PRODUCTS INVOLVED
- Microsoft Identity Manager 2016 Service Pack 1
- Exchange Online
PROBLEM SCENARIO DESCRIPTION
When installing MIM 2016 SP1, you may get the following error message when configuring a federated account. This can be caused by local security policies that are configured during server setup.
If you do see this message, confirm that the MIMService account is not denied access to the computer from the network.
NOTE: How to get a Windows Installer log of the Service and Portal installation?
WINDOWS INSTALLER LOG EXCEPTION
NOTE: How to locate the Windows Installer Exception?
Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.delayExchangeOnlineAccountPassword
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Exception: Failed logon user while attempting to impersonate user: MIMService
   at Microsoft.IdentityManagement.ServerCustomActions.Impersonator.Impersonate(String domain, String userName, String password)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.Encrypt(String accountDomain, String accountName, String accountPassword, String unencryptedString)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction EncryptExchangeOnlineAccountPassword returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:41:19: EncryptExchangeOnlineAccountPassword. Return value 3.
Action ended 21:41:19: INSTALL. Return value 3.
RESOLUTION STEPS
- From a command prompt or the Run window, type secpol.msc to open the Local Security Policy
  - If the setting comes from the domain, it is configured in a GPO instead
- Navigate to Local Policies > User Rights Assignment > Deny access to this computer from the network
- If the service account for the MIM Service is listed there, remove it
- From an administrative command prompt, type gpupdate /force
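
The check in the steps above can also be made from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it exports the User Rights Assignment area with secedit and lists every account holding SeDenyNetworkLogonRight (the internal name of "Deny access to this computer from the network"). The account name CONTOSO\MIMService is a placeholder assumption.

```powershell
# Added example: report which accounts hold "Deny access to this computer
# from the network" (SeDenyNetworkLogonRight) and flag the MIM Service account.
# Run from an elevated PowerShell prompt on the MIM Service server.
param(
    # Assumption: replace with your MIM Service account (DOMAIN\name).
    [string]$ServiceAccount = 'CONTOSO\MIMService'
)

$cfg = Join-Path $env:TEMP 'user-rights.inf'
# Export only the User Rights Assignment area of the effective local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if (-not $line) {
    Write-Output 'SeDenyNetworkLogonRight is not assigned to any account.'
    return
}

# Entries are comma separated; SIDs carry a leading "*", names do not.
$entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$denied = foreach ($entry in $entries) {
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (deleted or unreachable domain)
    } else { $entry }
}

$denied | ForEach-Object { Write-Output "Denied network logon: $_" }

# Names exported without a domain prefix are compared on the account name only.
$short = ($ServiceAccount -split '\\')[-1]
$hit = $denied | Where-Object { $_ -ieq $ServiceAccount -or $_ -ieq $short }
if ($hit) {
    Write-Warning "$ServiceAccount is denied network logon; remove it from the policy, then run gpupdate /force."
} else {
    Write-Output "$ServiceAccount is not listed directly. Check whether it belongs to any group listed above."
}
```

The export reflects the effective policy on the server, so an entry pushed by a domain GPO appears here too and has to be removed in that GPO rather than in secpol.msc.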
ADDITIONAL INFORMATION / RESOURCES
Product Documentation: https://docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-ws2016
[BLOG]: Support-Tip: (INSTALLATION): Installation Companion – Accounts Reference: https://blogs.technet.microsoft.com/iamsupport/2018/05/09/support-tip-installation-installation-companion-accounts-reference/