vivistaltd


RSA Secure ID on 2008 Domain Controller

Hi Experts,

I am having some problems getting the RSA SecureID client installed on a 2008 R1 domain controller.

The DC is for a new domain in a new forest and is running in 2008 R1 forest and domain functional levels. The server OS is 2008 Standard R1 32 bit.

The client successfully installs on member servers within the domain, but when installing on the domain controllers the installation wizard gets 90% through and then rolls back, stating that installation failed.

I have consulted RSA support and they say that it is supported and will work, and that there must be a group policy stopping the installation. However, I only have the standard unaltered domain controllers GPO, and a WSUS settings GPO applied so cannot see any settings in the domain controllers GPO that would enforce a software installation restriction. The WSUS policy is a basic one that points the servers at our internal WSUS server for updates.

Has anyone experienced this problem before and could shed some light on it for me?  

Thanks,
Phil
NJComputerNetworks

I haven't seen this specific problem.  However, you may consider a couple things.

1) disable the firewall service on the DC (for testing) during the install... Just go into services and stop the service.
2) Start the install of RSA and go into the Event Viewer and look for errors that pop up.  There might be some good information in the Application or System log (or even Security log) showing you what is going on.
3) If the problem continues, run the Group Policy Management Tool to see the applied GPOs against a machine: http://technet.microsoft.com/en-us/library/cc739934(WS.10).aspx
The Group Policy Management tool can be used to run against a computer in your environment; it shows a report of all GPOs affecting the computer and exactly how the computer is being affected (i.e. software restrictions, if any).

Here is a screen shot of the tool and how to run the report.
Group-Policy-Management.png
vivistaltd

ASKER

Thanks for the prompt response!

The firewall was enabled, but I have now disabled it and the installation still fails. I have checked the group policy modelling again, and cannot see any software restrictions in place. In fact, the settings that a member server gets (which the client installs successfully on) and a domain controller are very similar.

The only events that get logged in the event log are those of the MSIInstaller starting and then failing, but they don't give any other useful information. Interestingly, the RSA software reports as version 7.0 even though it's 7.0.1 :-)

Product: RSA Authentication Agent 7.0 for Microsoft Windows -- Installation operation failed.
   (NULL)
   (NULL)
   (NULL)
   (NULL)
   
   
   7B41414546443535332D344432422D344639382D393130332D3134333338383731424639377D

Thanks for the suggestions. Do you have any more ideas? Do you have RSA working in a 2008 environment?

Thanks,
Phil
I don't have RSA installed for Windows 2008...

Can you turn off your antivirus temporarily too?  Just wondering if this is affecting the installation...

(still looking into this based on the error message you show)
Can you post the log?

Note: is there a log for the RSA agent itself?
I have produced a log from installation, and it seems as though it is failing to copy the sdconf.rec into the destination folder (C:\Program Files\Common Files\RSA Shared\Auth Data). I have checked permissions on both the source and destination and the user I am doing the installation as has write permissions (it is a domain administrator).

Action 16:24:04: Rollback_SdconfRec.
Action 16:24:04: Install_SdconfRec.
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> getting CustomActionData
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 234
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 0
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData is X|X|C:\Program Files\Common Files\RSA Shared\Auth Data\|C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Installed? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Remove All? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Scheduled? true
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Destination Path = C:\Program Files\Common Files\RSA Shared\Auth Data\
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Source Path = C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> sdconfrec File Name = sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Canonical Dest Path = C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> canonical source for sdconf.rec = C:\Users\ADMINI~1.SGP\AppData\Local\Temp\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> It's either a fresh install or a rollback of an uninstall
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Failed to copy file. 0
Action ended 16:24:04: InstallFinalize. Return value 3.
Action 16:24:04: Rollback. Rolling back action:
Rollback: Install_SdconfRec
Rollback: Rollback_SdconfRec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> getting CustomActionData
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 234
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData returned 0
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> CustomActionData is X|X|C:\Program Files\Common Files\RSA Shared\Auth Data\|C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Installed? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Remove All? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Scheduled? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? true
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Destination Path = C:\Program Files\Common Files\RSA Shared\Auth Data\
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Source Path = C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> sdconfrec File Name = sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Canonical Dest Path = C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> canonical source for sdconf.rec = C:\Users\ADMINI~1.SGP\AppData\Local\Temp\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> It's an uninstall.  Delete the file from C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** END *****

I will check if there are any differences in permissions on a member server.

Phil
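
The following PowerShell is an added example, not part of any post in this thread and not RSA's tooling. It groups the `(RSA-LOG)` lines of a log like the one above into one record per custom-action run, so the failing run's declared source, canonical source and destination paths can be checked directly. The function name `Get-RsaLogRun` is hypothetical, and the sample lines are copied from the posted log.

```powershell
# Added example. Sample lines are copied from the log posted above; for a real
# log, pass (Get-Content <verbose MSI log>) instead of $sample.
$sample = @'
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? false
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> File Source Path = C:\Users\{username removed}\Desktop\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Canonical Dest Path = C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> canonical source for sdconf.rec = C:\Users\ADMINI~1.SGP\AppData\Local\Temp\sdconf.rec
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Failed to copy file. 0
Action ended 16:24:04: InstallFinalize. Return value 3.
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** BEGIN *****
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> Rollback? true
~~~~~~ (RSA-LOG) :: Deferred_SdconfRec <=> ***** END *****
'@ -split "`r?`n"

function Get-RsaLogRun {   # hypothetical helper name
    param([string[]]$Lines)
    $run = $null
    foreach ($line in $Lines) {
        if ($line -match '\(RSA-LOG\) :: (\S+) <=> (.*)$') {
            $action = $Matches[1]; $msg = $Matches[2].Trim()
            if ($msg -eq '***** BEGIN *****') {
                if ($run) { $run }   # the failed run in the posted log never logs END
                $run = New-Object psobject -Property @{ Action = $action; Rollback = $null
                    Source = $null; CanonicalSource = $null; Dest = $null
                    Failure = $null; MsiReturn = $null }
            }
            elseif (-not $run) { continue }
            elseif ($msg -eq '***** END *****') { $run; $run = $null }
            elseif ($msg -match '^Rollback\? (true|false)$') { $run.Rollback = ($Matches[1] -eq 'true') }
            elseif ($msg -match '^File Source Path = (.+)$') { $run.Source = $Matches[1] }
            elseif ($msg -match '^canonical source for .+? = (.+)$') { $run.CanonicalSource = $Matches[1] }
            elseif ($msg -match '^Canonical Dest Path = (.+)$') { $run.Dest = $Matches[1] }
            elseif ($msg -match '^Failed to ') { $run.Failure = $msg }
        }
        # In a Windows Installer log, "Return value 3" marks the action that failed.
        elseif ($run -and $line -match 'Return value (\d+)\.') { $run.MsiReturn = [int]$Matches[1] }
    }
    if ($run) { $run }
}

# Show only runs that logged a failure, then test the paths that run really used.
Get-RsaLogRun $sample | Where-Object { $_.Failure } | ForEach-Object {
    $_ | Format-List Action, Rollback, Failure, MsiReturn, Source, CanonicalSource, Dest | Out-String
    if ($_.CanonicalSource) { "canonical source exists: " + (Test-Path -LiteralPath $_.CanonicalSource) }
    if ($_.Dest) { "destination folder exists: " + (Test-Path -LiteralPath (Split-Path $_.Dest -Parent)) }
}
```

Run it in the same elevated session used for the install so the two path checks reflect what the installer account can see.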
If it is truly an access problem, I would expect to also see an error in the Security Log (event viewer).  Do you have auditing turned on?  If not, turn it on this DC so that you get more information in the event viewer logs.

As a thought, you might want to copy the installation source files to the DC before starting the installation (total guess here)
ASKER CERTIFIED SOLUTION
vivistaltd

This solution is only available to members.
Oh... hmm, great troubleshooting... I'm glad you got this solved and for posting the resolution.