
Upgrade from 5.5.1 to 5.5.2 fails

Hi folks,

Today I've tried updating Enterprise Console from 5.5.1 to 5.5.2.

At first I upgraded the databases on our cluster, with no errors.

After that I started the SEC setup, and it fails when trying to install server64.msi. The MSI log shows the following error:

Action ended 14:45:09: FormatInteger. Return value 1.
MSI (s) (BC:B4) [14:45:09:101]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2429.tmp, Entrypoint: DeobfuscatePassword
Action start 14:45:09: DeobfuscatePassword.
DeobfuscatePassword:  Initialized.
DeobfuscatePassword:  Deobfuscating: REGISTRYSERVERPASSWORD to SERVER_USERNAMEPASSWORD
DeobfuscatePassword:  Deobfuscation skipped: REGISTRYSUMPASSWORD to SUM_USERNAMEPASSWORD
MSI (s) (BC:00) [14:45:09:148]: Doing action: SetServerUserNamePasswordFromCommandLineValue
Action ended 14:45:09: DeobfuscatePassword. Return value 1.
Action start 14:45:09: SetServerUserNamePasswordFromCommandLineValue.
MSI (s) (BC:00) [14:45:09:148]: Doing action: SetServerUserNameDomainFromCommandLineValue
Action ended 14:45:09: SetServerUserNamePasswordFromCommandLineValue. Return value 1.
Action start 14:45:09: SetServerUserNameDomainFromCommandLineValue.
MSI (s) (BC:00) [14:45:09:148]: Doing action: SetServerUserNameFromCommandLineValue
Action ended 14:45:09: SetServerUserNameDomainFromCommandLineValue. Return value 1.
Action start 14:45:09: SetServerUserNameFromCommandLineValue.
MSI (s) (BC:00) [14:45:09:148]: Skipping action: CredStore.GetDBCredentials (condition is false)
MSI (s) (BC:00) [14:45:09:148]: Skipping action: SetSUMUserNamePasswordFromCommandLineValue (condition is false)
MSI (s) (BC:00) [14:45:09:148]: Skipping action: SetSUMUserNameFromCommandLineValue (condition is false)
MSI (s) (BC:00) [14:45:09:148]: Doing action: CredStore.GetSUMCredentials
Action ended 14:45:09: SetServerUserNameFromCommandLineValue. Return value 1.
MSI (s) (BC:00) [14:45:09:163]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2459.tmp, Entrypoint: GetSumCredentialsFromCredStore
Action start 14:45:09: CredStore.GetSUMCredentials.
GetSumCredentialsFromCredStore:  Initialized.
GetSumCredentialsFromCredStore:  GetUsername operation results: 80131577
GetSumCredentialsFromCredStore:  Error 0x80131577: Failed to get username
CustomAction CredStore.GetSUMCredentials returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:45:09: CredStore.GetSUMCredentials. Return value 3.
Action ended 14:45:09: INSTALL. Return value 3.

 

Anyone else facing the same problem or has any clue to solve this issue?

 

Best regards,

 

R. Gorek



  • Hello R. Gorek,

    is the Sophos Credential Store service installed and running? If so, there should be an associated log in %ProgramData%\Sophos\Credential Store\.

    Christian

  • Here's the content from the log (XXXX is my admin account):

     

    Logging Started 5180 2020-03-05@14-42-13-184
    2020-03-05 14:42:13.934 [INF] Service is starting...
    2020-03-05 14:42:13.950 [INF] Check that DP API is functioning correctly
    2020-03-05 14:42:13.981 [INF] DP API check succeeeded
    2020-03-05 14:42:13.981 [INF] Service has started
    2020-03-05 14:42:21.512 [INF] Read credential from store
    2020-03-05 14:42:21.512 [INF] 0 credential(s) found
    2020-03-05 14:42:21.528 [INF] Query store: 'Sophos Policy Evaluation Tool' - '2.2.3'
    2020-03-05 14:42:21.544 [INF] Get user name: 'SEC.DBUser' by 'NT-AUTORITÄT\SYSTEM'
    2020-03-05 14:42:21.544 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 14:42:21.559 [INF] Query store: 'Sophos Policy Evaluation Tool' - '2.2.3'
    2020-03-05 14:42:21.559 [INF] Get user name: 'SEC.DBUser' by 'NT-AUTORITÄT\SYSTEM'
    2020-03-05 14:42:21.559 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 14:42:21.575 [INF] Query store: 'Sophos Policy Evaluation Tool' - '2.2.3'
    2020-03-05 14:42:21.575 [INF] Get password: 'SEC.DBUser' by 'NT-AUTORITÄT\SYSTEM'
    2020-03-05 14:42:21.575 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 14:43:32.800 [INF] Query store: 'SEC.Bootstrapper' - '5.5.2'
    2020-03-05 14:43:32.800 [INF] Get user name: 'SEC.DBUser' by 'xxxxxx'
    2020-03-05 14:43:32.800 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 14:43:32.832 [INF] Query store: 'SEC.Bootstrapper' - '5.5.2'
    2020-03-05 14:43:32.847 [INF] Get password: 'SEC.DBUser' by 'xxxxxxx'
    2020-03-05 14:43:32.847 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 14:45:09.226 [INF] Query store: 'SEC.ServerCA' - '5.5.2'
    2020-03-05 14:45:09.226 [INF] Get user name: 'SEC.SUMUser' by 'xxxxxx'
    2020-03-05 14:45:09.226 [WAR] Credential not found: 'SEC.SUMUser'
    2020-03-05 15:30:20.485 [INF] Query store: 'SEC.Bootstrapper' - '5.5.2'
    2020-03-05 15:30:20.501 [INF] Get user name: 'SEC.DBUser' by 'xxxxxx'
    2020-03-05 15:30:20.501 [WAR] Credential not found: 'SEC.DBUser'
    2020-03-05 15:30:20.532 [INF] Query store: 'SEC.Bootstrapper' - '5.5.2'
    2020-03-05 15:30:20.532 [INF] Get password: 'SEC.DBUser' by 'xxxxxx'
    2020-03-05 15:30:20.532 [WAR] Credential not found: 'SEC.DBUser'

  • Hello Eren777,

    different versions
    expected for a local database as it has already been upgraded. So no use to retry.

    Can you still use and work with 5.5.1, are you able to open the console? Guess you don't want SEC to be unavailable while you're waiting for a reply.

    Christian

  • Yes, 551 and the console are still working.

    I got a reply from support: they asked me if the SUM Update Manager password includes special characters. The only special character included in the password is the underscore character "_".

  • Hello Eren777,

    fine, no need to take action.

    What's special and what not ... wouldn't say that an underscore is special (wonder what "special" character Gorek uses). This would be somewhat dissatisfying, it's not that the password just sat there all the time just waiting for the deobfuscation to fail with the 5.5.2 upgrade. Changing the SUM password to test the "special character" theory might not be such a doddle - you'll have to amend the updating policies. As an aside - it looks like passwords will be taken out from the updating policy editor, you specify a username but its password is managed centrally so no need to amend umpteen policies. Just a guess.

    Christian

  • Hi,

     

    We do have special characters in our password. For testing purposes I've changed it to one with no special characters, but still the same issue.

     

    Best regards,

     

    Robby Gorek

  • Hi,

    I had the same problem. I tried a few times, in the end step by step (thx for the snapshots ;-)

    My solution at this time: during installation of SEC 5.5.2, watch the services in services.msc in a second window. Refresh the view with F5 all the time.

    At the moment the "Sophos Credential Store" service is being created, open the properties of the service and change the "log on as" credentials to "local system".

    You have to do it quickly, before the installation process generates the error.

    On my systems it works. Now all components are on 5.5.2.

    Good luck!

    Marco

  • Hi Marco,

    Do you have Local Security Policy > Local Policies > User Rights Assignment > Log on as a service configured by Group Policy?  It might be the newly created SophosCSMSA$ account doesn't have this permission on your SEC server.

  • Hello,

    no, I didn't.

    At the moment it works with "local system", like most other services.

    It's not fine that there was no way to change the service account during the setup process and nothing to be found in the manual about the account created by Sophos.

    Our GPOs are managed by the domain, so changing the local policies would only help until they are updated.

    Regards,

     

    Marco

  • Hello Marco,

    You have to do it quickly
    a SEC install or upgrade is not Prince of Persia. There should be no need for auxiliary monitoring with rapid key-pressing and meticulously timed clicks. Did you get the GetSumCredentialsFromCredStore: No Sophos Credential Store Service found: 80070005 error in the Server64msi log? As far as I can see this CustomAction is only called when the deobfuscation fails (DeobfuscatePassword:  Deobfuscation skipped:) in which case assuring that the service runs wouldn't help as it had not yet stored the credentials at this point. Rather, I think, you got the error near the end where SaveToCredentialStore is called.

    The Sophos.Credential.Store.Service uses a Virtual Service Account (VSAs are not a new concept) NT Service\Sophos.Credential.Store.Service. Normally the Log on as a service right is assigned (amongst others) to NT SERVICE\ALL SERVICES. As MEric has suggested your group policy might not assign this right.

    Christian 
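
Added example, not part of any post in this thread: one way to check the point Christian and MEric raise, namely whether the "Log on as a service" right (`SeServiceLogonRight`) in the effective policy still covers the Credential Store service account. The service name is an assumption taken from the account name quoted above, and the sample policy lines are constructed.

```powershell
# Added example (not from the thread). Run elevated on the SEC server.
$ServiceName    = 'Sophos.Credential.Store.Service'  # assumption: taken from the VSA name quoted above
$AllServicesSid = 'S-1-5-80-0'                       # well-known SID of NT SERVICE\ALL SERVICES

function Get-ServiceLogonRightHolders {
    param([string[]]$InfLines)
    # secedit line format: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20,DOMAIN\account
    $line = $InfLines | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }                   # right is not assigned to anyone
    @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Test-CanLogOnAsService {
    param([string[]]$Holders, [string]$Account)
    if ($Account -eq 'LocalSystem') { return $true } # LocalSystem needs no explicit right
    $ids = @($Account)
    try {   # add the account's SID; fails if the service (and its VSA) does not exist yet
        $ids += ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
    } catch { }
    # A virtual service account is covered either directly or through ALL SERVICES
    if ($Account -like 'NT SERVICE\*') { $ids += $AllServicesSid, 'NT SERVICE\ALL SERVICES' }
    [bool]($Holders | Where-Object { $ids -contains $_ })
}

# Constructed sample: a GPO that overwrote the default list and dropped ALL SERVICES
$sample = '[Privilege Rights]', 'SeServiceLogonRight = *S-1-5-20,CONTOSO\svc-backup'
$vsa    = "NT SERVICE\$ServiceName"
"Sample policy allows {0}: {1}" -f $vsa, (Test-CanLogOnAsService (Get-ServiceLogonRightHolders $sample) $vsa)

# Live check against the effective local policy (includes settings applied by domain GPOs)
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = Get-ServiceLogonRightHolders (Get-Content $cfg)
$svc     = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$account = if ($svc) { $svc.StartName } else { $vsa }   # fall back to the VSA name if not installed yet
"Service '{0}' logs on as '{1}'; may log on as a service: {2}" -f $ServiceName, $account,
    (Test-CanLogOnAsService $holders $account)
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the live check reports `False` for the virtual account, the durable fix is in the GPO that defines the right, since a local change is overwritten at the next policy refresh, as Marco notes.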

  • Hello Robby and Eren777,

    has the issue been resolved? Could you upgrade?

    Christian

  • Hi Christian,

     

    Not yet. My issue has been escalated to the development team. I am still waiting for a response.
