
SEC 5.2 will not install - interactive logon error...aaaarrrgggghhh!!

I am running 2 x 2008r2 servers.

The database is 2012 on one of the servers.

SEC 5.2 on the other.

Both are part of a larger Domain.

I have set up the service accounts as per article KB113954: "SophosManagement" and "SophosUpdateMgr".

I first installed the database on one of the servers successfully. Yeah!

But...when installing SEC 5.2 on the other server, I get the following error when I enter the credentials for the database.

"The specified account does not have interactive logon rights on this machine."

When I change the service account to have local administrator rights, it will install successfully.

The documentation and best practice says not to give service accounts administrator rights. Users rights is ok...apparently.

These accounts are set as "logon as a service", and these types of accounts are not supposed to have interactive logon rights.

So what gives?

Any ideas??



  • Answering on the assumption that the server on which you're installing the Management Server is a DC

    So I faced the exact same problem today and I was able to think it through. This might help someone who lands here Googling their way -

    1. SophosManagement should be a Domain User with non-administrative rights according to best practices. 

    2. If you're installing the Management Server on a DC, SophosManagement will be a normal Domain User and hence, it would not have interactive log-on rights, so the error message is normal! Only Members of Domain Admin can log-on to the Domain Controller. 

    3. When you make SophosManagement a part of Domain Admins, the installation should go through. 

    Lastly, it's never advisable to install SEC on a Domain Admin. 

  • I'm not sure why one would assume they are installing the Management Server on a DC.  Who does that?  The OP is correct, the installer wants a domain user account that then is given "logs in as a service" right and that goes against standard security protocols.  The installer should not be forcing the service account to be "elevated to user level" just to install the software and then only runs as a service account after the install.  The installer should just install, not babysit the smasher of the button. 

  • Hi,

    SEC 5.2 is an old expired version of Enterprise console. Is there any specific reason to install such an old version? I would like to mention that it is out of support now.

    SAJ
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • The issue exists with SEC 5.5 as well.  This has never been addressed.

  • Hello Robyn Smith (et al.),

    I'm not sure about the exact nature of the issue.
    The OP mentioned a remote database, if I understand Vikas correctly he could reproduce it (with or without a remote database?) on a DC. I'm using a local database, installed SEC 5.5.1 both on a workgroup and a domain member server. Accounts local, none of the accounts has or had user rights or was elevated to user level.
    In the past (years ago) I have used domain accounts. I might or might not have encountered this issue. Bootstrap logs go back to 5.1. - but there's no indication that the installer checked the interactive logon rights. So ...

    Christian

  • Hi Robyn,

    The document below will help you to understand the database account logon permissions. Please see the "What permissions does it require?" section and confirm everything is in place.

    Database account

    Where is it used?

    The database account is used by the Sophos Management Service (the process name is mgntsvc.exe) to connect to the database. During installation, the account is written to the key shown below for the Sophos Management Service to use when connecting to the database.

    • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools\DatabaseUser\
    • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser\

    Note: 

    • The password for the account is obfuscated in the registry.  If you need to change the account or password, it is recommended to re-run the installer (e.g. C:\sec_541\ServerInstaler\setup.exe) to reconfigure the system.
    • For advanced distributed installations, where only the database component is selected, the installer also requests the database account. The database account will be added to the Windows group Sophos DB Admins also created by the installer in order to give this account access to the database. This same database account should be selected when installing the management server component to enable the management server to access the database. If you choose to create local accounts, for example, you are using a workgroup, the account names and passwords must match.

    The following Sophos services (if they exist) are also set to log on as this account:

    • Sophos Management Host (Sophos.FrontEnd.Service.exe)
    • Sophos Patch Endpoint Communicator (PatchEndpointCommunicator.exe)
    • Sophos Patch Endpoint Orchestrator (PatchEndpointOrchestrator.exe)
    • Sophos Patch Server Communicator (PatchServerCommunicator.exe)
    • Sophos Encryption Business Logic Service (BLService.exe)

    The following Windows scheduled tasks are also configured to run as this user:

    • Sophos Patch Feed
    • Sophos Patch Purge

    Enterprise Console also uses the database user to enable it to communicate with the Sophos Management Host service, which implements the web services on the management server. It is for this reason that when installing a remote console, the database account is requested.

    The account the Sophos Management Host service runs as should be the same user. It is therefore recommended that the account is a domain account when installing in a domain environment.

    What permissions does it require?

    The account must fulfill the following requirements:

    • To log onto the computer where the Sophos Management Service resides.
    • To log on with the Log on as a service right in order to run the services mentioned above.  The installer automatically grants this right and therefore it does not need to be set up before installing.
    • To read and write to the system temporary directory such as C:\Windows\Temp\. By default members of Users have this right.
    • To execute the scheduled tasks. 
    • To be a member of the Windows security group Sophos DB Admins.  This account will be made part of Sophos DB Admins during the installation.
    • To be a member of the Windows security group Sophos Console Service Users.  This account will be made part of Sophos Console Service Users during the installation.
    • Should have a UPN associated with the account if the account is a domain account.  For further information see article 114036.
    • It is not required to be an administrative account as long as the above conditions are met. 
    • User must change password at next logon is disabled.

    It is strongly suggested that:

    • The account is not set to expire or has any other logon restriction.
    • The account is not administrative.
    • The account is not changed after installation.
    • You test logging on to the management server as this account.

    SAJ
    Community Support Engineer | Sophos Technical Support
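
    The requirements listed in the post above can be checked on the target server before the installer is run, which separates "the account is missing a prerequisite" from "the installer refuses the account anyway". The PowerShell script below is an added example, not part of this thread and not Sophos' own tooling. It assumes the ActiveDirectory module is available, that the account is a domain account (the name EXAMPLE\SophosManagement is a placeholder), and that it runs elevated on the machine that will host the management server. The local-group and registry checks can only succeed after the database component has been installed, as the post explains, so a False there before that step is expected.

```powershell
# Added pre-flight check for the database account requirements listed in the post above.
# Assumptions (not from the thread): ActiveDirectory module present, domain account,
# script run elevated on the intended management server. Account name is a placeholder.
param(
    [string]$Account = 'EXAMPLE\SophosManagement'   # placeholder, replace with your account
)

$results = [ordered]@{}

# 1. Resolve the account to a SID. Failure here means the name itself is wrong.
$sid = $null
try {
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $results['Account resolves'] = $true
} catch {
    $results['Account resolves'] = $false
}

# 2. Domain attributes: UPN present, no expiry, no "must change password at next logon"
#    (pwdLastSet of 0 is how that flag shows up in the directory).
$sam = ($Account -split '\\')[-1]
try {
    $u = Get-ADUser -Identity $sam -ErrorAction Stop `
         -Properties UserPrincipalName, AccountExpirationDate, PasswordNeverExpires, pwdLastSet
    $results['Has UPN']                  = -not [string]::IsNullOrEmpty($u.UserPrincipalName)
    $results['No account expiry']        = ($null -eq $u.AccountExpirationDate)
    $results['Password never expires']   = [bool]$u.PasswordNeverExpires
    $results['Not forced to change pwd'] = ($u.pwdLastSet -ne 0)
} catch {
    Write-Warning "Get-ADUser failed for '$sam': $_"
}

# 3. Local groups the installer creates and populates (exist only after the DB install).
foreach ($g in 'Sophos DB Admins', 'Sophos Console Service Users') {
    try {
        $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
        $results["Member of '$g'"] = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
    } catch {
        $results["Member of '$g'"] = 'group not present'
    }
}

# 4. Logon rights from the effective local security policy. secedit lists SIDs with a
#    leading '*'. Rights inherited through a group (BUILTIN\Users normally carries
#    SeInteractiveLogonRight) do not name the account directly, so False here means
#    "not granted directly", not "not granted at all". A direct hit on a Deny right is
#    the kind of restriction that would explain the installer's error.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg "$cfg" /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
foreach ($r in 'SeServiceLogonRight', 'SeInteractiveLogonRight',
               'SeDenyServiceLogonRight', 'SeDenyInteractiveLogonRight') {
    $line = $rights | Where-Object { $_ -like "$r*" } | Select-Object -First 1
    $results["$r (direct)"] = if ($line -and $sid) { $line -match [regex]::Escape("*$sid") } else { $false }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. Registry key the installer writes for the management service (present after install).
$keys = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools\DatabaseUser',
        'HKLM:\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser'
$results['DatabaseUser key present'] = [bool]($keys | Where-Object { Test-Path $_ })

$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

    Run it as `.\Check-SophosDbAccount.ps1 -Account 'DOMAIN\SophosManagement'` (file name is the reader's choice). Because the rights section only reports direct grants, a deny entry that names the account or one of its groups is worth resolving before changing group membership: adding the account to Domain Admins, as suggested earlier in the thread, works around the check but contradicts the "account is not administrative" recommendation in the post above.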
  • Thank you very much for the information.  I need to clarify my earlier statement about "log in as a service".  Our service accounts are able to do that particular one, but it is "interactive login" that they are not.  It is this requirement where we are having issues:

        "To log onto the computer where the Sophos Management Service resides."

    Our service accounts are not able to do that.  They are allowed to do the other requirements (Log on as a Service right, etc); just not that one.  

    Is there a hidden switch we can use so that the installer doesn't check for "interactive user" to at least get the bits installed?

  • Hello Robyn,

    At this point, I recommend opening a support case and doing a remote session with our technical support team so that they can assist you better.

    Please create a ticket with technical support and let me know the case number so that we can assist you in a better way.


    Please follow the link to create a support ticket.

    SAJ
    Community Support Engineer | Sophos Technical Support