus infiziert ist?

    Microsoft Safety Scanner ist ein kostenloses Sicherheitstool, das nach Bedarf Computerscans ausführt und Viren, Spyware und sonstige Schadsoftware entfernt. Es ist mit Ihrer bestehenden Antivirensoftware kompatibel.

    Hinweis: Microsoft Safety Scanner läuft 10 Tage nach dem Download ab. Um erneut einen Scan mit den aktuellen Antischadsoftware-Definitionen auszuführen, laden Sie Microsoft Safety Scanner herunter, und führen Sie es erneut aus.

    Microsoft Safety Scanner stellt keinen Ersatz für ein Antivirenprogramm dar, das ständigen Schutz bietet.

    Wenn Sie Echtzeitschutz wünschen, der Ihren privat oder geschäftlich genutzten Computer vor Viren, Spyware und anderer Schadsoftware schützt, laden Sie Microsoft Security Essentials herunter..


    Mehr Sicherheit für Ihren Computer und beim Webbrowsen

    Kunden, die eine Originalversion von Windows verwenden, erhalten ein zusätzliches Abonnement für Microsoft Security Essentials, die preisgekrönte Antivirensoftware für den Schutz von Computern.

    Laden Sie die aktuelle Version des sichereren Microsoft-Browsers mit SmartScreen-Filter herunter, die verhindert, dass Sie im Internet auf Phishing-Websites gelangen oder sonstigen Onlinebetrügern zum Opfer fallen.

    Mit Windows Live Family Safety können Sie durch selbst erstellte Regeln die Sicherheit Ihrer Kinder im Internet verbessern. Mit weiteren Tools können Sie überwachen, welche Websites Ihre Kinder besuchen.

    Hilfe und Ressourcen

    •Microsoft Safety ScannerProblembehandlung

    •Microsoft Viren- und Sicherheitslösungscenter (Seite möglicherweise in englischer Sprache)

    •Microsoft Consumer Security Support Center (Seite möglicherweise in englischer Sprache)

    •Microsoft-Sicherheitscenter (Seite möglicherweise in englischer Sprache)

    •Microsoft Center zum Schutz vor Malware (Seite möglicherweise in englischer Sprache)

    •Microsoft Security Intelligence Report (Seite möglicherweise in englischer Sprache)

    •Microsoft Safety ScannerSystemanforderungen

    •Microsoft Safety ScannerDatenschutzbestimmungen

    •Microsoft Safety ScannerLizenzvereinbarung

    Größte Bedrohungen für den Desktop











    Weitere Informationen

    Profil verwalten| Kontakt| Nutzungsbedingungen| Marken| Datenschutzbestimmungen

    © 2011 Microsoft

    Man, I really want to debug my account... gibt's irgendwelche hil? Heeeeeeelllllpppp! (00353)214365877

  • Hello,

    I follow your blog post. I create the same certificate template.

    But when I execute the command on the client server, I have the error with the ID 33234.

    I have DPM 2012 SP1 UR3.

    Thank you for your help.


  • Hello J.C.,

    I have a question about the use of certificates to authenticate computers in an untrusted domain with DPM2012 R2 (4.2.1292).

    We have a primary forest (domain level 2008r2) where we have a DPM2012 R2(4.2.1292) server running on Windows 2012R2. We also have a second forest (domain level 2012) running in a separate network. These networks are not connected, they share no DNS, and there are no trust relations. Currently we use client protection with NTLM authentication to back-up data in the second forest to our DPM2012 server in our primary forest. We want to replace the NTLM authentication with certificate authentication. To achieve this we used the following guide:
    The network traffic between the DPM server, the CA and the servers in de second forest is allowed and the FQDN’s are placed in the host files. The CA (enterprise) server is installed on a 2008R2 DC with default settings, web enrollment is used. If we follow the guide within the primary forest and use a Windows 2008 server DPM target then everything works directly and smoothly. If we try to run the procedure on a Windows 2012 R2 server in the second forest then we get an error when we run (phase 4) Attach-ProductionServerWithCertificate.ps1 on the DPM2012 server with the error:
    There is failure while attaching production server with certificates C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\Attach-ProductionServerWithCertificate.ps1 : DPM CPWrapper Service on the servername.LOCAL computer has encountered a failure and may be in an unusable state. Exception Message = The socket connection was aborted

    Is there any advice you can offer, and can someone confirm this is a supported scenario.

  • what needs to be done on. seconday dpm for workgroup protection?