CheckPrivilege error code 2896

[Djutza]

Hello, 

I am getting similar error to CommonUi crashes after user account selectionand I hope I can copy it here.

In my wix project I included UI fragment that contains TestCredentialsDlg Dialog, together with ActiveDirectory.dll and UserPrivileges.dll. Version of files is 1.4.1114.0. On test machine everything works ok. But, when I run install on Windows2008 server, even if user that runs installation is administrator, I am getting the following error. Part of log is presented.

MSI (c) (C8:EC) [10:39:15:265]: Doing action: CheckCredentials

Aktion 10:39:15: CheckCredentials. 

Aktion gestartet um 10:39:15: CheckCredentials.

MSI (c) (C8:DC) [10:39:15:281]: Invoking remote custom action. DLL: C:\Users\ABCDEF~1.DOM\AppData\Local\Temp\3\MSI2023.tmp, Entrypoint: CheckCredentials

MSI (c) (C8!C0) [10:39:15:406]: PROPERTY CHANGE: Modifying LOGON_VALID property. Its current value is '0'. Its new value: '1'.

Aktion beendet um 10:39:15: CheckCredentials. Rückgabewert 1.

MSI (c) (C8:EC) [10:39:15:406]: PROPERTY CHANGE: Adding LOGON_PRIVILEGE property. Its value is 'SeServiceLogonRight'.

MSI (c) (C8:EC) [10:39:15:406]: Doing action: CheckPrivilege

Aktion 10:39:15: CheckPrivilege. 

Aktion gestartet um 10:39:15: CheckPrivilege.

MSI (c) (C8:4C) [10:39:15:421]: Invoking remote custom action. DLL: C:\Users\ABCDEF~1.DOM\AppData\Local\Temp\3\MSI20B1.tmp, Entrypoint: CheckPrivilege

MSI (c) (C8!F0) [10:39:16:218]: PROPERTY CHANGE: Adding CA_ERROR property. Its value is '0x80070005 - Error opening policy on DEV03: Zugriff verweigert'.

Aktion beendet um 10:39:16: CheckPrivilege. Rückgabewert 3.

DEBUG: Error 2896:  Executing action CheckPrivilege failed.

Bei der Installation dieses Pakets ist ein unerwarteter Fehler aufgetreten. Es liegt eventuell ein das Paket betreffendes Problem vor. Der Fehlercode ist 2896. Argumente: CheckPrivilege, , Translated: When installing this package, an unexpected error has occurred. This may indicate a problem with this package. The error code is 2896th Arguments: Check Privilege

Aktion beendet um 10:39:16: WelcomeDlg. Rückgabewert 3.

MSI (c) (C8:70) [10:39:16:234]: Doing action: FatalError

Aktion 10:39:16: FatalError. 

Aktion gestartet um 10:39:16: FatalError.

Aktion 10:39:16: FatalError. Dialog created

Aktion beendet um 10:39:17: FatalError. Rückgabewert 2.

Aktion beendet um 10:39:17: INSTALL. Rückgabewert 3.

[Daniel Doubrovkine]

It looks like the error is access denied opening policy. It's the result of https://github.com/dblock/msiext/blob/29302ce78fafe783a8f9c0049a3cbcf97d2686e3/src/Common/Lsa/LSAPolicy.cpp#L42. This shouldn't be a fatal error though, it should be ignored or handled. Are you using all out-of-the-box msiext? If so, if the user privileges cannot be verified the installer shouldn't terminate and you should open an issue with this at the very least.

Hunting down the access denied may be a bit harder. This probably has something to do with your AD permissions setup.

--
You received this message because you are subscribed to the Google Groups "msiext" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msiext+un...@googlegroups.com.
To post to this group, send email to msi...@googlegroups.com.
Visit this group at http://groups.google.com/group/msiext.
For more options, visit https://groups.google.com/d/optout.

--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

[Djutza]

Hi,

Thank you very much for an answer. You were right, user is in administrator role, but he does not have all system privileges and therefore it failed on this action.

I am only referencing those 2 dlls and modified TestCredentialsDlg as a part of custom WixUI_Advanced.

Greetings

Djutza

[Daniel Doubrovkine]

So is there a bug in the library?

[Djutza]

I can not say for sure it is a bug, because it is working on production system. We had issue in test environment where user rights are probably not set well.

Thanks

[Chris Murphy]

I get this error too. works on some machines. It's not my implementation either as the demo fails the same way.

[Daniel Doubrovkine]

Would you please be so kind to open an issue with a full log?

It looks like the error is access denied opening policy. It's the result of https://github.com/dblock/msiext/blob/29302ce78fafe783a8f9c0049a3cbcf97d2686e3/src/Common/Lsa/LSAPolicy.cpp#L42. This shouldn't be a fatal error though, it should be ignored or handled.

Would appreciate a PR that does that.

On Thu, Dec 11, 2014 at 9:55 PM, Chris Murphy <cjmu...@gmail.com> wrote:

I get this error too. works on some machines. It's not my implementation either as the demo fails the same way.

--

You received this message because you are subscribed to the Google Groups "msiext" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msiext+un...@googlegroups.com.
To post to this group, send email to msi...@googlegroups.com.
Visit this group at http://groups.google.com/group/msiext.
For more options, visit https://groups.google.com/d/optout.

