Cluster resources that use a cryptographic provider from a
third-party provider do not come online in a mixed-version cluster after you
upgrade to Windows Server 2003 or after the nodes are upgraded.
To resolve this problem, use the Cluster.exe utility to set
the Cryptographic Service Provider private property key length and the
effective key length for the third-party cryptographic provider that encrypts
and decrypts data for the failing resource type. To do so:
- From a command prompt, run the following command, where
cluster name is the name of the cluster,
CSP is the name of the cryptographic provider, and
effective_key_length are the key length and the
effective key lengths for the RC2 algorithm in bits:
cluster nameCSP=key_length,effective_key_length:MULTISTRThis command sets the encryption levels (key lengths) for a
cryptographic key that is used to export (encrypt) and import (decrypt)
resource data (cluster and cluster application cryptographic checkpoints). The
imported and exported resource data is saved to the quorum. For more
information about how to use Cluster.exe, see the cluster Help
- Depending on the resource, either bring the resource
online or re-create the resource to add the new cryptographic checkpoint.
The cryptographic key is generated by a cryptographic provider
that uses the RC2 block encryption method. Review the documentation for your
cryptographic provider to obtain valid values for the following RC2 encryption
Also review the cryptographic provider documentation for
information about how to add the cryptographic checkpoint.
has confirmed that this is a problem in the Microsoft products that are listed
at the beginning of this article.
To view the private properties for a cluster, use the /priv
parameter without any options. For example, to see the private
properties for the OpsClust cluster, type the following command at a command
cluster opsclust /priv
You can use the private property if you have a third-party
resource or a program that uses a third-party cryptographic provider that is
not supplied by Microsoft. Note
For information about troubleshooting this problem, see the "A
Third-Party Resource Fails to Come Online in a Mixed-Version Cluster or While
Upgrading a Cluster" section in the "Group and Resource Failure Problems" topic
in the Help file.
If you have security concerns about the
cryptographic checkpoint data that is written to the quorum when you import
resource data to a cluster node before you bring the resource online, you can
use this private property to change the encryption levels for any of the
cryptographic providers (that are supplied by third-party developers or by
Microsoft) that are used by the Cluster service.