SUM updating problem. Error code 80040401.

Hi,

Does the error in the MSI look like this:

https://community.sophos.com/products/endpoint-security-control/f/3/t/2495

Can you logon to that computer as the account in question?

Regards,

Jak

Hi Jak,

Thank for your reply. Unfortunately, it's not the same error. I can logon to the SOPHOS_SERVER where SEC is installed with the domain account SophosUpdateMgr. Looking again at the latest MSI log file I found this:

Property(S): INSTALLDIR.AB2CCA78_E31E_4758_9EB0_BF5664C2EECF = C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\
Property(S): REINSTALLMODE = vdmus
Property(S): PackagecodeChanging = 1
Property(S): ProductToBeRegistered = 1
Property(S): ProductState = 5
Property(S): PackageCode = {712AD231-3FB7-4437-907B-9BD0461AEF57}
Property(S): ARP_SUM_INSTALLSOURCE = C:\ProgramData\Sophos\Update Manager\Install\
Property(S): IS_NET_API_USERDATA = **********
Property(S): OSPRODUCT = Windows Server (R) 2008 Standard
Property(S): SUM_CID_FOUND = C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\
Property(S): SUM_WAREHOUSE_FOUND = C:\ProgramData\Sophos\Update Manager\Update Manager\Warehouse\
Property(S): AgreeToLicense = No
Property(S): _IsMaintenance = Reinstall
Property(S): RestartManagerOption = CloseRestart
Property(S): _SUMUserSelectionChoice = Default
Property(S): Display_IsBitmapDlg = 1
Property(S): ALLUSERS = 1
Property(S): ARPNOMODIFY = 1
Property(S): ARPPRODUCTICON = ARPPRODUCTICON.exe
Property(S): ARPURLINFOABOUT = http://www.sophos.com
Property(S): ApplicationUsers = AllUsers
Property(S): DefaultUIFont = Tahoma8
Property(S): DialogCaption = InstallShield for Windows Installer
Property(S): ErrorDialog = SetupError
Property(S): INSTALLLEVEL = 100
Property(S): InstallChoice = AR
Property(S): MSIDEPLOYMENTCOMPLIANT = 1
Property(S): MSIRESTARTMANAGERCONTROL = Disable
Property(S): MSIUSEREALADMINDETECTION = 1
Property(S): Manufacturer = Sophos Limited
Property(S): MsiHiddenProperties = IS_NET_API_LOGON_PASSWORD;IS_NET_API_USERDATA;IS_AddSUMDenyLogonPrivilege;IS_StoreSUMCredentials;IS_CreateSUMUser
Property(S): MsiLogging = voicewarmupx
Property(S): PIDTemplate = 12345<###-%%%%%%%>@@@@@
Property(S): ProductCode = {2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}
Property(S): ProductID = none
Property(S): ProductLanguage = 1033
Property(S): ProductName = Sophos Update Manager
Property(S): ProductVersion = 1.6.0.2264
Property(S): ProgressType0 = install
Property(S): ProgressType1 = Installing
Property(S): ProgressType2 = installed
Property(S): ProgressType3 = installs
Property(S): RebootYesNo = Yes
Property(S): ReinstallModeText = omus
Property(S): SHOWLAUNCHPROGRAM = 0
Property(S): SOPHOS_UM_SHARE = SophosUpdate
Property(S): SUMRegistryRoot = SOFTWARE\Sophos\UpdateManager
Property(S): SUMUser = SophosUpdateMgr
Property(S): SecureCustomProperties = RMSINSTALLED;SCONSOLE4;ECONSOLE4;FCONSOLE4;NEWER_SUM_FOUND;SOPHOS_MSX86;SOPHOS_MSX64
Property(S): SetupType = Typical
Property(S): MsiLogFileLocation = C:\Windows\TEMP\MSI1b64e.LOG
Property(S): SUM_CLIENT = Sophos Management Server
Property(S): ARPINSTALLLOCATION = C:\Program Files (x86)\Sophos\Enterprise Console\SUM\
Property(S): CREATE_NEW_USER = 0
Property(S): IS_NET_API_LOGON_DOMAIN_TOKEN = SOPHOS_SERVER
Property(S): IS_NET_API_LOGON_USERNAME = SOPHOS_SERVER\SophosUpdateMgr
Property(S): IS_NET_API_LOGON_USERNAME_TOKEN = SophosUpdateMgr
Property(S): InstallShieldTempProp = 0
MSI (s) (08:74) [08:14:40:386]: Note: 1: 1729
MSI (s) (08:74) [08:14:40:386]: Product: Sophos Update Manager -- Configuration failed.

MSI (s) (08:74) [08:14:40:387]: Windows Installer reconfigured the product. Product Name: Sophos Update Manager. Product Version: 1.6.0.2264. Product Language: 1033. Reconfiguration success or error status: 1603.

