MBAM Installation Failing with MSI error code 1603


  • PoorFairFairAverageAverageGoodGoodExcellentExcellent
    I am trying to install the MBAM Administration and Monitoring Server on Windows Server 2008R2.  I have passed all the pre-requisite checks and have the database installed with reports successfully running on a separate SQL server instance.  I am not encrypting communications between the servers at this point as we just want to evaluate MBAM functionality.

    I have a local admin account I'm using to install the server components which has CRUD access on the SQL database instance.  There is a different service account running the SQL instance.  The local admin account I'm using was used to set all the prerequisites, but is not the System account.

    The wizard runs for a period of time before failing.  The error code appears to point to the need to run the setspn command.  However, it is not clear in the documentation what objects and services need to have the SPN set in order to make this installation succeed.  

    Any help is appreciated.

    In searching the MSI log, I see this with a Return Value of 3 (Excerpt from log):

    1: Publishing product information 
    Action ended 15:44:50: PublishProduct. Return value 1.
    MSI (s) (C8:D8) [15:44:50:142]: Doing action: InstallExecuteAgain
    Action 15:44:50: InstallExecuteAgain. 
    Action start 15:44:50: InstallExecuteAgain.
    MSI (s) (C8:D8) [15:44:50:158]: Running Script: C:\Windows\Installer\MSI33DF.tmp
    MSI (s) (C8:D8) [15:44:50:158]: User policy value 'DisableRollback' is 0
    MSI (s) (C8:D8) [15:44:50:158]: Machine policy value 'DisableRollback' is 0
    MSI (s) (C8:D8) [15:44:50:158]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1064402329,LangId=1033,Platform=589824,ScriptType=1,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
    MSI (s) (C8:D8) [15:44:50:158]: Executing op: ProductInfo(ProductKey={9161999C-E0D9-4418-8CFB-19D938A7F7F2},ProductName=Microsoft BitLocker Administration and Monitoring,PackageName=MBAE17D.MSI,Language=1033,Version=16778453,Assignment=1,ObsoleteArg=0,,,PackageCode={F6E01656-337A-4930-9BD0-EEACF4B5EB07},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
    MSI (s) (C8:D8) [15:44:50:158]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (C8:D8) [15:44:50:158]: Executing op: DialogInfo(Type=1,Argument=Microsoft BitLocker Administration and Monitoring)
    MSI (s) (C8:D8) [15:44:50:174]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    MSI (s) (C8:D8) [15:44:50:174]: Executing op: SetBaseline(Baseline=0,)
    MSI (s) (C8:D8) [15:44:50:174]: Executing op: SetBaseline(Baseline=1,)
    MSI (s) (C8:D8) [15:44:50:174]: Executing op: ActionStart(Name=RegisterSPNRollback,,)
    Action 15:44:50: RegisterSPNRollback. 
    MSI (s) (C8:D8) [15:44:50:174]: Executing op: CustomActionSchedule(Action=RegisterSPNRollback,ActionType=3329,Source=BinaryData,Target=RegisterSPNDeferred,CustomActionData=Remove=True)
    MSI (s) (C8:D8) [15:44:50:189]: Executing op: ActionStart(Name=RegisterSPNDeferred,,)
    Action 15:44:50: RegisterSPNDeferred. 
    MSI (s) (C8:D8) [15:44:50:189]: Executing op: CustomActionSchedule(Action=RegisterSPNDeferred,ActionType=3073,Source=BinaryData,Target=RegisterSPNDeferred,CustomActionData=Remove=False)
    MSI (s) (C8:08) [15:44:50:377]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI3569.tmp, Entrypoint: RegisterSPNDeferred
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI3569.tmp-\
    SFXCA: Binding to CLR version v2.0.50727
    Calling custom action MBAMServerCAs!Microsoft.Windows.Mdop.BitlockerManagement.SetupCAs.SPNRegistrar.RegisterSPNDeferred
    CustomAction RegisterSPNDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 15:44:52: InstallExecuteAgain. Return value 3.
    Monday, November 21, 2011 10:19 PM

All replies

  • can you share the full setup log file?
    Manoj Sehgal
    Monday, November 21, 2011 10:21 PM
  • Monday, November 21, 2011 11:14 PM
  • Hello BoiseBear,

    have you a solution?


    Saturday, February 18, 2012 8:39 PM
  • No.  I believe it has something to do with registering a SPN, but it is unclear what needs to be registered.  We will install another instance next week and see if we can resolve the issue.
    Monday, February 20, 2012 1:57 PM
  • It appears that the SPN registry is due to a split namespace issue that we have internally.  We have a case open with Microsoft on resolving our split namespace issue, however, it would still be helpful if the MBAM install or troubleshooting guides gave guidance on which services and accounts need to have SPN registered.  That way, we could resolve our issues even when there is a split namespace in the environment.
    Tuesday, March 13, 2012 2:41 PM
  • can you check this:

    •Verify that the Domain Controller is available
    •Verify that the account used to install MBAM has “Write ServicePrincipalName” and “Write validated SPN” rights to the directory. You have this rights if you are a
    domain admin.

    Let me know if this works or not.

    Manoj Sehgal

    Wednesday, March 14, 2012 10:04 AM
  • We installed this by working around the split namespace issue and installing SQL local on the box for evaluation purposes.  We are looking to fix our split namespace long term so that the register SPN error will no longer be an issue for a more tiered architecture.

    Wednesday, March 14, 2012 1:10 PM