Archive for the ForeFront Endpoint Protection Category

ForeFront 2010 Beta (FEP) installation hurdles

Posted in ForeFront Endpoint Protection, Microsoft on 2010/10/07 by CRCerr0r

I recently needed to troubleshoot some installation issues on a ForeFront 2010 install. During the install a few errors came up and after some digging on the net, a Microsoft Support call, some SQL and network trace digging I finally got the thing to install.

Here is a highlight of the issues, some error message excerpts and what I did to resolve them, hopefully it helps someone…

1. Issue: The installer could not figure out/acknowledge that SQL was installed on the DB server (FEP and SQL were on two separate Windows Server 2008 boxes).

Resolution: It turns out turning OFF UAC on the SQL server helped this. For some reason SQL could not execute the queries the FEP installer was asking for (via a series of stored procedures that checked installation paths, disk space, service status, registry keys, etc.)

2. Issue: Installer could not access Reporting Services even though installing user was a local administrator on Reporting Services server

Actual error message: “Verification(Verifying SQL Reporting Services prerequisite) failed
failed to communicate with the SQL reporting web service

failed to delete folder with exception: System.Web.Services.Protocols.SoapException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found. —> Microsoft.ReportingServices.Diagnostics.Utilities.ItemNotFoundException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Forefront.EndpointProtection.Configure.Utility.ReportService.ReportingService2005.DeleteItem(String Item)
   at Microsoft.Forefront.EndpointProtection.Configure.VerifySrsServer.ReportDeploymentVerification()”

Resolution: Added the installing account as a Content Manager on Reporting Services’ site (MS article here)

3. Issue: Installer refused to continue due to duplicate SPNs.

Actual error message: “Verification(Verifying SQL Server prerequisite) failed
Error: Setup cannot determine the SQL Integration Service version.
Microsoft Forefront Endpoint Protection 2010 requires Microsoft SQL Server Integration Services 2005 Enterprise or Standard edition with Service Pack 2 or higher or Microsoft SQL Server Integration Services 2008 Enterprise or Standard edition or higher.
Make sure that the component is installed, running and autostarted on server ‘SQLSERVERNAME’.

Error: There are one or more duplicates of the following service principal names found in the Active Directory Domain Services: mssqlsvc/SQLSERVERNAME:1433.”

Resolution: Deleted an inactive SPN tied to mssqlsvc/SQLSERVERNAME:1433 (see related post here)

I ran

setspn -Q mssqlsvc/SQLcomputername:1433

(the string mssqlsvc/SQLcomputername:1433 is what comes up in the FEP install log as an error). BTW, the -Q parameter is available on Server 2008.

The above step listed the two duplicate names and all the info to find the accounts it is associated with:

CN=First User,OU=Service Accounts,DC=MyDomainName,DC=local
CN=Second User,OU=Service Accounts,DC=MyDomainName,DC=local

I logged on to the SQLcomputername and found that it was the First User that was being used by SQL as a service account. So that leaves the Second User to be the problematic one. Then I ran:

setspn -D MSSQLSvc/SQLcomputername:1433 SecondUserID.

Hope this helps someone… 🙂