Error message “The file is either corrupted or does not have the latest credentials associated with recovery service. (ID: 34513) “

Consider the following scenario

• You’re using Microsoft Azure Recovery Services to backup a Windows Server
• The new vault credentials file is less than two days old or is allowed to “reregister”
• There are no known status issues with Azure
• When attempting to install the Azure Backup agent, with the correct credentials you receive an error message “Invalid vault credentials provided. The file is either corrupted or does not have the latest credentials associated with recovery service. (ID: 34513) We recommend you download a new vault credentials file from the portal and use it within 2 days.”

My scenario included trying to backup a server with a RAID controller on it’s last legs. The host server had crashed and only just been restored. Attempts to use the Azure Backup Agent failed when attempting to contact the vault (with certificate authentication). I uninstalled the agent and reinstalled and continued to get the following error message:

Invalid vault credentials provided. The file is either corrupted or does not have the latest credentials associated with recovery service. (ID: 34513) We recommend you download a new vault credentials file from the portal and use it within 2 days.

Solution

The problem was that the time on the Windows server was incorrect. The VM host had crashed, stumbled back online and the time within the VM was many hours out.

To force a sync with the existing time servers I used the following in an administrative command prompt:

w32tm /resync

If the above doesn’t work, continue to try it several times to cycle through a list of servers. If the problem is with a virtual machine where the host provides time synchronisation, it is important you resolve the issue on the host and not the individual virtual machine.

If the VM is a domain controller on a virtual machine, the DC should be ignoring the time of the host and getting it from an external, reliable and authoritative source. I prefer to use pool.ntp.org project servers when given the option due their relationship with the Network Time Protocol (NTP) project.

In this case the following would be my preferred option:

w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org”

Note NTP servers are found in many zones based on continents. If time accuracy is important (e.g. you’re running your country’s nuclear program) then you may like to consider a zone closer to you for greater accuracy.