Windows MPIO Information–Encrypted, Really?

We are in the process of trying to get all of our Windows 2008 and higher servers of EMC PowerPath and onto the native Windows MPIO driver. While PowerPath has some benefits, it’s also very expensive, and we’ve run into some versioning issues that have caused a couple of outages. Since Microsoft started including a driver (that generally works really well) in Windows 2008, we are using that as a standard.

There were some questions from one of my engineers about the paths looking different from PowerPath to the native driver so I went first to the MPIO configuration tool (Control Panel > Admin Tools > MPIO). It doesn’t provide a great deal of detail, but there is the option to capture a snapshot of the current MPIO configuration. Well, I tried to run this and got “System Error 5 has occurred. Access is Denied”

Given that I was a local admin on the server, I was really curious as to why this was failing. So I went to the command line, where I could use the MPCLAIM tool. The –V flag gathers the config information and exports it to a file. Same error—Access is Denied, Error 5. So I went to the googles—and I found this from a Microsoft employee in a forum post.

Microsoft for whatever reason decided to encrypt the temp file for that is generated. It turned out in my case we had an issue with an expired Data Recovery Agent certificate that was preventing AD from encrypting that file. If you are trying to gather MPIO config information, you need to have the ability to encrypt. So if you run into this, you probably need to contact your friendly domain admin.

Does anyone have any ideas on why Microsoft would want to encrypt this file? The only logical thing I could conclude is that is could have configuration information, but that info tends to be accessible from other methods (HBA clients, WMI, etc)

 

%d bloggers like this: