- Microsoft Identity Manager 2016 Service Pack 1 (4.4.1302.0)
- Service and Portal Installation
- Microsoft Windows Server 2016
PROBLEM SCENARIO DESCRIPTION
- In this scenario, we are attempting to execute an installation of the Service and Portal on a Windows Server 2016 machine and it is failing.
NOTE: When troubleshooting an installation failure, it is always recommended to obtain a Windows Installer verbose log.
How to get a Windows Installer verbose log?
Documentation (Knowledge Base Article): https://support.microsoft.com/en-us/help/223300/how-to-enable-windows-installer-logging
Review a Windows Installer verbose log
WINDOWS INSTALLER ERROR MESSAGE
MSI (s) (C4:48) [12:05:12:740]: Executing op: ActionStart(Name=InstallCerts,,)
Action 12:05:12: InstallCerts.
MSI (s) (C4:48) [12:05:12:740]: Executing op: CustomActionSchedule(Action=InstallCerts,ActionType=11266,Source=BinaryData,Target=**********,)
CustomAction InstallCerts returned actual error code 5 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (C4:48) [12:05:12:990]: Note: 1: 1722 2: InstallCerts 3: C:\Windows\Installer\MSIC26E.tmp 4: **********
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action InstallCerts, location: C:\Windows\Installer\MSIC26E.tmp, command: **********
MSI (s) (C4:48) [12:07:57:707]: Product: Microsoft Identity Manager Service and Portal — Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action InstallCerts, location: C:\Windows\Installer\MSIC26E.tmp, command: **********
KEYWORDS IN WINDOWS INSTALLER ERROR MESSAGE
Failing on Windows Installer Custom Action InstallCerts
CustomAction InstallCerts returned actual error code 5
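To pull these keywords out of a full verbose log instead of searching by eye, the following added example (not part of the original post or of any Microsoft tooling) scans log text for custom actions that reported an error code and pairs each with its Error 1722 note. The function name, the result fields and the small error-code table are assumptions made for illustration; the sample lines are copied from the excerpt above.

```python
import re

# Win32 codes worth naming here; 5 is the code reported in this page's log.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

ACTION_START = re.compile(
    r"\[(\d\d:\d\d:\d\d:\d{3})\]: Executing op: ActionStart\(Name=([^,)]+)")
RETURNED = re.compile(r"CustomAction (\S+) returned actual error code (-?\d+)")
NOTE_1722 = re.compile(r"Note: 1: 1722 2: (\S+) 3: (.+?) 4: ")

# Lines copied from the log excerpt on this page.
SAMPLE_LOG = r"""
MSI (s) (C4:48) [12:05:12:740]: Executing op: ActionStart(Name=InstallCerts,,)
Action 12:05:12: InstallCerts.
CustomAction InstallCerts returned actual error code 5 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (C4:48) [12:05:12:990]: Note: 1: 1722 2: InstallCerts 3: C:\Windows\Installer\MSIC26E.tmp 4: **********
"""


def failed_custom_actions(log_text):
    """Return one finding per custom action that reported an error code."""
    started = {}    # action name -> timestamp of its ActionStart op
    findings = {}   # action name -> finding dict, in log order
    for line in log_text.splitlines():
        if m := ACTION_START.search(line):
            started[m.group(2)] = m.group(1)
        elif m := RETURNED.search(line):
            name, code = m.group(1), int(m.group(2))
            findings[name] = {
                "action": name,
                "code": code,
                "meaning": WIN32_ERRORS.get(code, "unknown"),
                "started": started.get(name),
                "location": None,
            }
        elif (m := NOTE_1722.search(line)) and m.group(1) in findings:
            # The Error 1722 note carries the temp file the action ran from.
            findings[m.group(1)]["location"] = m.group(2)
    return list(findings.values())


if __name__ == "__main__":
    for f in failed_custom_actions(SAMPLE_LOG):
        print(f"{f['action']} failed with {f['code']} ({f['meaning']}), "
              f"started {f['started']}, ran from {f['location']}")
```

Verbose logs written by Windows Installer are typically UTF-16 encoded, so read the file with that encoding before passing its text to the function.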
PROCESS MONITOR LOG
- Review the properties of one of the Access Denied lines and you will find on the Process Tab the account that is executing the action. In this case, it is the NT AUTHORITY\SYSTEM account.
- While one of those lines is highlighted, from the Event Menu, select Jump To (or Press CTRL+J) and it will take you to the location in question.
- We reviewed the folder permissions for the MachineKeys folder under %programdata%\Microsoft\Crypto\RSA and found that it contained the NETWORK SERVICE account.
NOTE: It is recommended that you keep the default permissions on this folder, as changing them may cause problems when attempting to add private keys.
Default Permissions for the Machine Keys folders: https://support.microsoft.com/en-us/help/278381/default-permissions-for-the-machinekeys-folders
- Removed the NETWORK SERVICE account from the Security Tab of the %programdata%\Microsoft\Crypto\RSA\MachineKeys folder.
Other installation Support Blogs
- Support-Tip: (INSTALLATION): Installation Companion – Accounts: https://blogs.technet.microsoft.com/iamsupport/2018/05/09/support-tip-installation-installation-companion-accounts-reference/
- Support-Info: (INSTALLATION): Troubleshooting MIM Service/Portal Install/Upgrade IsSharePointAdminServiceRunning Error: https://blogs.technet.microsoft.com/iamsupport/2018/04/26/support-info-installation-troubleshooting-mim-serviceportal-installupgrade-issharepointadminservicerunning-error/
- Support-Info: (INSTALLATION): Sync Engine fails to uninstall: Microsoft Identity Manager Synchronization Service was not successfully installed: https://blogs.technet.microsoft.com/iamsupport/2018/04/25/support-info-installation-sync-engine-fails-uninstall-microsoft-identity-manager-synchronization-service-was-not-successfully-installed/