Support-Tip: (INSTALLATION): EXO Configuration Failure during installation

PRODUCTS INVOLVED

  • Microsoft Identity Manager 2016 Service Pack 1
  • Exchange Online

PROBLEM SCENARIO DESCRIPTION

When attempting to install MIM 2016 SP1 you may get the following error message when configuring a federated account. This can be caused by local security policies that are configured during server setup.

If you do see this message confirm that the MIMService account is not denied access to the computer from the network

NOTE How to get a windows installer log of the Service and Portal installation?

  1. Ensure that you have a Temp folder on Drive C
  2. Open an Administrative Command Prompt
  3. Navigate to the Installation Media
  4. Execute the following command-line
    msiexec /i “Service and Portal.msi” /l*v C:\Temp\ServicePortalInstalllog.txt
  5. Compress and send the ServicePortalInstalllog.txt

 

WINDOWS INSTALLER LOG EXCEPTION

——————————————————————————————————————–

NOTE How to locate the Windows Installer Exception?

  1. In the log file, look for the words Return Value 3
  2. Review the information just above Return Value 3

 

Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.delayExchangeOnlineAccountPassword

Exception thrown by custom action:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.Exception: Failed logon user while attempting to impersonate user: MIMService

at Microsoft.IdentityManagement.ServerCustomActions.Impersonator.Impersonate(String domain, String userName, String password)

at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.Encrypt(String accountDomain, String accountName, String accountPassword, String unencryptedString)

at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword(Session session)

— End of inner exception stack trace —

at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)

at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)

CustomAction EncryptExchangeOnlineAccountPassword returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Action ended 21:41:19: EncryptExchangeOnlineAccountPassword. Return value 3.

Action ended 21:41:19: INSTALL. Return value 3.

 

RESOLUTION STEPS

  1. From a command-prompt or the Run Window type secpol.msc to open the Local Security Policy
    1. From the Domain, it would be GPO
  2. Navigate to Local Policies > User Rights Assignment > Deny Access to this computer from the network
  3. If the Service Account for the MIM Service Account resides there, then remove it
  4. From an Administrative Command-Prompt, type gpupdate /force

ADDITIONAL INFORMATION / RESOURCES

Product Documentation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-ws2016
    • It is important to note, that the documentation recommends that the service accounts be added to this Local Security Policy.
    • It is not recommended at this point to add it back after the installation, as it will affect the Exchange Online related items.
[BLOG]: Support-Tip: (INSTALLATION): Installation Companion – Accounts Reference:
https://blogs.technet.microsoft.com/iamsupport/2018/05/09/support-tip-installation-installation-companion-accounts-reference/
    • This blog provides information on the accounts needed for a MIM installation.