This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SBS 2008 - Exchange 2007 - Unable to Install PureMessage 3.1.3

Hi all

I'm new to the forum so please bear with me.

Basically before i joined the company we had version 3 of Sophos PureMessage installed, along with the Enterprise Console and the AV solution. However this expired some time ago and we have been using an alternative AV, PureMessage has continued to do a good job though of catching a good majority of the spam before getting to Exchange.

I have managed to get the green light to update to the latest version of PureMessage for Exchange 2007 which currently is 3.1.3, however when i goto do this it refuses to update, citing an issue with: Logon Failure: unknown user name or bad password even though i am logged on as a domain administrator. When we do eventually get this error though it mentions in the error message box that it can't contact the AD/LDAP server. I've spent hours on this trying to resolve it, but without much luck. I'm even in contact with the 2nd/3rd line support teams who don't seem to know what to do either.

Basically we had an old version of Sophos PureMessage (v3.0) on our SBS 2008 server running Exchange 2007, and we wanted to upgrade this to 3.1.1. That in itself is fine, however during the installation no matter what we seemed to do it wouldn't upgrade to the new version. We have now uninstalled PureMessage in order to install it again from scratch.

However the same problem now happens on a new installation. During the setup process it asks to create a new password for the predefined user of 'SophosPureMessage' but according to the error message the password complexity requirements don't meet what the domain wants - even though i have entered passwords as long as 15-20 characters and include alphanumeric, uppercase, lowercase, multiple special characters. What we have tried is creating a network user of SophosPureMessage manually instead which then lets us past this stage, however the setup will fail during the last stages of the setup as it says it is unable to contact the AD domain because of logon failure. However we know that the AD domain is contactable as all other domain services work fine (DNS, Email, Logon etc).

Our server is configured to run using a domain format of XXX.local, however the error message doesn't include the '.local' in the error message of the installer. It just says unable to contact XXX.

I have been working with the 3rd line teams for Sophos support who have been very good, but we aren't getting anywhere after more then a week. What they did suggest is running a VBS script which had the following, because of the problem. For now i am just putting XXX to substitute our own domain name.
======================
const ADS_SECURE_AUTHENTICATION = &H0001

Set oDSP = GetObject("LDAP:")
Set obj = oDSP.OpenDSObject("LDAP://XXX/rootDSE",vbNullString,vbNullString,ADS_SECURE_AUTHENTICATION)
WScript.Echo obj.Get("configurationNamingContext")
======================

Using command prompt, we then run the following command (with elevated privileges) on the root of C: cscript test.vbs > test.txt

We are getting an error that came back with: c:\Test.vbs(4, 1) (null): Logon failure: unknown user name or bad password.

I have done an NSLOOKUP command for our domain are the following is returned:

c:\>nslookup XXX
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  fe80::5be1:f55d:a87f:965a

Name:    XXX.XXX.local
Address:  10.0.0.32

Does anyone know why, or more importantly how to fix this error at all?? Some forums have suggested turning on IPV6 but this is already switched on so i don't believe this is the issue.

 Other things that i can confirm:
- Being an SBS server this is the only domain controller on the domain
- We are logging on as a domain administrator
- The server doesn't run DHCP



This thread was automatically locked due to age.
  • I have exactly the same problem. In my case, we were migrating from another Antispam product and doing a clean installation of Puremessage. During the installation process, the installer tries to create a user domain\SophosPureMessage. You move to the dialogue to create a password and the installation fails with a message that the password doesn't meet complexity requirements. In spite of the fact that password complexity has been disabled, no password, no matter how complex will work. Like BenDance, I tried manually creating the user in Active Directory. In this case, the installer proceeds past the initial screens but fails just as installation is about to commence with an error that the user is unable to authenticate.
    I have had exhaustive communications with SOPHOS support without success. Ironically, every other application and installation I try is successful including SOPHOS Enterprise Console and, of course our previous SPAM application, Symantec Mail Security for Microsoft Exchange.
    I have had Microsoft experts look into the Windows application (SBS 2008) no anomalies were found. I can only conclude that there is some fundamental flaw with the Pure Message installer that causes this problem. Annoyingly, it is not possible to make any changes to the name or domain settings for the user xxxx\SophosPureMessage. I suspect that the installer is not using the full domain name i.e. SophosPureMessage@xxxx.com or xxx.local\SophosPureMessage and the user (person installing the package) has no control over this.
    I have installed Sophos Puremessage on several SBS 2011 servers without a problem. I have also installed on Server 2008 R2 Standard Domain Controller with Exchange 2010 installed without issue. Also Server 2012 R2 with Exchange 2013 is OK.
    I am really worried that I have several clients with SBS 2008 that I am about to install Puremessage on that this problem will arise again.
    Can anyone categorically confirm that they have successfully installed Puremessage on SBS 2008 Standard? Maybe the SOPHOS developers need to look very closely at this glitch.
  • Hi everyone,
    If you manually create the puremessage AD user and then grant it rights to log on as a service....does it help?

