Exchange Granular Recovery restore fails with e0000388 - Cannot log on to EWS with the specified credentials
Problem
When trying to restore an Exchange mailbox or mailbox item backed up with Granular Recovery Technology (GRT), the restore fails when TLS 1.0 is disabled.
This issue applies to Backup Exec and NetBackup.
Error Message
e0000388 - Cannot log on to EWS with the specified credentials
Cause
.Net updates and configuration changes are required to be able to do a GRT restore with TLS 1.0 disabled.
Solution
Follow these instructions to enable Exchange GRT restore to function in Backup Exec or NetBackup when TLS 1.0 is disabled.
On the Exchange server(s)
For Exchange Servers 2013 and above:
.Net needs to be updated to at least version 4.7.1.
For Exchange 2010:
Update .Net to the latest version of .Net 4.5.x (.Net 4.7.x is not supported for Exchange 2010).
Microsoft Information on how to Identify if TLS 1.0 has been disabled
Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.
The following DWORD registry keys need to be edited and/or created.
The SystemDefaultTlsVersions key needs to be set to "1" in registry
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions
The SchUseStrongCrypto key needs to be set to "1" in the registry
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto
Example:
The SystemDefaultTlsVersions key needs to be created as a DWORD and set to "1" in the registry
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
The SchUseStrongCrypto key needs to be created and set to "1" in the registry
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
PowerShell Method to set and create the registry keys:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
On some occasions the above keys are also required in the path below (only to be done when the above steps did not fix the issue):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETframework\<version>
Note: A reboot of the Exchange server(s) is needed after editing or creating the registry values.
Usual precautions apply before making edits in the registry!
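The following script is an added example, not part of the original article or of any vendor tooling. It reports the current state of both values described above (SystemDefaultTlsVersions and SchUseStrongCrypto) in the 64-bit and Wow6432Node views, and sets them to 1 only when run with -Apply. Assumptions: the .NET version key is v4.0.30319 as in the article's example, the script is saved as a .ps1 file under a name of your choosing, and it is run from an elevated PowerShell session.

```powershell
# Added example: audit (default) or set the two .NET TLS values from this article.
# Assumption: the .NET version key is v4.0.30319, as in the article's example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,                      # without -Apply the script only reports
    [string]$Version = 'v4.0.30319'
)

$paths = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\$Version",              # 64-bit view
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\$Version"   # 32-bit view
)
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

function Get-TlsValueState {
    # Emits one object per path/value pair; Value is $null when the value is absent.
    foreach ($path in $paths) {
        foreach ($name in $names) {
            $current = $null
            if (Test-Path -Path $path) {
                $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Path      = $path
                Name      = $name
                Value     = $current
                Compliant = ($current -eq 1)
            }
        }
    }
}

$before = Get-TlsValueState
if ($Apply) {
    foreach ($item in ($before | Where-Object { -not $_.Compliant })) {
        if (-not (Test-Path -Path $item.Path)) {
            # Do not create a .NET version key that is not installed on this host.
            Write-Warning "Key not found, skipping: $($item.Path)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($item.Path)\$($item.Name)", 'Set DWORD to 1')) {
            New-ItemProperty -Path $item.Path -Name $item.Name -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Get-TlsValueState | Format-Table -AutoSize   # state after the change
    Write-Warning 'Reboot the Exchange server for the change to take effect.'
} else {
    $before | Format-Table -AutoSize             # report only
}
```

Running with -Apply -WhatIf lists the values that would be written without changing the registry.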