Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 8705 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Error code 1603 when upgrading from SEC 5.0 to 5.1

RBGE

Hi,

I'm currently trying to upgrade an existing SEC 5.0 installation to 5.1, but it's failing with an error 1603 message "Unable to install Management Server - The MSI terminated unexpectedly".  I've followed the steps on http://www.sophos.com/en-us/support/knowledgebase/114627.aspx and also had a look through another post here ( /search?q= 22257 ) but haven't yet found a definite solution.

The Sophos_bootstrapper... log file has the following at the end:

31/05/2012 12:57:30, INFO : Ended installing Database32.msi
31/05/2012 12:57:32, INFO : Installation of Database succeeded
31/05/2012 12:57:32, INFO : Verifying files in folder
31/05/2012 12:57:34, INFO : Target folder verification completed successfully
31/05/2012 12:57:34, INFO : About to install Server32.msi
31/05/2012 13:06:18, INFO : Processing INSTALLMESSAGE_ERROR or INSTALLMESSAGE_FATALEXIT message from MSI
31/05/2012 13:06:18, INFO : Deactivate state: Installing
31/05/2012 13:06:18, INFO : Activate state: Failing
31/05/2012 13:07:03, INFO : Installation of Server32.msi failed with error code: 1603
31/05/2012 13:07:03, INFO : Ended installing Server32.msi
31/05/2012 13:07:05, INFO : Installation failed with error code: 1603
31/05/2012 13:07:05, INFO : Deactivate state: Failing
31/05/2012 13:07:05, INFO : Activate state: Failed
31/05/2012 13:07:05, INFO : Entered Installation failed page.
31/05/2012 13:07:27, INFO : Opening logs folder: C:\Documents and Settings\All Users\Application Data\Sophos\Management Installer
31/05/2012 13:07:27, ERROR : Could not open temp folder. ShellExecute() returned error: 33 - The process cannot access the file because another process has locked a portion of the file.

which seems odd because nothing else is running on the server (logged in as domain administrator for the installation, and log files are being created in the temp folder).  Additionally, the Sophos_Server32msi... log file contains the following:

MSI (s) (38:9C) [13:05:51:981]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8E.tmp, Entrypoint: InitializeDatabaseAndImportCertificates
SFXCA: Extracting custom action to temporary directory: C:\WINDOWS\Installer\MSI8E.tmp-SFXCA: Binding to CLR version v2.0.50727
Calling custom action EncryptionCustomActions!EncryptionCustomActions.CustomAction.InitializeDatabaseAndImportCertificates
InitializeDatabaseAndImportCertificates
About to call: Initialize
Succeeded: Initialize
Calling API function: CreateMiscClassInstance().
Completed API function: CreateMiscClassInstance().
About to call: Initialize
Succeeded: Initialize
About to call: InitializeDatabaseEx
Succeeded: InitializeDatabaseEx
About to call: AuthenticateOfficer
MSI (s) (38!64) [13:06:18:308]: Product: Sophos Management Server -- 1: You do not have sufficient rights to perform the action. Access is denied. 

Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> EncryptionCustomActions.SgnApiException: You do not have sufficient rights to perform the action. Access is denied.
   at EncryptionCustomActions.CustomAction.CallFunction(String functionName, Func`1 function, Session session, Base baseObject)
   at EncryptionCustomActions.CustomAction.InitializeDatabaseAndImportCertificates(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
MSI (s) (38:00) [13:06:20:418]: User policy value 'DisableRollback' is 0
MSI (s) (38:00) [13:06:20:418]: Machine policy value 'DisableRollback' is 0
Action ended 13:06:20: InstallFinalize. Return value 3.

which looks like there's a problem with importing the Safeguard certificate(???).  I don't have Safeguard Enterprise, just the standard version, but I do have a message in Enterprise Console saying my licence has been updated to the Data Protection Suite and have verified that the certificate passwords are entered correctly.

I suppose the obvious thing to try is to just forget about the encryption, but I'd really rather have it managed from the same console if possible - ideally importing the already encrypted machines.

Does anyone have any idea if I'm doing something wrong here?  Previous upgrades of both Safeguard Policy Editor and SEC have always gone without any problems until now.

Thanks in advance for any advice!

:25389


This thread was automatically locked due to age.
  • 0

    I'm having the same error.

    Upgrading from 5.0 to 5.1 and electing to import our safeguard clients.

    I have logged a support ticket with Sophos.

    :25417
  • 0

    Snap i have the same issue going from 4.7 to 5.1 with encryption, logged with Sophos support.

    :25433
  • 0

    HI,

    Do you have the Policy Editor installed on the same machine as the SEC Server? There should be a prerequisite check in the SEC Installer making sure the Policy Editor is not installed .  Do you have a full bootrap log from the install to see the result of the check?

    The installer logs are here:
    \programdata\sophos\Management Installer"

    or:
    "\Documents and Settings\All Users\Application Data\Sophos\Management Installer \"

    Regards,

    Jak 

    :25437
  • 0

    This post has been edited by moderator / Sophos Technical Support:-

    IMPORTANT

    Jak is asking if you had the Policy Editor installed.  He is NOT  advising that you uninstall the Policy Editor.  If you experience this problem, please do not uninstall the Policy Editor but contact Sophos Technical Support for further assistance. 

    jak wrote:

    HI,

    Do you have the Policy Editor installed on the same machine as the SEC Server?


