Endpoint Protection

 View Only

  • 1.  SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted Apr 29, 2010 05:37 PM
    I'm about at my wits end here, hoping someone can help. I've spend about 3 hours on the phone over the last week with Symantec support, and while they have been infinitely patient, no resolution yet.

    I have (somewhat regretably now) recommended and sold a competitive upgrade to a client to replace Trend Micro. I'm installing SEPM on the server and it continually rolls back as soon as it hits "Configuring IIS". The SEPM_INST.LOG the following "return value 3" message:

    SESM CA: Command Line: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\IISCONFIG.VBS" -install "0" "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\" "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\" "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\php-cgi.exe" "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\cacls.exe" "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\Php.ini" "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection Manager\Php\temp\" "8014" "0"
    SESM CA: Error: ShellExecuteEx failed.
    SESM CA: RunCommandFromBin End
    SESM CA: Failure in IIsConfig.vbs script - See the Windows Event Viewer application log for the failure event.
    Action ended 13:47:26: InstallFinalize. Return value 3.
    Action 13:47:26: Rollback. Rolling back action:
    Rollback: Configuring IIS
    Rollback: InstallIISConfigRollback
    SESM CA: InstallIISConfigRollback Begin
    SESM CA: UninstallIISConfig Begin
    SESM CA: RunCommandFromBin Begin
    SESM CA: Program: C:\WINDOWS\system32\CSCRIPT.EXE
    SESM CA: Command Line: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\IISCONFIG.VBS" -uninstall
    SESM CA: Error: ShellExecuteEx failed.
    SESM CA: RunCommandFromBin End
    SESM CA: UninstallIISConfig End
    SESM CA: InstallIISConfigRollback End

    There is nothing relevant in the application log.

    Here are the details:
    • SEPM v11.0.6000.550 on Windows Server 2003 SP2
    • Trend Micro (client/server security agent and the management server) has been uninstalled completely
    • Install is running on a console session under the Administrator account
    • Server is a DC and also has BackupExec installed with LiveUpdate (I have uninstalled LU and reinstalled from the SEP package successfully as we were also getting errors in the log concerning LU, but they are now gone)
    • Server is also a Terminal Server, but I have ensured the connection was disabled and all users logged off while I attempted the installation.
    • IIS is a fresh install, nothing but the default website (which I tried deleting also, but it didn't help). I have tried enabling every option in the Applications section of Windows Add/Remove Components screen and verified that the default website is running.
    • I have followed all of the steps listed on the Symantec Endpoint Protection Manager installation rolls back at Configuring IIS page with no issues.
    • I can run the following command successfully and create a "Reporter" extension in IIS: cscript "C:\WINDOWS\system32\IISEXT.VBS" /AddFile "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Php\php-cgi.exe" 1 Reporter 1 Reporter
    • I have run netstat and verified there are NO websites, save for the default site, running on port 80 or 8014 (Symantec Default)
    • I have tried installing SEPM under the default website and under a custom website on 8014
    • I have rebooted the server several times.
    • I have installed the Windows Scripting Host (reinstalled as it were ... there are already functioning WSH-aware programs running)
    • I have verified the default impersonation level is set to "Identify" in Component Services
    • The server runs a medical billing application that uses SQL and is dished out via TS to remote users. I realize it would be ideal to have more than one server for these functions, but that is not an option.
    • I ran the SEP_SupportTool program and it reported no problems.
    That's where I'm at right now and I am about at my wits end with SEP and this server. Please help! Let me know if I should attach any additional information.

    Thanks in advance,
    Paul


  • 2.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted Apr 29, 2010 06:17 PM

    Hi Paul,

    Symantec Endpoint Protection Manager installation rolls back at Configuring IIS.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5d3133276a073792882573720059ade8?OpenDocument

    I think you will find the above article helpful. I am going to keep looking into your case, but it would be helpful if you could post your case number. This allows me to see any transactions that have happened between you and other means of support.

    Thanks
    Grant



  • 3.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted Apr 29, 2010 07:06 PM

    I had this same issue when setting up a SEPM. I just rebuilt it, not what you want to hear I'm sure.

    I would try the article Grant posted first.


  • 4.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted Apr 29, 2010 08:33 PM
    Yeah Brian, I'm getting nervous thinking that's going to be the next recommendation from Symantec :) 

    Grant, the case # is 412-061-332, thank you for looking into it for me. I have already been through all four solutions in that article, no change. I am able to successfully call iisext.vbs and use it outside of the installation, so it and WMI appear to be working correctly.




  • 5.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted Apr 29, 2010 08:43 PM

    A little bit more info on what happened with me:

    We were in the process of setting up AV for our extranet. I was given a server to put SEPM on and deploy SEP to the clients, which I did and all was working fine. Because it also acted as a combo box, another one of our admins went to install Citrix on it, essentially reconfiguring IIS to work with Citrix. Of course, he didn't know I had already set everything up. This broke the SEPM and I tried numerous thigs to get it working but no dice. The error you describe above was the reason the SEPM re-install would stop.


  • 6.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script

    Posted May 03, 2010 10:35 AM
    Any great ideas pop up over the weekend? I just left a VM for my assigned tech at Symantec Support to call me back, but I'm not hopeful.


  • 7.  RE: SEPM Installation Fails: Failure in IIsConfig.vbs script
    Best Answer

    Posted May 04, 2010 05:50 PM
    After a lot of back and forth with support, I figured out the issue on my own.

    I ran Process Monitor while the install was running and failing and noticed the following line:

    MsiExec.exe IRP_MJ_CREATE C:\WINDOWS\system32\cscript.exe ACCESS DENIED Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a NT AUTHORITY\SYSTEM

    IRP_MJ_CREATE is the function used to open a file system object (or create a new one), so I looked at cscript.exe and sure enough, the SYSTEM account was set to deny all on the security permissions. I don't see this on any of my other 2003 servers, so I'm assuming it was a result of some hardening at one point in time before I inherited this client. As it turns out, the problem had nothing to do with IIS technically.

    Anyways, problem solved, thought I would share.