    Local security Policy -> local Policies -> user rights assignment -> log on as a service. : add domain\sophospuremessage


    Thanks
  • Can you browse your domain using the netbios name?

    \\domainnetbiosname

    if not, create a hosts entry on the server and point its IP address to the domain netbios name.

    xx.xx.xx.xx domainnetbiosname

    Run the setup again

    Hope it helps!
  • Hi Ziggyedman

    I have tried what you have suggested and i am able to get to our SBS server main shares ok, but this still doesn't work during the install process. Any further ideas?
  • Hey Ben and Hugh!

    Are you trying to install PME 3.1.1?

    The latest PME version to use with Exchange 2007/2010 is 3.1.3.

    Download and install 3.1.3

    Do the following steps before the installation attempt:

    Download PureMessage Support Tools:PureMessage 3.1 & 4.x: downloads.sophos.com/.../pmex_31_support_tools.zip
    Create the folder: c:\PMDEBUGLOGS
    Open the downloaded support tools folder -> ICDebugregistryKeysdouble click on pmdebuglogs.reg - this will load some keys into windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\SOPHOS\PMDebugLogs
    Open the key HKEY_LOCAL_MACHINE\SOFTWARE\SOPHOS\PMDebugLogs, right click PMDebuglogs and create a new REG_DWORD named "EnableLogging". Set it value to 1
    Re-run the puremessage setup and when it fails, check the logs inside c:\PMdebuglogs. The recent files must show the error (maybe this one PMInstallUtil-xxxx log)...open the files and search for ERR

    post the errors.

    There's a more complex procedure we can try for the "Failed to Create User account. Ensure the password satisfies complexity requirements" but it would be interesting to see what's being logged.

    Thanks guys! Hope this helps

  • Others have suggested this but I didn't quite understand what was required. However, the problem is that there appears to be a quirk with the the PureMessage installer where it sometimes has difficulty connecting to the LDAP server. In most cases and especially in my case. That is the server onto which I am trying to install Pure Message.

    I have now encountered the problem on two different SBS2008 servers and I have had success with both.

    The solution:

    For example if the full server name is SERVER.XYZ.COM.AU then put a record in the host file stating the internal IP address of the server

    E.g.

    192.168.16.1.       Server.xyz.com.au

    Run the installation of PureMessage and. You should be good to go.

    P.S.

    There was one other line that I put in the host file.

    My domain xyz.com.au has a shortened form which goes in front of the username. Let’s say the username is SophosPureMessage and the domain is xyz.com.au. In my case the shortened form of the domain name is xz. So the username will be xz\SophosPureMessage.

    In the host file I also put a line:

    192.168.0.1         xz

    I didn’t think that this was the relevant line but, since you are having the issue still, then it must be necessary for that second line to be there. To be honest, I didn’t check which line was the relevant one. I was just so elated that I got a result after three months of trying.

  • Hi Ziggy

    Thanks for the tip.  Almost worked. I have now resolved the issue twice with a host file record. See my post below.

  • Hi Hugh

    Thanks for your feedback. I have given this a go on our SBS (I'm logged on with a different account on Sophos forum at the moment) but this still doesn't work for me - even after adding the line to the bottom of the hosts file.

    I have again got all the way to the end of the install, but it has failed with: "Setup was unable to create the user account for the PureMessage services. Error details: Cannot contact the LDAP. This error could be caused by a failure to resolve or contact the AD server (named 'XXX')"

    Then once the error message has been submitted we then get another error message that says:
    "Error code 1603 was returned when running:
    C:\Windows\SysWOW64\msiexec.exe
    ADDLOCAL=ClientInstall,ClientServerInstall,ServerExchangeStore,ServerInstall,ServerMain,ServerAntiSpam /qb /lvoicewarmupx!
    C:\Users\admin\AppData\Local\Temp\MsiPureMessage-20160413151833.log
    SETUP_INIPATH=C:\Users\admin\AppData\Roaming\PureMessageSetup.ini REBOOT=Supress TRANSFORMS=:1033 /i "F:\PureMessage\PM\Sophos PureMessage.msi"

    The only thing i don't seem to be able to do is allow the user to run as a local service though? I'm not sure whether this would force the installation to fully stop though?

  • Just to advise that this is now resolved, after trying various different things i eventually concluded that whatever i had done previously with the hosts file, i must have done wrong as i edited the hosts file again and this then installed without a problem!

    The reason for this is because the domain used to run on just something like XXX, however this was changed at some point by a predessor to XXX.LOCAL and for one reason or another the PureMessage installer was still trying to reference the original XXX domain. At a guess i'd say it is probably pulling this information from the registry somewhere where there is still an old reference. Highly annoying but i got there in the end.

    The hosts file reference i used last time included the full IP address of the network adapater, however on this occasion i have put the loopback address of 127.0.0.1 along with the original XXX domain.

    I will mark this as solved now. Thanks all!