    Yes, I do have Policy Editor installed on the same machine as SEC.  I never noticed anything in the upgrade guide regarding this (yes, I did actually read it :smileywink: ), but I'd be willing to try an upgrade after uninstalling it (thankfully the server is a VM, so when things go wrong, this is where snapshots come in handy).  I did have a look through the bootstrap log and found the following lines:

    31/05/2012 12:55:27, INFO : Running System Property Check: Sophos Safeguard Policy Editor installed on this computer...
31/05/2012 12:55:27, INFO : Product is not installed on local system. Upgrade code: {D4667A84-D644-40DA-8344-F1D9839C1BB4}
31/05/2012 12:55:27, INFO : System Property Check: Sophos Safeguard Policy Editor installed on this computer - PASSED

    I'll wait until later this afternoon when things are a bit quieter and give it a try after removing Policy Editor.

    Thanks for the advice!

    :25439
  • 0

    Thanks that worked for me although i did need to also manually create the SOPHOS51 and SOPHOSPATCH51 database and then run upgradedb.

    :25457
  • 0

    HI,

    Out of interest, what version of the policy editor is installed?

    Regards,

    Jak

    :25459
  • 0

    Same version here.

    Thought i had it all working but i get the following error now trying to open the default encrption policy

    Sophos.UIController.Extension.UIControllerException: The creator of this fault did not specify a Reason.
       at Sophos.Encryption.UI.EncryptionPolicyHandler.Edit(IntPtr parent, String name, String contentTag, IPolicyCallback policyCallback)
       at Sophos.UIController.Product.Policy.<>c__DisplayClass7.<EditPolicy>b__6()
       at Sophos.UIController.Product.Logging.LogMethod(MemberInfo method, Action func)
       at Sophos.UIController.Product.Policy.EditPolicy(IntPtr parent, String name, String contentTag, IPolicyCallback policyCallback)

    ----- [outer exception] -----
       -- error: 0x80004005 (Unspecified error)
       -- facility: Generic (System)

       at void __thiscall PolicyDialogViewer::ShowPolicy(struct ISMT_Policy *,class ATL::CWindow,const class bl::UIPermissions &,unsigned long,const class ProductReleaseData &,const class TranslationService &)
       at __w64 long __thiscall CPolicyTreeCtrl::OnEditPolicy(unsigned int,__w64 unsigned int,__w64 long,int &)
       at int __cdecl Run(int,class bl::CommandLine,enum bl::ConsoleType::Type)
       at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)

    :25467
  • 0

    Well after removing Policy Editor, the upgrade completed fine.  However, it didn't import any of the existing encrypted machines or policies (I suspect as a direct result of removing Policy Editor) and I've had to revert the snapshot.  I can't risk a faulty laptop coming back and not being able to retrieve files from the hard drive.

    I suppose if I can redeploy the encryption software from the new version of SEC I should then be able to use the in-built recovery to do this (since I still have all the machine certificates)??  It's a bit risky, but I may take advantage of one of the upcoming public holidays to test this out.  Alternatively, I suppose I could just submit a support ticket and see if anything else can be done.

    Thanks for the suggestion jak - it did in fact work!

    :25477
  • 0

    Hi All,


    Thank you for starting the thread.  


    Firstly installations of the Policy Editor are not compatible with the SEC Server on the same computer.  The option to display the Encryption workflow in the Enterprise Console 5.1 installation should have been prevented on detection of the installed Policy Editor.  


    The current installer (setup.exe) only checks for the upgrade code: {D4667A84-D644-40DA-8344-F1D9839C1BB4}, the version of the Policy editor you must have is identifiable by the upgrade code: {D4667A84-DF44-40DA-8344-F1D9839C1BB4}.  Note the one character difference. 


    @RBGE: 

    Enterprise Console does not take over the data from the Safeguard DB.  You would need to do the following to make the transition using the same server:


    1. Install the Policy Editor on another computer and connect it to the existing SafeGuard DB.


    2. Verify that the newly installed Policy Editor is working.


    3. Uninstall the Policy Editor from the SEC Server (this does not delete the SafeGuard DB and the newly installed Policy Editor still keeps working - This way you can continue managing his clients during the transition period).
     

    4. Upgrade SEC including the encryption feature + import the existing certificates.  In SEC define Full Disk Encryption policies and assign them to the appropriate groups (they only take effect when doing the next step: protect computers)

    5.From SEC use the protect computers wizard to deploy a new encryption agent and make the agents to connect to SEC (the clients stay encrypted and are sending their key backup and status data to SEC). This should be first done with a single test client and then continued step-by-step for a group of clients (the other clients can be still managed from the Policy Editor during the transition period).

    The following guide should help:http://www.sophos.com/en-us/medialibrary/PDFs/migration/encag_561_lmgeng.pdf

    @John_S:
    I would suggest that you log a case with support including a Diagnose log (http://www.sophos.com/en-us/support/knowledgebase/33533.aspx) so they can investigate the cause of the error message you see.  I would also suggest ensuring that the file "EncryptionFEService.log" is included, this can be found here: C:\Documents and Settings\All Users\Application Data\Sophos\ManagementServer\log. or under C:\ProgramData\ depending on your OS. 

    Regards

    :25487