This article describes a mandatory update that fixes an issue in the Microsoft Azure Recovery Services (MARS) Agent, which is used by Microsoft Azure Backup, Microsoft Azure Backup Server (MABS), System Center Data Protection Manager (DPM) and the Microsoft Azure Site Recovery service to transport data to Azure.
You have configured MARS Agent backup using a passphrase that contains one or more characters with ASCII values greater than 127. When you attempt to restore system state and/or files and folders to an alternate server, the restore fails with the following error even though the previously registered passphrase was provided.
The encryption passphrase provided is incorrect. Please provide the same passphrase that you used previously to register this server to the vault.
This may also affect re-registration of the MARS Agent to the same vault after a server rebuild. The server registration may fail with the error below even though the previously registered passphrase was provided.
Failed to set the encryption key for secure backups.
In such cases, the only way to successfully restore existing backups is to use the cached key on the original server.
If the original server is online and available, regenerate the passphrase on the original server using allowed passphrase characters. You can then use the new passphrase for restore.
The MARS Agent applies a one-way encryption to the passphrase to derive a key, which is then used to encrypt the backup data. Some special characters in the passphrase can trigger a problem in this initial one-way encryption, causing an incorrect passphrase to be set.
During a restore to an alternate server, deriving the key again from the same passphrase does not reproduce the key that was originally set, so the restore fails.
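The following added example (not Microsoft's code and not the MARS Agent's actual derivation) illustrates the general failure class behind this cause: a key derived from a passphrase depends on the exact bytes fed to the one-way function, and characters above 127 are where those bytes can differ between environments. PBKDF2, the salt, the iteration count and the three encodings are assumptions chosen for the demonstration.

```python
import hashlib

# Constructed demonstration values; these are NOT MARS Agent parameters.
SALT = b"constructed-demo-salt"
ITERATIONS = 10_000
ENCODINGS = ("utf-8", "cp1252", "latin-1")


def non_ascii_chars(passphrase):
    """Return (index, char, code point) for every character above 127."""
    return [(i, ch, ord(ch)) for i, ch in enumerate(passphrase) if ord(ch) > 127]


def derive_key(passphrase, encoding):
    """Derive a 32-byte key; None if the encoding cannot represent the text."""
    try:
        raw = passphrase.encode(encoding)
    except UnicodeEncodeError:
        return None
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, ITERATIONS)


def keys_by_encoding(passphrase):
    """Map each assumed encoding to the hex key it yields (or None)."""
    result = {}
    for encoding in ENCODINGS:
        key = derive_key(passphrase, encoding)
        result[encoding] = key.hex() if key is not None else None
    return result


def is_portable(passphrase):
    """True only if every encoding yields the same key, so the key can be
    re-derived elsewhere no matter how the text was turned into bytes."""
    keys = set(keys_by_encoding(passphrase).values())
    return None not in keys and len(keys) == 1


if __name__ == "__main__":
    # Constructed sample passphrases (escapes keep the source file ASCII-only).
    samples = ("Correct-Horse-Battery", "P\u00e4ssphrase-\u00fcmlaut", "Price-100\u20ac")
    for sample in samples:
        print(repr(sample), non_ascii_chars(sample), is_portable(sample))
```

Running `non_ascii_chars` over a candidate passphrase before registering it shows which characters would need replacing to stay within the 0-127 range.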
The fix for this issue is included in the MARS Agent version 2.0.9190.0.
After downloading and installing this version, you must validate your passphrase to ensure that it meets the updated requirements for the passphrase.
Steps for MARS Agent:
On opening the MARS console, you will see a message at the top informing you that the passphrase needs to be validated. Please click on the Validate link.
The passphrase validator will open and prompt you for the current passphrase. If it does not meet the passphrase requirements, you will immediately be provided the option to regenerate the passphrase. To regenerate the passphrase you will need to provide:
A new passphrase that meets requirements
A Security PIN (see below for instructions to generate it)
A secure location to save the newly generated passphrase
Steps for DPM and MABS:
Execute the passphrase validation tool from an elevated command prompt. The tool can be found at one of the following locations:
System Center Data Protection Manager:
%ProgramFiles%\Microsoft Azure Recovery Services Agent\bin\PassphraseValidator.exe
Microsoft Azure Backup Server:
%ProgramFiles%\Microsoft Azure Backup Server\DPM\MARS\Microsoft Azure Recovery Services Agent\bin\PassphraseValidator.exe
The passphrase validator will open and prompt you for the current passphrase. If it does not meet the passphrase requirements, you will need to regenerate the passphrase.
To regenerate the passphrase for DPM and MABS, open the management console, navigate to the Management tab, select Online, and then select the Configure option. Follow the Configure Subscription Settings Wizard and, at the Encryption Setting step, provide the updated passphrase.
Steps to obtain the Security PIN:
To regenerate the passphrase, a Security PIN is required. It can be retrieved from the Azure Portal: navigate to the Vault Properties and, under Security PIN, click on Generate.
To apply this update, download from the Microsoft Download Center and install version 2.0.9190.0 of the Microsoft Azure Recovery Services agent.
Note: The version for this update of Microsoft Azure Recovery Services agent is 2.0.9190.0.
For more information about how to download Microsoft support files, see the following Microsoft Knowledge Base article:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Applying the update to multiple servers
If your servers are registered to one or more Recovery Services Vaults, you can update your servers directly from the Azure portal. Perform the following steps to update multiple servers from the Azure portal:
Download the installer for the update from the link mentioned above
Navigate to the Recovery Services Vault where your servers are registered
On the left-side Settings blade click on Backup Infrastructure under the Manage section
Click on Protected Servers under Management Servers and select Azure Backup Agent as the Backup Management Type
From the blade that appears, click on a server for which agent version is lower than 2.0.9190.0
On the server’s detail blade, click on Connect. This will download a Remote Desktop Connection file with which you can connect to the server, copy the downloaded agent to the server and update it. After updating the agent, launch the console and perform the one-time validation of your passphrase.
Once you are done updating, you can select other servers which have agent versions lower than 2.0.9190.0 and update agents on them similarly.
If you are using Windows Server 2008 (SP2 and R2 SP1, any SKU), you need to restart your machine after applying this update. Users who have installed the MARS Agent on other Windows Server versions don’t need to restart the computer after applying this update.
If you use System Center 2019 Data Protection Manager (SC DPM), it is recommended that you apply Update Rollup 1 for System Center 2019 Data Protection Manager or a later version.
If you use System Center 2016 Data Protection Manager (SC DPM), it is recommended that you apply Update Rollup 9 for System Center 2016 Data Protection Manager or a later version.
If you use System Center 2012 R2 Data Protection Manager (SC DPM), apply Update Rollup 12 for System Center 2012 R2 Data Protection Manager or a later version.