Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

RSA Secure ID on 2008 Domain Controller

Posted on 2010-01-04
9
Medium Priority
?
1,100 Views
Last Modified: 2013-12-04
Hi Experts,

I am having some problems getting the RSA SecureID client installed on a 2008 R1 domain controller.

The DC is for a new domain in a new forest and is running in 2008 R1 forest and domain functional levels. The server OS is 2008 Standard R1 32 bit.

The client successfully installs on member servers within the domain but when installing on the domain controllers the installation wizard get 90% though and then rolls back stating that installation failed.

I have consulted RSA support and they say that it is supported and will work, and that there must be a group policy stopping the installation. However, I only have the standard unaltered domain controllers GPO, and a WSUS settings GPO applied so cannot see any settings in the domain controllers GPO that would enforce a software installation restriction. The WSUS policy is a basic one that points the servers at our internal WSUS server for updates.

Has anyone experienced this problem before and could shed some light on it for me?  

Thanks,
Phil
0
Comment
Question by:vivistaltd
  • 6
  • 3
9 Comments
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26170740
I haven't seen this specific problem.  However, you may consider a couple things.

1) disable the firewall service on the DC (for testing) during the install... Just go into services and stop the service.
2) Start the install of RSA and go into the Event Viewer and look for errors that pop up.  There might be some good information in the Application or System log (or even Security log) showing you what is going on.
3) if the problem continue, run the Group Policy Managent Tool to see the applied GPO';s against a machine: http://technet.microsoft.com/en-us/library/cc739934(WS.10).aspx
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26171242
The group Policy management tool can be used to run against an computer in your environment, it show a report of all GPO's effecting the computer and exactly how the computer is being effected (i.e. software restrictions if any)

Here is a screen shot of the tool and how to run the report.
Group-Policy-Management.png
0
 

Author Comment

by:vivistaltd
ID: 26171556
Thanks for the prompt response!

The firewall was enabled, but have now disabled it and the installation still fails. I have checked the group policy modelling again, and cannot see any software restrictions in place. Infact the settings that a member server gets (which the client installs successfully on) and a domain controller are very  similar.

The only events that get logged in the event log are that of the MSIInstaller starting and then failing but doesnt give any other usefull information. Interestingly, the RSA software reports as version 7.0 even though its 7.0.1 :-)

Product: RSA Authentication Agent 7.0 for Microsoft Windows -- Installation operation failed.
   (NULL)
   (NULL)
   (NULL)
   (NULL)
   
   
   7B41414546443535332D344432422D344639382D393130332D3134333338383731424639377D

thanks for the sugestions, do you have any more ideas? do you have RSA working in a 2008 environment?

Thanks,
Phil
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26171678
I don't have RSA installed for Windows 2008...

Can you turn off your antivirus temporally too?  Just wondering if this is effecting the installation...

(still looking into this based on the error message you show)
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26171716
can you post the log?  

Note: is there a log for the RSA agent itself?
0
 

Author Comment

by:vivistaltd
ID: 26172447
I have produced a log from installation, and it seems as though it is failing to copy the sdconf.rec into the destination folder (C:\Program Files\Common Files\RSA Shared\Auth Data). I have checked permissions on both the source and destination and the user I am doing the installation as has write permissions (it is a domain administrator).

Action 16:24:04: Rollback_SdconfRec.
Action 16:24:04: Install_SdconfRec.
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> getting CustomActionData
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 234
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 0
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData is X|X|C:\Program Files\Common Files\RSA Shared\Auth Data\|C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Installed? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Remove All? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Scheduled? true
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Destination Path = C:\Program Files\Common Files\RSA Shared\Auth Data\
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Source Path = C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> sdconfrec File Name = sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Canonical Dest Path = C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> canonical source for sdconf.rec = C:\Users\ADMINI~1.SGP\AppData\Local\Temp\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> It's either a fresh install or a rollback of an uninstall
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Failed to copy file. 0
Action ended 16:24:04: InstallFinalize. Return value 3.
Action 16:24:04: Rollback. Rolling back action:
Rollback: Install_SdconfRec
Rollback: Rollback_SdconfRec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> getting CustomActionData
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 234
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 0
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData is X|X|C:\Program Files\Common Files\RSA Shared\Auth Data\|C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Installed? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Remove All? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Scheduled? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? true
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Destination Path = C:\Program Files\Common Files\RSA Shared\Auth Data\
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Source Path = C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> sdconfrec File Name = sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Canonical Dest Path = C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> canonical source for sdconf.rec = C:\Users\ADMINI~1.SGP\AppData\Local\Temp\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> It's an uninstall.  Delete the file from C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** END *****

I will check if there are any differeces in permission on a member server.

Phil
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26172519
if it is truely an access problem, I would expect to also see an error in the Security Log (event viewer).  do you have auditing turned on?  if not, turn it on this DC so that you get more information in the event viewer logs.

As a thought, you might want to copy the installation source files to the DC before starting the installation (total guess here)
0
 

Accepted Solution

by:
vivistaltd earned 0 total points
ID: 26301915
I have found a resolution to this problem. Although the user account I was doing the installation as is domain / builtin administrator unless the installation MSI is launched using "Run as administrator" the correct access isnt permitted to the "c:\program files\common files" directory. You cannot select "run as administrator" when clicking on the MSI, so launching a command prompt as administrator then running the msi from there results in a sucessfull install.

This isnt a problem on 2008 member servers, only domain controllers.

Thanks for your help and suggestions.

Phil
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26303171
oh... hmm, great trouble shooting... I'm glad you got this solved and for posting the resolution.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question