FIM Service and Portal Installation Ends Prematurely RRS feed

  • Question

  • Hey Everyone, I've been installing FIM components on a customers production environment and I've run into a problem that I cannot solve. Before I get into the problem, let me give you a background of their environment. We recently installed FIM Sync on a separate machine. We have a DC machine. We have a SQL machine. On the machine I am working on, it is a Windows Server 2012. It has SharePoint Foundation 2013 and we are trying to install FIM Service and Portal on it. 

    The problem is that whenever we try to install the Service and Portal, the installation will start and will stop near the end, rollback, and says that the installation ended prematurely. I run a verbose logging because we are not receiving any errors anywhere and everything seems to be working. The error that I found in the verbose log is as follows:

    CustomAction SetPolicyforServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 15:59:41: InstallExecute. Return value 3.

    After that, the system starts to roll back the installation. Does anyone have any idea what the issue is/how to fix it? If you need any clarification, please dont hesitate to ask. I'll try and respond as quick as I can.

    Thanks a lot!

    Friday, December 20, 2013 1:48 AM

All replies

  • Hello,

    never seen that error and it does not say anything to me, but how did you install and config the Sp 2013 ?

    Take a look and these article, all my installs went fine with this.

    in addition, maybe this helps too:

    also make sure to start the install from an elevated command prompt, just to make sure there is no permission error.


    Peter Stapf - Doeres AG - My blog:

    Friday, December 20, 2013 7:27 AM
  • Yeah, it is very strange. I go to the event viewer and there is no logs. All the SharePoint sites I try to go to seem to work. I actually have looked at both of those articles. I even uninstalled SharePoint and Re-Installed it according to the first article as well as the FIM Installation Guide ( Everything seems to check out correctly. And yes, I even run cmd as admin and try and install the service & portal. 

    It is very annoying because everytime I want to see if the installation will work now, I have to start the installation from the brggining and enter all the service accounts, passwords, etc.

    If anyone has any other ideas, it would be greatly appreciated. If this doesn't work, we will have to open a new case with microsoft but we have 4 cases a year (starting in November) and we have already used one up so I don't want to run out of them so quickly. They are very expensive to buy.

    Thanks for all your help,

    Ramiz Andoni

    Monday, December 23, 2013 2:14 PM
  • Run setup through msiexec with log option and look in log file - look for return value 3 and then information somewhere before it. Usually cause for such problems is easily to be found in the log. 

    Tomek Onyszko, memberOf Predica FIM Team (, IdAM knowledge provider @

    Monday, December 23, 2013 2:32 PM
  • Sorry but is that now what I have in the first post. I will post more of the logfile below. I bolded the return value 3 so you can see it easier. Can you locate the issue? (On a side note, I also tried to install BHOLD Core on another machine and it ended prematurely too):

    MSI (s) (24:38) [15:59:41:651]: Executing op: ActionStart(Name=SetPolicyforServiceAccount,,)
    Action 15:59:41: SetPolicyforServiceAccount. 
    MSI (s) (24:38) [15:59:41:651]: Executing op: CustomActionSchedule(Action=SetPolicyforServiceAccount,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (24:48) [15:59:41:667]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI1723.tmp, Entrypoint: SetPolicyforServiceAccount
    MSI (s) (24:0C) [15:59:41:667]: Generating random cookie.
    MSI (s) (24:0C) [15:59:41:667]: Created Custom Action Server with PID 8540 (0x215C).
    MSI (s) (24:B8) [15:59:41:682]: Running as a service.
    MSI (s) (24:B8) [15:59:41:682]: Hello, I'm your 64bit Elevated custom action server.
    CustomAction SetPolicyforServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 15:59:41: InstallExecute. Return value 3.
    MSI (s) (24:38) [15:59:41:760]: Note: 1: 2265 2:  3: -2147287035 
    MSI (s) (24:38) [15:59:41:760]: User policy value 'DisableRollback' is 0
    MSI (s) (24:38) [15:59:41:760]: Machine policy value 'DisableRollback' is 0
    MSI (s) (24:38) [15:59:41:760]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1133739893,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
    MSI (s) (24:38) [15:59:41:760]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (24:38) [15:59:41:760]: Executing op: DialogInfo(Type=1,Argument=Forefront Identity Manager Service and Portal)
    MSI (s) (24:38) [15:59:41:760]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    Action 15:59:41: Rollback. Rolling back action:
    Rollback: SetPolicyforServiceAccount

    Monday, December 23, 2013 4:19 PM
  • Any ideas guys?
    Monday, December 30, 2013 8:53 PM
  • Rami

    I would have to take a closer look at the code to verify this but based on the name of the custom action, I would think this is where setup is attempting to give the service account specific rights, such as 'log on as a service'. If you have a hardened environment from a security perspective, perhaps there are policies already in place that don't allow being able to do this. I would check your security event log as well on this machine, it might show a failure to assign permissions.

    As a possible test, you can assign this user right manually before attempting the install.

    Wednesday, January 1, 2014 8:13 AM
  • I recommend verifying the pre-requisites:

    I haven't messed with SP 2013 much, but if it is similar to 2010 you should also make sure the install account is a Site Collection Admin and Farm admin.

    Friday, January 3, 2014 7:23 PM
  • Hey, thanks both for the responses. This has been a bit tricky for me. I've installed this in the enviornment and it worked out okay. For this installation, I have followed the documentation for the Sharepoint 2013 Installation that you posted above (and checked it again to make sure) and configured the FIM Service service account as described in the documentation with all the necessary permissions. That is the frustrating part. I know that the service account is configured correctly.

    Could the error(s) I'm receiving mean anything else? Any other things I should double-check?

    Thanks again!


    Friday, January 3, 2014 10:12 PM