Hi, further to this, I've created an empty scsadmin.dat file in the directory, now I'm getting a different error:
DEBUG: RCS-Backup: backup with "D:\SOURCE\vPro\vpropowershell\Backup\prof.bak", "D:\SOURCE\vPro\vpropowershell\Backup\psk.bak" [ ]
DEBUG: RCSServer's status is Running
DEBUG: RCSServer's status is Running
DEBUG: Stopping RCSServer .
DEBUG: Waiting for RCSServer to be Stopped
DEBUG: RCSServer's status is Stopped
DEBUG: RCSServer's start mode is Auto
DEBUG: RCSServer Disabled
DEBUG: DpDecrypt-File: C:\Documents and Settings\All Users\Application Data\Intel_Corporation\RCSConfServer\Profile.xml start
ConvertTo-SecureString : Key not valid for use in specified state.
At D:\SOURCE\vPro\vpro powershell\RCS-Backup.ps1:361 char:32
+ $sstr = ConvertTo-SecureString <<<< ([BitConverter]::ToString($ba) -replace ('-',''))
+ CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
+ FullyQualifiedErrorId :ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
DEBUG: DpDecrypt-Bytes: could not be decrypted.Exception:Value cannot be null.
Parameter name: s
DEBUG: Exception caught:21
DEBUG: RCSServer's start mode is Disabled
DEBUG: RCSServer Auto
DEBUG: Restarting RCSServer
I also get the above error when #blocked out any references to scsadmin.dat file.
Thanks for the post. I will look into this and see what is happening.
Hi Josh, I found some part of the solution to the problem.
If you register the RCS Service under a local or domain user account during installation and run the backup script under this account the backup is successfull. However if you register the RCS Service under the Network Service system account (most secure) you cannot do a backup.
I've trawled through the Intel Setup and configuration Service - User Guide a few times and I found the following:
On page 27 the guide tells you that you can run the RCS using a built-in Security account, extract below:
• You can also run the RCS using a built-in security account. To do this, enter “Network Service” in the Username field or click Browse to select it. If you want to use this account, see “Using the Network Service Account” on page 30.
• The user you select to run the RCS must have a password (unless it is the Network Service user account).
On page 30 it informs you that using this account is the most secure option, extract below:
The Windows operating system includes a built-in security account named “Network Security”. During installation of the RCS you can select this account to run the RCS. When the RCS runs under this account, the RCS communicates on the network using the credentials of the computer running the RCS. This can increase security because it is not easy to impersonate a computer.
To do a succesfull backup using the Network Service account it states on page 31 you need to create a task in Task Scheduler that runs under the Network Service account, extract below:
Backup User Verification
Make sure that you run the backup using the Network Service account. To do this, you can create a task in Task Scheduler that runs under the Network Service account. If you use the RCS-Backup.ps1 Powershell cmdlet, make sure that you use the -SkipUserVerification parameter.
However, to be able to schedule a task with task scheduler to run under the "NT AUTHORITY\NETWORKSERVICE" account you require Task Scheduler 2.0. see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx - extract
- /RU username
A value that specifies the user context under which the task runs. For the system account, valid values are "", "NT AUTHORITY\SYSTEM", or "SYSTEM". For Task Scheduler 2.0 tasks, "NT AUTHORITY\LOCALSERVICE", and "NT AUTHORITY\NETWORKSERVICE" are also valid values.
Task Scheduler 2.0 is only available on Windows 2008 and Windows Vista, see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383614(v=vs.85).aspx - extract
The Task Scheduler requires the following operating systems.
- Task Scheduler 1.0: Client requires Windows Vista, Windows XP, Windows 2000 Professional, Windows Me, or Windows 98. Server requires Windows Server 2008, Windows Server 2003 or Windows 2000 Server.
- Task Scheduler 2.0: Client requires Windows Vista. Server requires Windows Server 2008.
In my environment I've installed RCS on a Windows 2003 server, therefore I'm not able to run the backup under the NT Authority\NetworkService account due to the version of Task Scheduler.
Thank you for the follow-up, I will be sure to feed this back to the development team and let them know you found the cause.
After your post, I received some additional information from the development team:
- If you don’t have an admin password file DON’T add dummy.(it will fail…) delete the dummy file and try to run
- “.\RCS-Backup.ps1 -Operation Backup -Password "********" -Profiles "D:\SOURCE\vPro\vpro powershell\Backup\profiles.bak" -PSK "D:\SOURCE\vPro\vpro powershell\Backup\PSK.bak" -DMP "D:\SOURCE\vPro\vpro powershell\Backup\dmp.bak"
- Please make sure that the user that run this script is the same as the RCS service user and on the same machine as the RCS.(we use Kerberos DPAPI decryption)
- “Key not valid for use in specified state.” Is a Microsoft error returned from the decryption function. Please verify that your client is sync with you AD(no trust issues)
- This post : ” http://www.sitefinity.com/devnet/forums/sitefinity-4-x/general-discussions/key-not-valid-for-use-in-specified-state.aspx ” have some suggestions that helped them.(don’t forget to backup before deleting anything)
Thanks again for your follow-up