Cannot backup TDE Certificate

  • I'm trying to back up the TDE Certificate but the OS reboots when executing the query:

    BACKUP CERTIFICATE MyCertForTDE TO FILE = 'TestDB1_Cert.cer'
    WITH PRIVATE KEY ( FILE = 'TestDB1Key.key',
    ENCRYPTION BY PASSWORD = ' TH!$IsN0TMyP@$$word' );

    And I get the attached error saying an unexpected error occurred during password validation.


    This password in the above query is just an example. My real password met all the requirements, upper and lower case letters, numbers, special characters, and I tried passwords in length of 20 to 24 characters. Each time I keep getting the same error and the OS reboots. I'm doing this on Windows Server 2008 R2 with SQL Server 2012 R2 SP4 Enterprise version.

    Thanks.

  • WC_Admin - Tuesday, October 23, 2018 6:40 AM

    I'm trying to back up the TDE Certificate but the OS reboots when executing the query:

    BACKUP CERTIFICATE MyCertForTDE TO FILE = 'TestDB1_Cert.cer'
    WITH PRIVATE KEY ( FILE = 'TestDB1Key.key',
    ENCRYPTION BY PASSWORD = ' TH!$IsN0TMyP@$$word' );

    And I get the attached error saying an unexpected error occurred during password validation.


    This password in the above query is just an example. My real password met all the requirements, upper and lower case letters, numbers, special characters, and I tried passwords in length of 20 to 24 characters. Each time I keep getting the same error and the OS reboots. I'm doing this on Windows Server 2008 R2 with SQL Server 2012 R2 SP4 Enterprise version.

    Thanks.

    You need to check the Windows event logs on the server.

    Sue

  • Sue_H - Tuesday, October 23, 2018 7:19 AM

    You need to check the Windows event logs on the server.

    Sue

    That's the thing. I checked the Event logs after Windows rebooted, and nothing in the logs even mentions that error, nor why the OS rebooted. I checked the SQL error logs. No mention of a reboot, or the error I got. I checked "ErrorLog" in \MSSQL\LOG\, and no mention of rebooting or the SQL errors.

  • Sue_H - Tuesday, October 23, 2018 7:19 AM

    You need to check the Windows event logs on the server.

    Sue

    Seconding this, as I would get a similar (possibly the exact same) error at one time as our servers had a 3rd party password filter driver loaded, that would cause the LSASS service to crash when I attempted to back up anything in SQL with a password. It should show up in the event logs, I believe; check the Application log for starters.

  • Would this server happen to be in a government environment? I have had the same experience due to a bug in the EnPasFltV2x64.dll/EnPasFltV2.dll password policy libraries. Thing is if this is the case and it is because of STIG requirements I do not believe newer STIGs require this dll to be present.

    If this dll is present you can test if this is the cause by renaming the dll, restarting the server and trying your operation again.

    Joie Andrew
    "Since 1982"

  • Joie Andrew - Tuesday, October 23, 2018 9:45 AM

    Would this server happen to be in a government environment? I have had the same experience due to a bug in the EnPasFltV2x64.dll/EnPasFltV2.dll password policy libraries. Thing is if this is the case and it is because of STIG requirements I do not believe newer STIGs require this dll to be present.

    If this dll is present you can test if this is the cause by renaming the dll, restarting the server and trying your operation again.

    I have a test server that mimics our production server, so I'll see if renaming the dll file on there resolves the issue. If it does, thanks ahead of time.

  • Joie Andrew - Tuesday, October 23, 2018 9:45 AM

    Would this server happen to be in a government environment? I have had the same experience due to a bug in the EnPasFltV2x64.dll/EnPasFltV2.dll password policy libraries. Thing is if this is the case and it is because of STIG requirements I do not believe newer STIGs require this dll to be present.

    If this dll is present you can test if this is the cause by renaming the dll, restarting the server and trying your operation again.

    One other question, do I also need to remove the entry in the registry? (HKLM\System\CurrentControlSet\Control\LSA\ EnPasFltV2x64.dll) ?

    Thanks

  • WC_Admin - Tuesday, October 23, 2018 11:44 AM

    Joie Andrew - Tuesday, October 23, 2018 9:45 AM

    Would this server happen to be in a government environment? I have had the same experience due to a bug in the EnPasFltV2x64.dll/EnPasFltV2.dll password policy libraries. Thing is if this is the case and it is because of STIG requirements I do not believe newer STIGs require this dll to be present.

    If this dll is present you can test if this is the cause by renaming the dll, restarting the server and trying your operation again.

    One other question, do I also need to remove the entry in the registry? (HKLM\System\CurrentControlSet\Control\LSA\ EnPasFltV2x64.dll) ?

    Thanks

    You should remove it from the registry as well, if nothing else to prevent errors on startup when Windows tries to load the driver and can't find it.

    If you are required to follow the STIGs, make sure you get the most recent OS STIG and point out to whoever is in charge of the OS that this is no longer required. It's quite possible this is being pushed out to your servers by a GPO setting, in which case it will come back when you restart.
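
The registry entry and the DLL file discussed in the posts above can be checked together. The following PowerShell is an added example, not part of the original thread or any vendor tooling: it lists the password filters registered under the LSA `Notification Packages` value and reports whether each DLL is actually present in System32, so a registered-but-missing filter or a third-party filter stands out. The `$baseline` list of Windows-supplied entries is an assumption; adjust it to your own build.

```powershell
# Added example: audit the LSA password filters (notification packages) on this host.
# Filters are registered by base name in the "Notification Packages" multi-string
# value and are loaded by LSASS from %SystemRoot%\System32.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('scecli', 'rassfm')   # assumed Windows-supplied entries; edit for your baseline

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($name in $packages) {
    if (-not $name) { continue }                      # skip empty strings in the multi-string
    $base    = $name -replace '\.dll$', ''            # tolerate entries written with an extension
    $path    = Join-Path $env:SystemRoot "System32\$base.dll"
    $present = Test-Path -LiteralPath $path

    # Only query file metadata when the DLL exists (it will not after a rename).
    $ver = if ($present) { (Get-Item -LiteralPath $path).VersionInfo } else { $null }
    $sig = if ($present) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    New-Object psobject -Property @{
        Package     = $name
        ThirdParty  = ($baseline -notcontains $base)  # -notcontains is case-insensitive
        FilePresent = $present
        Company     = $ver.CompanyName
        FileVersion = $ver.FileVersion
        Signature   = $sig
    }
}

$report |
    Select-Object Package, ThirdParty, FilePresent, Company, FileVersion, Signature |
    Format-Table -AutoSize

# A filter that is still registered but whose file was renamed or removed is the
# mismatch the reply above warns about: Windows will try to load it at startup.
$report | Where-Object { -not $_.FilePresent } | ForEach-Object {
    Write-Warning ("'{0}' is registered under {1} but its DLL is missing from System32." -f $_.Package, $lsaKey)
}
```

Running it again after the next reboot or Group Policy refresh shows whether a removed entry has been pushed back.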

  • WC_Admin - Tuesday, October 23, 2018 11:44 AM

    Joie Andrew - Tuesday, October 23, 2018 9:45 AM

    Would this server happen to be in a government environment? I have had the same experience due to a bug in the EnPasFltV2x64.dll/EnPasFltV2.dll password policy libraries. Thing is if this is the case and it is because of STIG requirements I do not believe newer STIGs require this dll to be present.

    If this dll is present you can test if this is the cause by renaming the dll, restarting the server and trying your operation again.

    One other question, do I also need to remove the entry in the registry? (HKLM\System\CurrentControlSet\Control\LSA\ EnPasFltV2x64.dll) ?

    Thanks

    Actually, never mind. Renaming the DLL worked!
    "Command completed successfully"

    Thank you!

  • Glad to see your problem is fixed.

    I hate that dll.

    FYI if it is on other servers you might get similar symptoms with other actions, like setting/resetting a SQL login password.

    Joie Andrew
    "Since 1982"

  • Joie Andrew - Tuesday, October 23, 2018 12:22 PM

    Glad to see your problem is fixed.

    I hate that dll.

    FYI if it is on other servers you might get similar symptoms with other actions, like setting/resetting a SQL login password.

    Actually I was just going to ask you that. I've gotten the same error when setting or resetting the SQL Authentication login. Do you know the fix for that? I know this should have been a different thread but I'd really love to know. Thanks!

  • Short of removing the dll from servers I think your options might be limited. You could try e-mailing DISA STIG support. If you have to have the dll in place they may be able to provide an updated version that fixes the issue.

    Joie Andrew
    "Since 1982"

  • Joie Andrew - Tuesday, October 23, 2018 1:18 PM

    Short of removing the dll from servers I think your options might be limited. You could try e-mailing DISA STIG support. If you have to have the dll in place they may be able to provide an updated version that fixes the issue.

    If I recall from the STIG changes list when they removed it, it was because the filter went out of support and there was no replacement for it.  Seeing as software on Gov systems needs to be in support (well, you can weasel around that, but it's not fun) they removed the requirement.

    So there's no updates for it.
