BE 12 - Software Encryption Enabled/Tested - Renam...

Softech · ‎09-17-2009

Windows SBS 2003
Backup Exec 12.
Enabled Software Encryption key - Restricted Type.
Tested Backup & Restore - Successful.
Applied to live job.

Later same day changed Domain Admin account login name & password - this is the account that was used to install & operate Backup Exec.
Updated the username/Password on BE Services and within BE Logon Accounts.

However, when I try to apply the Key to the job now or make any changes (&therefore "Save" the job) I get the error:
"The restricted encryption key cannot be used because the owner cannot be validated"
Set as a Common Key it works fine.

I have deleted & re-created the key, now that I'm logged in with the new Username and Password - no change.

Encryption Keys settings still shows the Owner of the Key as "Domain\administrator" - even though this is no longer a valid account, and I was logged in as the new username when opening BE and creating the key.

Ideas??

Colin_Weaver · ‎09-17-2009

I suspect the problem is that the restricted key in the job is secured from being changed without the correct credentials and in this case you have changed the account that was used to create the restricted key. As such you will almost certainly have to recreate your job configuration as well as creating a new key in order to sort the problem out.

Basically anything restricted in the Backup Exec configuration is tied to an account and change in the name or security GUID of the account can cause issues like this - after all the idea is to make things secure so anything suspicious in terms of changes will cause problems.

Note just changing the password of an account is not likely to cause this sort of problem (assuming you change the passwords in all the required locations) - it is likely to be because you renamed the account that this has happened. Also if you had made a new account but kept the original one in existence you would probably have been OK but limited as to what you can do logged in as the wrong user.

Softech · ‎09-17-2009

I have already Re-Created the Key.
I then removed the old one from the job, Saved the job, re-opened the job and attempted to add the new key.

I also added the renamed account explicitly as a Logon Account in BE, then set it as the Default Logon Account, then shutdown BE, logged off the server. Logged back on, opened BE and attempted the process of Creating and Assigning the key. No success.

Is there somewhere else that needs to be updated?

Colin_Weaver · ‎09-17-2009

Create a new job - and use the new key with the job - but use your old selection list if you want - it is the job containing a link to the restircted key that has an invalid set of credentials that is causing the problem. To change restrircted keys in a job (I suspect) the credentuials need to be valid for both the key you are removing and the key you are adding - your credentials are now ONLY valid for the key you are adding.

Softech · ‎09-17-2009

I've just tried and gotten the same result.
Created a new job, used original selection list and created another new encryption key, set as Restricted - and it failed agian with the same message.

Colin_Weaver · ‎09-17-2009

In your Accounts List (in the BE CONSOLE) - do you have a valid System Logon Account configured?

Other than this can't think of any other advice to offer.

Softech · ‎09-23-2009

Yes. This was configured as the original Domain Admin account. I have updated it to the new Domain Admin account name.

A possible cause is that AD seems to still report the display name of the account as "Administrator" despite the fact that I've changed this and the logon name. In Backup Exec the "Account Owner" shows as "domain\administrator" - I wonder if this somewhere causing BE to look for the account with a logon of administrator still??

VOX

BE 12 - Software Encryption Enabled/Tested - Renamed Domain Admin A/c - Error "The restricted encryption key cannot be used because the owner cannot be validated"