This article concerns an issue with installing the Microsoft Forefront Identity Manager 2010 product when the backend Microsoft SQL Server is a remote SQL Server.
The installation of Post Update 1 build 4.0.3547.2 comes to a halt during the Configure SQL Database phase. It displays a pop-up window to the end user with the following message:
I reviewed the Windows Installer verbose log file and searched for “Return Value 3” (without the quotes), which turned up the following information. The error message displayed to the user is documented in the log file as well.
MSI (s) (04:40) [15:14:39:574]: Executing op: ActionStart(Name=ConfigDB,Description=Configuring SQL database,)
Action 15:14:39: ConfigDB. Configuring SQL database
MSI (s) (04:40) [15:14:39:574]: Executing op: CustomActionSchedule
MSI (s) (04:40) [15:14:39:590]: Creating MSIHANDLE (23) of type 790536 for thread 1600
MSI (s) (04:68) [15:14:39:590]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF264.tmp, Entrypoint: ConfigDB
MSI (s) (04!C0) [15:14:55:152]: Creating MSIHANDLE (24) of type 790531 for thread 4032
Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. These workstations have sessions with open files on this server:
Installing the FIM Synchronization Manager requires that the logged-in user account have sysadmin permissions on the SQL Server. We used Microsoft SQL Server Management Studio 2008 to review the user's information and confirmed that the logged-in user has sysadmin permissions. Review the “How to confirm the user is a sysAdmin” section near the bottom of this page.
Once we confirmed that the logged-in user has sysadmin permissions, we ran a SQL Profiler trace. In doing so, we found the information below.
2010-11-03 13:20:50.93 Logon Error: 18456, Severity: 14, State: 11.
2010-11-03 13:20:50.93 Logon Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 126.96.36.199]
At this point, we tested with a UDL file (How to create a UDL file). The UDL file connection worked successfully and connected to the SQL Server. We then utilized a CSS support tool to help quickly identify that we were missing an SPN for the SQL Server Service.
The CSS support tool is a great tool. However, if you want to use that tool to assist you in troubleshooting, you will need to open a support ticket. In this particular case, we went to verify the tool and noticed a typo in the SPN. Once the typo was corrected, we were able to execute the installation with success. Review "How to search for SPNs", documented below, for the step-by-step procedure.
NOTE: It is important to remember that when installing on Microsoft Windows Server 2008, you should right-click the executable and select "Run As Administrator".
How to confirm the user is a sysAdmin
Open Microsoft SQL Server Management Studio and log in to your SQL Server.
Expand Security and then Logins.
Select and right-click the account that you are currently logged in with on the FIM Synchronization Manager 2010 computer.
Select Properties and then Server Roles.
Make sure sysadmin is checked.
How to create a UDL file
On the Connection tab, select or type the name of the server.
Select Use Windows NT Integrated security.
Click Test Connection.
How to search for SPNs
Open a command prompt and type: setspn -l <Domain Name>/<Service Name>
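The root cause above was a typo in the registered SPN, which is easy to miss when reading the setspn listing by eye. The following added example (not part of the original article or any Microsoft tool) parses a saved setspn listing and flags expected SQL Server SPNs that are missing or only nearly match a registered one. The account, domain and host names, the port 1433 and the helper names are assumptions made for illustration.

```python
import difflib

# Constructed sample in the layout printed by `setspn -l`; the account,
# domain and host names are placeholders, not values from the article.
SAMPLE_SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=example,DC=com:\n"
    "\tMSSQLSvc/sqlo1.example.com:1433\n"
    "\tMSSQLSvc/sql01.example.com\n"
)

# Assumption: a default instance on TCP 1433 of host sql01.example.com.
EXPECTED_SPNS = ["MSSQLSvc/sql01.example.com:1433", "MSSQLSvc/sql01.example.com"]


def parse_setspn_listing(text):
    """Return the SPN entries, skipping the header line and blank lines."""
    spns = []
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.lower().startswith("registered serviceprincipalnames"):
            spns.append(entry)
    return spns


def check_spns(registered, expected, cutoff=0.85):
    """Map each expected SPN to (status, registered value).

    Status is "ok", "near-match" (probable typo) or "missing". SPNs are
    compared case-insensitively; near matches use difflib similarity.
    """
    by_lower = {spn.lower(): spn for spn in registered}
    report = {}
    for want in expected:
        key = want.lower()
        if key in by_lower:
            report[want] = ("ok", by_lower[key])
            continue
        near = difflib.get_close_matches(key, list(by_lower), n=1, cutoff=cutoff)
        report[want] = ("near-match", by_lower[near[0]]) if near else ("missing", None)
    return report


if __name__ == "__main__":
    registered = parse_setspn_listing(SAMPLE_SETSPN_OUTPUT)
    for spn, (status, found) in check_spns(registered, EXPECTED_SPNS).items():
        print(f"{status:10} expected={spn} registered={found}")
```

A "near-match" result is a hint to compare the two strings character by character; it does not prove the registered entry is wrong.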
Find other examples documented here: