
Sophos Management Service Error

Hello,

Sophos Management Service cannot start, with the following error:

*****

Windows could not start the Sophos Management Service service on local computer.

Error 0x80131604:0x80131604

*****

Sophos Enterprise Console; 4.5.1

Microsoft Windows 2008 R2 x64 standard

Thanks,

:8219


This thread was automatically locked due to age.
  • Hi,

    What is the error text in the Application Event log when you attempt to start the Sophos Management Service?

    Regards,

    Jak

    :8243
  • The description for Event ID 8004 from source Sophos Management Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:


    Step: Enforcing the system invariants
    Error: Runtime error
    Data: 0x80131604 - Exception has been thrown by the target of an invocation.

    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
       at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle._InvokeConstructor(Object[] args, SignatureStruct& signature, IntPtr declaringType)
       at System.RuntimeMethodHandle.InvokeConstructor(Object[] args, SignatureStruct signature, RuntimeTypeHandle declaringType)
       at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
       at System.Security.Cryptography.MD5.Create(String algName)
       at System.Security.Cryptography.MD5.Create()
       at Sophos.Management.Hasher..ctor()
       at Sophos.Management.Hasher.Create()
       at Sophos.Management.Hasher.Create(Byte[] value)
       at Sophos.Management.Hasher.GetHash(Byte[] value)
       at Sophos.Management.Security.Secret..ctor(String str)
       at Sophos.Management.Services.SecretStore.AddOrUpdateSecret(String ticket, String secret, Boolean encode)
       at Sophos.Management.Services.SecretStore.AddSecret(String secret, Boolean encode)
       at Sophos.Management.Services.SystemSecretCollector.AddSecret(String secret, Boolean encode)

    ****

    I repaired it, but that did not solve the problem.

    :8245
  • Hello,

    I solved it. Thank you for the suggestion.

    Disable FIPS, following this line: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    Regards,

    :8247
  • Hi,

    Did you set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

    Enabled to 0

    Regards,

    Jak

    Edit:
    I guess the GPO: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" controls the above registry key so you might need to change that at least in a policy linked to the OU where the SEC management server resides if that's how it was enabled?

    :8249
  • Hello,

    Why does the Sophos Management Service have a conflict with FIPS?

    Regards,

    :8251
  • Hi,

    From the stack trace it looks like the management service uses MD5CryptoServiceProvider, which is not a FIPS 140 standard algorithm. That's not to say it's necessarily insecure in doing so; it just depends on why it's using it. I would think it could be switched for SHA1 as a hash algorithm instead in the future. Maybe worth contacting Support and mentioning it.

    Regards,
    Jak

    :8253
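Added example, not part of the original thread and not Sophos code: a PowerShell check that reads the `FipsAlgorithmPolicy` value named above and tries to construct the two hash providers discussed in the thread, reporting which ones the current policy rejects. The function names are hypothetical.

```powershell
# Added diagnostic example; function names are hypothetical, not Sophos tooling.
# The registry key and value name are the ones quoted in the thread.
function Get-FipsPolicyState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop)     { return 'NotConfigured' }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Try to construct each hash provider and report the innermost exception,
# which is where the "not part of the Windows Platform FIPS validated
# cryptographic algorithms" message appears in the event log above.
function Test-HashProvider {
    param([string[]]$TypeName)
    foreach ($name in $TypeName) {
        $ok = $false; $msg = ''
        try {
            $hasher = New-Object -TypeName $name -ErrorAction Stop
            $hasher.Clear()   # release the provider handle
            $ok = $true
        } catch {
            $e = $_.Exception
            while ($e.InnerException) { $e = $e.InnerException }
            $msg = $e.Message
        }
        New-Object PSObject -Property @{ Type = $name; Constructs = $ok; Error = $msg }
    }
}

"FIPS policy (registry): $(Get-FipsPolicyState)"
Test-HashProvider -TypeName @(
    'System.Security.Cryptography.MD5CryptoServiceProvider',
    'System.Security.Cryptography.SHA1CryptoServiceProvider'
) | Format-Table Type, Constructs, Error -AutoSize -Wrap
```

Run it in a new PowerShell session after any policy change so the result reflects the current setting rather than one read earlier by the same process.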
  • Hi

    I'm getting "Windows could not start the Sophos Management Service on local computer" when I try to start it from Services...

    Can you help?


    jak wrote:

    Hi,

    Did you set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

    Enabled to 0

    Regards,

    Jak

    Edit:
    I guess the GPO: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" controls the above registry key so you might need to change that at least in a policy linked to the OU where the SEC management server resides if that's how it was enabled?


    Yes it was already set to 0


    :10327
  • If you are running SEC 4.5 what does it say in the application event log when you try to start the service?

    Maybe one of these is relevant:

    http://www.sophos.com/support/knowledgebase/article/111898.html


    Regards,

    Jak

    :10331
  • I guess the problem is related to the fact that we were using SBS2008 and at the time SBE did not support the OS,

    so we were given a special license to use the Enterprise console since it was the only product which supported the OS.

    Now that the new SBE is out, we decided to remove the Enterprise Console and install the new SBE, but we are getting an error that the Sophos Management Service could not be started.

    :10333
    I would think the management service is taking exception to the unexpected database. The ESC and SBS databases are very similar, but not to the point where you can point the management service at either. That being said, there is no migration from SBS to ES unfortunately, but we can do things beforehand to minimize the churn required, e.g. save you having to reprotect all the clients. Sadly, at the moment I don't have quite enough information.

    As a bit of information, the names of the Sophos databases are as follows for the different products:

    SBS2 =  SOPHOS2
    SBS4 =  SOPHOS4

    ES 3  = SOPHOS3
    ES4  = SOPHOS4
    ES4.5 = SOPHOS45

    So you can see SBS and ES4 have the same database name.

    Before I suggest anything can you run:
    OSQL -E -S .\SOPHOS -Q "SELECT Name from sysdatabases"

    and post the results?  I assume in the above command the instance in use is called SOPHOS.

    The following 2 articles will help you to establish the instance name being used and the version of SQL it is contained within.
    http://www.sophos.com/support/knowledgebase/article/113030.html
    http://www.sophos.com/support/knowledgebase/article/113034.html
    Can you obtain this information also?

    Also, what version of ES did you have, SEC 3 or SEC 4?

    Do you have any other products such as PureMessage that are using the same database instance?

    I'd like to suggest removing the existing database instance but I don't have enough information to know if this is safe.  If you could I would, SBS will install a SOPHOS instance of SQL Express.

    The process would be something like:

    1. Backup the cert auth store
    HKEY_LOCAL_MACHINE\SOFTWARE\[wow6432node]\Sophos\Certification Manager\CertAuthStore

    2. Uninstall ES
    3. Remove the database.
    4. Reboot is probably a good idea
    5. Check that the above backed-up key is still present on startup.  It should be, but at least it's backed up if not.  If it's not, reimport it.
    6. Install SBS
    7. With the certificates being the same, the clients should start to appear in the SBS console as they message in.

    Regards,

    Jak

    :10345
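Added example, not part of the original thread and not Sophos code: one way to script steps 1 and 5 of the procedure above, exporting the `CertAuthStore` key before the uninstall and comparing it after the reboot. The function names and the backup file path are hypothetical; the key path is the one given in step 1.

```powershell
# Added example; function names and file paths are hypothetical.
# Wow6432Node is only present on 64-bit Windows, so both variants are tried.
function Get-CertAuthStoreKey {
    $subKeys = @(
        'SOFTWARE\Wow6432Node\Sophos\Certification Manager\CertAuthStore',
        'SOFTWARE\Sophos\Certification Manager\CertAuthStore'
    )
    foreach ($sub in $subKeys) {
        if (Test-Path -Path ("HKLM:\" + $sub)) { return ("HKLM\" + $sub) }
    }
    throw 'CertAuthStore key not found under either path.'
}

function Export-CertAuthStore {
    param([string]$File)
    $key = Get-CertAuthStoreKey
    & reg.exe export $key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
    return $key
}

# Re-export the live key and compare it line by line with the backup.
# Throws (via Get-CertAuthStoreKey) if the key has disappeared.
function Test-CertAuthStoreUnchanged {
    param([string]$BackupFile)
    $now = Join-Path $env:TEMP 'CertAuthStore-current.reg'
    Export-CertAuthStore -File $now | Out-Null
    $diff = Compare-Object (Get-Content $BackupFile) (Get-Content $now)
    Remove-Item -Path $now -ErrorAction SilentlyContinue
    return ($null -eq $diff)
}

# Step 1, before uninstalling:
#   Export-CertAuthStore -File 'C:\Backup\CertAuthStore.reg'
# Step 5, after the reboot:
#   Test-CertAuthStoreUnchanged -BackupFile 'C:\Backup\CertAuthStore.reg'
#   reg.exe import 'C:\Backup\CertAuthStore.reg'   # only if the key is missing
```

The exported file holds the management server's certificate store, so keep it in a location with restricted access and delete it once the new console is confirmed working.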