MSI (s) (08:74) [08:14:40:388]: Deferring clean up of packages/files, if any exist
MSI (s) (08:74) [08:14:40:389]: MainEngineThread is returning 1603
MSI (s) (08:48) [08:14:40:389]: No System Restore sequence number for this installation.
=== Logging stopped: 6/23/2016 8:14:40 ===
MSI (s) (08:48) [08:14:40:393]: User policy value 'DisableRollback' is 0
MSI (s) (08:48) [08:14:40:393]: Machine policy value 'DisableRollback' is 0
MSI (s) (08:48) [08:14:40:393]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (08:48) [08:14:40:393]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (08:48) [08:14:40:393]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (08:48) [08:14:40:394]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (08:48) [08:14:40:394]: Restoring environment variables
MSI (s) (08:48) [08:14:40:396]: Destroying RemoteAPI object.
MSI (s) (08:40) [08:14:40:396]: Custom Action Manager thread ending.
MSI (c) (2C:80) [08:14:40:397]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (2C:80) [08:14:40:398]: MainEngineThread is returning 1603
=== Verbose logging stopped: 6/23/2016 8:14:40 ===

It's like SUM is trying to install with the local SophosUpdateMgr account of the SEC computer instead of using domain administrative account.

Hello msavignac,

sorry for the late reply. Now this is just the Properties dump and doesn't show the location of the actual error - anyway I assume it's probably the IS_ValidateDomainToken custom action, preceded by IS_ParseStoredUserData which reads the account information from from the UserData value in HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}, the tokens are Server;Domain;Username.
This value is set at initial install (could be modified with an interactive re-install). Wonder how it got there if indeed a local SophosUpdateMgr account doesn't exist. You should find the same account in system.xml under <ImpersonationAccount> in SUM's program directory - ARPINSTALLLOCATION in the MSI log (in your case it's somewhat surprisingly \...\Sophos\Enterprise Console\SUM\, thought some upgrade has moved it to \...\Sophos\Update Manager\). Before suggesting further action I'd like to verify the existing configuration and data.

Christian 

Hi Christian, 

The values of UserData (NFBMGM;NFBMGM;SophosUpdateMgr;0;)

from HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}

are not correct for the last 2 tokens (Domain;Username). The Domain is set to the NetBIOS network name of the machine where SEC is installed (NFBMGM) and the UserName is SophosUpdateMgr which is a domain account (not local) without administratives priviledges! There is no SophosUpdateMgr local account on the machine where SEC is installed.

Same in system.xml (from C:\Program Files (x86)\Sophos\Enterprise Console\SUM ) :

<ID>__IMPERSONATIONACCOUNT__</ID>
<Username>NFBMGM\SophosUpdateMgr</Username>

Hello msavignac,

I don't think that SEC/SUM changes this account by itself, looks like a local account has been used during install. Now, SUM doesn't need this account to deploy the CIDs, thus normally you might not notice. What account is used in your updating policies (note that there is no requirement that it's the SUM account)?

Can't tell (at least right now) whether the SEC installer asks for both (Database and SUM) accounts if you re-run (you can do this "same-version") it . Otherwise, unless forbidden by policy, I'd simply the account locally create as a temporary workaround - you'd have to change the password in system.xml in this case.

Christian

QC said:

looks like a local account has been used during install.

Weird, because I always used my administrative account (Domain Admin + sysadmin on the SQL DB).

QC said:

lWhat account is used in your updating policies (note that there is no requirement that it's the SUM account)?

Domain\SophosUpdateMgr

I'll try running the SEC installer again and I'll keep you informed.

Marc

Hello Christian,

I ran the installer for SEC 5.4.0 again. It asks only for the Database account and the port (80 by default, no error message if it was already in use). The installer did not throw any error message and completed successfully.

Unfortunately, same problem :-(

--
Marc

Hello Marc,

used my administrative account
the installer asks for the Database and the SUM account on an initial install (sorry, wasn't sure about the reinstall - obviously, and on second thoughts not quite unexpectedly, you can't change it afterwards with the installer), the SUM account should not have any special rights.

As the account in the registry can't get accidentally changed I'd conjecture the initial install was performed with a local user ... but you'd remember the necessary actions (changing the policies, removing the local account) to get to the current state and anyway the installer/self-updater should have complained in the past. It's a mystery.

Please check the security on %ProgramData%\Sophos\Update Manager\Update Manager\, it should have an explicitly set Read & execute for Domain\SophosUpdateMgr (a residual SID instead of a name with the same rights would indicate that a local user could have existed). If you can't or don't want to (re-)create the local account (it won't affect the existing policies, make sure the Default updating policy also uses the domain account) then it should (don't take my word for it - I haven't tested it!) be possible to make the installer happy by changing the registry value and system.xml to the domain account. 

Christian

Hello Christian,

I think we might be on something. Effectively, there was an orphan SID ...

http://i.imgur.com/2IdaHIG.png

I added the Read and Execute NTFS permissions for the Domain\SophosUpdateMgr on the %ProgramData%\Sophos\Update Manager\Update Manager\ directory.

I'll continue to monitor the server and event log and keep you informed.

--
Marc

Hello,

I have basically the exact same problem, with the same cause and message in the MSI log ... SEC 5.4 on 2008R2 64-bits, and the SUM update fails with 1603.

The reg key and the system.xml both were referring to the local machine name and a local user account that don't exist MACHINENAME\SophosUpdateMgr. Could be the local account was later deleted, but I suspect not ... I'm pretty sure I did this a while back ...

I used the obfuscation tool and instructions to update system.xml with the correct domain\username (domainname\username, where username is NOT SophosUpdateMgr) and the obfuscated password. Restarted the SUM service, but no dice, still the same problem. Rebooted the machine, still nothing.

The default updating policy for endpoints DOES have the correct credential, and endpoints are using that account without issue and getting definition files OK.

The directory containing CIDs and Warehouse has the proper permission (read/execute) for the right user account.

Current SUM version 1.5.8.11.

Help?? Thanks!