[Chris Murphy]

I've created an issue and posted a log. The error seems to be caused by the check needing UAC elevation. I've tested on two machines so far, with UAC disabled it works fine, with UAC enabled it fails every time.

[Chris Murphy]

Just to let you know, I have worked around this by removing the call to check for this permission then using the wix util extension user element, I assign the permission during installation. I imagine this could cause some issues if there is a group policy conflict, but for me it's a non issue.

Thanks for the great extension!

[Daniel Doubrovkine]

Care to post the actual code for the next person running into this? Thanks.

On Wed, Dec 31, 2014 at 3:09 AM, Chris Murphy <cjmu...@gmail.com> wrote:

Just to let you know, I have worked around this by removing the call to check for this permission then using the wix util extension user element, I assign the permission during installation. I imagine this could cause some issues if there is a group policy conflict, but for me it's a non issue.

Thanks for the great extension!

--

You received this message because you are subscribed to the Google Groups "msiext" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msiext+un...@googlegroups.com.
To post to this group, send email to msi...@googlegroups.com.
Visit this group at http://groups.google.com/group/msiext.
For more options, visit https://groups.google.com/d/optout.

[Chris Murphy]

Sure.

First I modified the Dialogue from your demo called TestCredentialsUI.wxi so when the test button is executed it doesn't check for the permission and I set the property LOGON_PRIVILEGE to 1. So for the push button control named test in that dialog, I've changed it to the below:

<Control Id="Test" Type="PushButton" X="40" Y="200" Width="100" Height="17" Text="&amp;Test Credentials">
          <Condition Action="disable"><![CDATA[SERV_LOGON_TYPE <> "ServiceAccount"]]></Condition>
          <Condition Action="enable"><![CDATA[SERV_LOGON_TYPE = "ServiceAccount"]]></Condition>
          <!-- check whether the credentials are valid -->
          <Publish Property="LOGON_USERNAME" Value="[SERVICE_USERNAME]" Order="1">1</Publish>
          <Publish Property="LOGON_PASSWORD" Value="[SERVICE_PASSWORD]" Order="1">1</Publish>
          <Publish Event="DoAction" Value="CheckCredentials" Order="2">1</Publish>
          <Publish Property="LOGON_VALID" Value="[LOGON_VALID]" Order="3">1</Publish>
          <Publish Property="LOGON_ERROR" Value="Invalid Logon" Order="3"><![CDATA[LOGON_ERROR = "" AND LOGON_VALID = "0"]]></Publish>
          <!-- check whether this user has logon as a service privilege, only once account is valid -->
          <Publish Property="LOGON_PRIVILEGE" Value="SeServiceLogonRight" Order="5"><![CDATA[LOGON_VALID = "1"]]></Publish>
          <!--<Publish Event="DoAction" Value="CheckPrivilege" Order="6"><![CDATA[LOGON_VALID = "1"]]></Publish>-->
          <!--<Publish Property="LOGON_ERROR" Value="This account does not have logon as a service right. [CA_ERROR]" Order="7"><![CDATA[LOGON_VALID = "1" AND LOGON_HAS_PRIVILEGE = "0"]]></Publish>-->
          <Publish Property="LOGON_HAS_PRIVILEGE" Value="1" Order="7">1</Publish>
           <!--spawn the error dialog, LOGON_ERROR will be set accordingly-->
          <Publish Event="SpawnDialog" Value="InvalidLogonDlg" Order="8"><![CDATA[LOGON_VALID = "0" OR LOGON_HAS_PRIVILEGE = "0"]]></Publish>
        </Control>

Next in the actual service install component I use the wix extensions util User element to set the logon as a service privilege. The whole component is shown below:

<Component Id="MyServiceComponent" Guid="*">
            <File Id="MyServiceExe" Source="$(var.MyService.TargetPath)" />
            <ServiceInstall Id="ServiceInstaller"
                            Type="ownProcess"
                            Vital="yes"
                            Name="MyService"
                            DisplayName="My Service"
                            Description="My Sample Service"
                            Start="auto"
                            Account="[SERVICE_USERNAME]"
                            Password="[SERVICE_PASSWORD]"
                            ErrorControl="normal" >
            <ServiceDependency Id="LanmanServer"/>
            </ServiceInstall>
            <ServiceControl Id="StartService"
                            Start="install"
                            Stop="install"
                            Remove="uninstall"
                            Name="MyService"
                            Wait="no" />
            <util:ServiceConfig ServiceName="MyService"
                                FirstFailureActionType="restart"
                                SecondFailureActionType="restart"
                                ThirdFailureActionType="restart"
                                ResetPeriodInDays="1"
                                RestartServiceDelayInSeconds="20"/>
            <util:User Id="user" CreateUser="no" Name="[SERVICE_USERNAME]" Password="[SERVICE_PASSWORD]" LogonAsService="yes" UpdateIfExists="yes" FailIfExists="no" RemoveOnUninstall="no"/>
          </Component>

You need to add a reference to the wix util extension and add the namespace to the xml (xmlns:util="http://schemas.microsoft.com/wix/UtilExtension").

Hope it helps.

[Daniel Doubrovkine]

Thanks Chris!

--

You received this message because you are subscribed to the Google Groups "msiext" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msiext+un...@googlegroups.com.
To post to this group, send email to msi...@googlegroups.com.
Visit this group at http://groups.google.com/group/msiext.
For more options, visit https://groups.google.com/d/optout.