We'd love to hear about it! Click here to go to the product suggestion community
I have recently upgraded from the Sophos Enterprise Console 5.5.0 to 5.5.2 and I got an error Unable to install Sophos Credential Store Service and failed to upgrade to 5.5.2.
The SEC 5.5.0 is still there. The Under Programs and Features I find the Sophos Management Console and Sophos Management Server are still with version 5.5.0.
Could you please let me know how to fix this error and what I will do next to complete an upgrade to 5.5.2
Your assistance on this request would be extremely appreciated.
Are installing on a DC or Members Server?
In reply to moosey:
Sorry are you upgrading SEC on a DC or Members Server?
Hello Accounts Payable1,
how to fix this errorthe Sophos_CredStoremsi ....log in %ProgramData%\Sophos\Management Installer\ should have a more detailed description of this Unable to install.
The most common reason I've heard of this happening here is due to the "Logon as a service" rights being defined within your local or domain security policy. The Credential Store creates a new service account and attempts to start the service using that account as part of the installation process. If the local or domain security policy does not include "NT SERVICES\ALL SERVICES", the Credential Store service may fail to start.
Thank you for your response.
I used Domain Control to install (i.e: Domain Name\Administrator). Because I am working from home, so I used remote desktop to log in to our server to upgrade. Do you think there is any problems with this?
Thank you and look forward to your response.
T Doan (Accounts Payable1)
In reply to QC:
I also checked the Sophos_CredStoremsi log file as shown below.
MSI (s) (68:9C) [12:31:24:268]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: ) Set ACL for 'C:\Program Files (x86)\Sophos\Credential Store\'MSI (s) (68:9C) [12:31:24:268]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)MSI (s) (68:9C) [12:31:24:268]: Executing op: ServiceControl(,Name=Sophos.Credential.Store.Service,Action=1,Wait=1,)MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2205 2: 3: Error MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1920 MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2205 2: 3: Error MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 MSI (s) (68:9C) [12:31:54:654]: Product: Sophos Credential Store -- Error 1920. Service 'Sophos Credential Store' (Sophos.Credential.Store.Service) failed to start. Verify that you have sufficient privileges to start system services.
Please let me know how to fix it and what I can do next to complete an upgrade.
In reply to MEric:
As I couldn't install the Credential Store service while upgrading and it terminated/stopped straight away from there. Please let me know how to fix this and what I can do next to complete an upgrade.
In reply to Accounts Payable1:
Hello T Doan,
1920 is a rather generic error, the timestamps suggest that the service start command timed out. Perhaps the Windows Event log has more information why the service didn't start.
I assume the installer has performed a rolleback. Has the Sophos Credential Store been removed or is it still there? Dunno to what extent the installer mops up, maybe it left the %ProgramData%\Sophos\Credential Store\ folder and the store.log behind.
Sophos Credential Store
Does NT SERVICES/ALL SERVICES exist if you run the following in an administrative command prompt? What you are looking for in the report is under Settings > Policies > Windows Settings > Security Settings > Local Policies User Rights Assignment > Log on as a service.gpresult /h C:\Windows\Temp\report.htmC:\Windows\Temp\report.htm
If this setting has been specified and NT SERVICES\ALL SERVICES is not listed, you will need to add it in. Open up Group Policy Management on your DC and modify the group policy applied to your SEC server. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service. When adding the user, type in NT SERVICES/ALL SERVICES and click "OK", not Browse. Save this policy.
After saving, force the SEC server to retrieve this new policy by running gpupdate /force. Verify that NT SERVICES/ALL SERVICES now exists under the report by running the gpresult command mentioned at the start. If so attempt to run the installer again.
Thank you Christian.
After I got an error I checked the Sophos Credential Store has been removed and also the %ProgramData%\Sophos\Credential Store\ folder and the store.log was empty.
Yes I will follow your instructions to add NT SERVICES\ALL SERVICES to Group Policy Management. I would like to ask you I can run setup.exe file from the sec_552 install folder to continue upgrading to 5.5.2 (As I see Sophos Management Database version 5.5.2 has been installed the under Programs and Features) or I have to run sec_552_sfx.exe to start from the beginning to complete an upgrade 5.5.2
I can run setup.exe file from the sec_552 install folderyes, for subsequent attempts this is the right choice. the sfx does nothing more than extracting the archive to sec_552 and calling setup.exe.
Sophos Management Database version 5.5.2 has been installedyou'll run into the problem described in Installer has detected different versions of the components installed. This would be Scenario 1 in the article. Uninstall the Database component, re-run the Installer, it will offer to upgrade the other components (the Database will be greyed out). Do not forget to reinstall the Database component with the CREATE_DATABASES=0 argument even though there will be no future upgrades - if for whatever reason you re-run the Installer again it would otherwise let you (or someone else) tick the Database component, attempt to install it but fail. Might cause confusion.
Thank you for the update.
1 Question is the SEC 550 installed on a Domain Controller?
Thank you for the update.
I will do as what you mentioned and let you know the result after upgrading.
Yes it is installed on our Domain Controller.