MIM2016SP1 Service and Portal Install Error

    General discussion

  • I have been pulling my hair out with this for some time now. I have been searching only through various TechNet posts and a handful of other sites and I have yet to be able to get a successful install of the MIM2016 service.

    My lab environment includes:

    Server 2016 DC

    Server 2016 MIM server (SQL2016, Sharepoint2016)

    Server 2012R2 MIM server (SQL2014, SharePoint2013SP1), tried this since I couldn't get it to install on the 2016 server

    Server 2012R2 Exchange Server with 2013Sp1 installed

    Errors in log file

    Lots of these, but they seem to be in any copy of the ISO that I download, so I assume this is normal

    DEBUG: Error 2826:  Control ckboxUseSSL on dialog ExchAndCertificateDlg extends beyond the boundaries of the dialog to the right by 15 pixels
    The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2826. The arguments are: ExchAndCertificateDlg, ckboxUseSSL, to the right

    DEBUG: Error 2769:  Custom Action ValidateSyncAccount did not close 1 MSIHANDLEs.
    The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: ValidateSyncAccount, 1, 
    Action ended 13:31:34: ValidateSyncAccount. Return value 1.

    This seems to be the fatal error the installer experiences:

    CAQuietExec:  
    CAQuietExec:  URL reservation delete failed, Error: 2
    CAQuietExec:  The system cannot find the file specified.
    CAQuietExec:  
    CAQuietExec:  
    CAQuietExec:  Error 0x80070001: Command line returned an error.
    CAQuietExec:  Error 0x80070001: CAQuietExec Failed
    CustomAction DeleteResourceEndpointAcl returned actual error code 1603 but will be translated to success due to continue marking
    MSI (s) (C4:EC) [13:32:14:893]: Executing op: ActionStart(Name=RollbackAclResourceEndpoint,,)

    Also this error is listed:

    CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    06/01/2018 13:32:27.827 [5828]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393

    And then the final summary

    === Logging stopped: 6/1/2018  13:34:40 ===
    MSI (c) (E8:5C) [13:34:40:353]: Note: 1: 1708 
    MSI (c) (E8:5C) [13:34:40:353]: Product: Microsoft Identity Manager Service and Portal -- Installation failed.

    MSI (c) (E8:5C) [13:34:40:354]: Windows Installer installed the product. Product Name: Microsoft Identity Manager Service and Portal. Product Version: 4.4.1302.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

    MSI (c) (E8:5C) [13:34:40:358]: Grabbed execution mutex.
    MSI (c) (E8:5C) [13:34:40:358]: Cleaning up uninstalled install packages, if any exist
    MSI (c) (E8:5C) [13:34:40:359]: MainEngineThread is returning 1603
    === Verbose logging stopped: 6/1/2018  13:34:40 ===

    I've searched and searched for any information on these but I haven't been able to really find much information on it, so any help would be greatly appreciated.


     
    Friday, June 1, 2018 6:21 PM

All replies

  • Can we talk about how you installed SharePoint? Before proceeding with the MIM Portal installation were you able to open the empty "MIM Portal" application site? 

    http://www.wapshere.com/missmiis

    Friday, June 8, 2018 10:09 PM
  • I followed the walkthrough here: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam using the following commands to install SharePoint 2013 SP1.

    Created the Web Application:

    $dbManagedAccount = Get-SPManagedAccount -Identity PRIV\Sharepoint
    New-SpWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 82 -URL http://PAMSrv12.PRIV.***.****.***

    Created the Site Collection:

    $w = Get-SPWebApplication http://PAMSrv12.PRIV.***.****.***:82
    New-SPSite -Url $w.Url -OwnerAlias PRIV\MIMAdmin -Template "STS#1" -CompatibilityLevel 14
    $s = Get-SPSite $w.Url
    $s.AllowSelfServiceUpgrade = $false
    $s.CompatibilityLevel

    And then disable the server side viewstate and SPTimerJob

    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
    $contentService.ViewStateOnServer = $false;
    $contentService.Update();
    Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

    Once these were run I was able to browse to the site: http://PAMSrv12.PRIV.***.****.***:82. The only thing was that the page was not named MIM Portal at the top, it just had Team Site. From Site Settings > Title, Description, and Icon, I changed the Title to MIM Portal.

    Monday, June 11, 2018 12:57 PM
  • This is my script. After running it I can see the empty "MIM Portal" site, and I only proceed with the Portal installation once I've checked that's ok. One thing I do notice is that I'm using compatibility level 15, and you've got 14.

    #Add SPF PSSnapin
    Add-PSSnapin Microsoft.SharePoint.PowerShell

    $Url = "http://mimportal.mydomain.com"
    $DBName = "SharePoint_Config_MIM"
    $DBServer = "MySQLServer\Instance"
    $SVCAccount = "MYDOMAIN\svc_mimsp"

    ## Create Web Application
    $dbManagedAccount = Get-SPManagedAccount -Identity $SVCAccount
    New-SpWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL $Url -DatabaseName $DBName -DatabaseServer $DBServer

    ## Create SharePoint Site Collection
    $t = Get-SPWebTemplate -compatibilityLevel 15 -Identity "STS#1"
    $w = Get-SPWebApplication $Url
    New-SPSite -Url $w.Url -Template $t -OwnerAlias $SVCAccount -CompatibilityLevel 15 -Name "MIM Portal"

    ## Disable jobs
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
    $contentService.ViewStateOnServer = $false;
    $contentService.Update();
    Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

    ## Check site opens
    start-process $Url


    http://www.wapshere.com/missmiis


    Tuesday, June 12, 2018 10:35 PM
  • So after you run this script you are able to install the service and portal without the install failing? I will give it a shot and report back.
    Wednesday, June 13, 2018 12:23 PM
  • No change. I applied this method to both my 2012R2 environment and my 2016 and received the same original error.

    Playing around with the "Service and Portal.msi" install options I was able to get the portal to install without anything else selected, but attempting to install the service always results in the same error and roll back action.

    Wednesday, June 13, 2018 5:12 PM
  • I'm sure this is a dumb question - you're running msiexec from an Administrator command prompt, with desktop logged in as the same account you used to install SharePoint?

    I know that "extends beyond the boundary" message is normal - I've definitely seen that one.

    Not sure about the Sync account one - what did you give it as the Sync account? I always use the Sync Service service account for the MIM MA account, but according to the MS instructions it's supposed to be a different account, it's just I remember that causing a problem with one version many years ago, so I've stuck to using the Sync Service account ever since.


    http://www.wapshere.com/missmiis

    Friday, June 15, 2018 5:17 AM
  • Yes, I am using the same account that I used to install SharePoint to run the msiexec.

    I am using Priv\MIMSync as the sync account and Priv\MIMMA for the management account.

    Service and Portal.msi entries

    - Left defaults on the database connection

    - entered my Exchange server info

    - generated a new self issued cert

    - MIM service account

           MIMservice

           PASSWORD

           PRIV

           MIMService@PRIV.***.****.***

    - Sync Server: PAMSrv12 (local server)

    - Management account: PRIV\MIMMA

    - MIM service server address: PAMSrv12*

    - SharePoint site collection: http://mimportal.priv.***.****.***

    - Did not edit the registration Portal URL

    - selected check boxes for opening ports and grant authenticated users access to portal

    I can't come up with anything else to try; no matter what, it ends in this error.

    Friday, June 15, 2018 2:34 PM
  • Also just found this error in the log file, not sure if it's any more helpful

    Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 396

    06/15/2018 11:16:04.773 [3108]: Detailed info about C:\Windows\assembly\tmp\WX3NQNQG\Newtonsoft.Json.dll

    06/15/2018 11:16:04.773 [3108]: File attributes: 00000080

    06/15/2018 11:16:04.800 [3108]: Restart Manager Info: 1 entries

    06/15/2018 11:16:04.801 [3108]: App[0]: (3108) Windows Installer (msiserver), type = 3 

    06/15/2018 11:16:04.801 [3108]: Security info:

    06/15/2018 11:16:04.801 [3108]: Owner: S-*-*-**
    06/15/2018 11:16:04.802 [3108]: Group: S-*-*-**

    06/15/2018 11:16:04.802 [3108]: DACL information: 4 entries:

    06/15/2018 11:16:04.802 [3108]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-*-*-**

    06/15/2018 11:16:04.802 [3108]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-*-*-**

    06/15/2018 11:16:04.803 [3108]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-*-*-**
    06/15/2018 11:16:04.803 [3108]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-*-*-**
    Action ended 11:16:04: InstallExecute. Return value 3.

    Friday, June 15, 2018 3:23 PM
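
Added example, not part of the original thread or any poster's reply: a PowerShell triage of the verbose MSI log lines quoted above. It separates custom-action failures the installer ignores from the ones that abort it, maps Win32-facility HRESULTs to their messages, and decodes the DACL masks as file system rights. `Get-MsiLogTriage` is a hypothetical helper name, and the sample lines are copied from the excerpts in this thread.

```powershell
# Added example: Get-MsiLogTriage is a hypothetical helper, not a Microsoft cmdlet.
# The sample lines are copied from the log excerpts quoted in this thread.
$sample = @'
CAQuietExec:  Error 0x80070001: Command line returned an error.
CustomAction DeleteResourceEndpointAcl returned actual error code 1603 but will be translated to success due to continue marking
CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
06/15/2018 11:16:04.773 [3108]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 396
06/15/2018 11:16:04.802 [3108]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-*-*-**
06/15/2018 11:16:04.803 [3108]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-*-*-**
Action ended 11:16:04: InstallExecute. Return value 3.
'@ -split "`r?`n"

function Get-MsiLogTriage {
    param([string[]]$Line)
    foreach ($l in $Line) {
        switch -Regex ($l) {
            # Custom action exit codes: a result "translated to success" does not abort the install
            'CustomAction (\S+) returned actual error code (\d+)' {
                $kind = if ($l -like '*translated to success*') { 'Ignored' } else { 'Failed' }
                [pscustomobject]@{ Kind = $kind; Item = $Matches[1]; Detail = "exit code $($Matches[2])" }
                break
            }
            # Win32-facility HRESULTs (0x8007xxxx): the low 16 bits are a Win32 error code
            '(?:hr=|Error 0x)8007([0-9A-Fa-f]{4})' {
                $code = [Convert]::ToInt32($Matches[1], 16)
                $msg  = (New-Object System.ComponentModel.Win32Exception $code).Message
                [pscustomobject]@{ Kind = 'HRESULT'; Item = "0x8007$($Matches[1])"; Detail = "Win32 error $code ($msg)" }
                break
            }
            # ACE access masks on the file the installer could not remove
            'ACE\[(\d+)\].*Mask = ([0-9A-Fa-f]{8})' {
                $rights = [System.Security.AccessControl.FileSystemRights]([Convert]::ToInt32($Matches[2], 16))
                [pscustomobject]@{ Kind = 'ACE'; Item = "ACE[$($Matches[1])]"; Detail = "$rights" }
                break
            }
            # "Return value 3" marks the action that actually failed the install
            'Action ended [\d:]+: (\S+)\. Return value 3\.' {
                [pscustomobject]@{ Kind = 'Fatal'; Item = $Matches[1]; Detail = 'Return value 3 (action failed)' }
            }
        }
    }
}

# For a real log, pass (Get-Content <path to the msiexec /l*v log>) instead of $sample.
Get-MsiLogTriage -Line $sample | Format-Table -AutoSize
```
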
  • Hi David,

    I have experienced this issue, and the cause was that the installation media was for some reason corrupted; the other thing I had to do was make sure the User and Service account had full rights to create and own the DB.

    Also check if you are running with full admin rights on the server, make sure no lock down policies are applied.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, June 20, 2018 3:01 PM
  • Thanks for all the ideas so far but still no luck. I re-downloaded the install media; the user account used to install is a domain and local admin as well as a sysadmin to the db. Same goes for the service account (trying to completely rule out permission issues from the equation).
    Wednesday, June 20, 2018 6:09 PM
  •  Hi,

    Have you verified if there is any Firewall in between and ports are opened for the FIM/MIM?

    Also any Group Policy lockdown? Delete any old folder related to Forefront from the program files and registry before reinstallation.


    Regards, Jim MSCS - MCP

    Thursday, June 21, 2018 9:45 AM
  • No firewalls turned on.

    I am rebuilding my environment with the bare minimum to see if anything changes. 

    Monday, June 25, 2018 12:38 PM
  • Jimmy, turns out that this was it. I rebuilt my entire environment (Corpdc, PRIVdc and my MIM server). I was using a Secure Host Baseline for my DCs; looks like it was a local policy that was blocking the install, as that's really all that was changed. With that being said, I now need to reapply policies back to the environment. Is there a list somewhere of everything that MIM and PAM need to operate? Thank you.
    Tuesday, June 26, 2018 2:33 PM
  • Hi David,

    Yes, you can apply the policy back to the server; however, you can also follow the baseline guide over here.

    https://gallery.technet.microsoft.com/FIM-2010-Planning-security-4e2a7b2e

    As always if my posts and answers are helpful, please vote and mark as answer.



    Regards, Jim MSCS - MCP

    Tuesday, June 26, 2018 2:44 PM
  • I voted but I do not see a button to mark as answer.
    Tuesday, June 26, 2018 2:50 PM