question

josephlarrew avatar image
0 Votes"
josephlarrew asked ·

MSP file won't install when trying to install remotely

So I'm trying to run the below commands:

 $creds = Get-Credential
 $session = New-PSSession -ComputerName <computerName> -Credential $creds
 Invoke-Command -Session $session -ScriptBlock { Start-Process C:\Windows\System32\msiexec.exe -ArgumentList "/update c:\temp\Exchange2013-KB5000871-x64-en.msp /qn /log c:\temp\logfile.txt" }

And inside the logfile, I see a couple of different errors. Error 1:

    Action start 15:52:25: CA_PATCH_OWA_PERMISSION.
 1: ExPatchCa: GetProperty: Get property: RunCommandCmdLine (RunCommandCmdLine): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn
 $exitcode=0
 $exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null
 if($exerr.count -gt 0)
 {
 if (($exerr[0].Exception -eq $null)-or($exerr[0].Exception.InnerException -eq $null)-or($exerr[0].Exception.InnerException.ErrorCode -eq 0))
 {
 $exitcode=5
 }
 else
 {
 $exitcode=$exerr[0].Exception.InnerException.ErrorCode
 }
 }
 remove-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn
 Exit ($exitcode)". (ec: 0x0) 
 1: ExPatchCa: GetProperty: Get property: RunCommandTimeout (RunCommandTimeout): 300000. (ec: 0x0) 
 1: ExPatchCa: RunCommand: ExecCommand: exit code: 0x5. timeout: 300000 ms(user set). (ec: 0x0) 
 1: ExPatchCa: SetProperty: Set property: RunCommandResult: 5. (ec: 0x0) 
 Action ended 14:43:14: CA_PATCH_OWA_PERMISSION. Return value 1.
 Action start 14:43:14: CA_PATCH_OWA_PERMISSION_ERROR.
 MSI (s) (48:30) [14:43:14:360]: Product: Microsoft Exchange Server -- The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task.
    
 The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task.
 Action ended 14:43:14: CA_PATCH_OWA_PERMISSION_ERROR. Return value 3.
 Action ended 14:43:14: INSTALL. Return value 3.

Error 2:

 Property(S): msgInterimIncorrectRollup = Installation cannot continue. The Setup Wizard has determined that this Interim Update is incompatible with the current Microsoft Exchange Server 2013 Cumulative Update 23 configuration.
 Property(S): KB5000871 = KB5000871
 Property(S): INTERIM_UPDATE_INSTALLED = 4581424
 Property(S): _F86B72D172CA4EF3A28E7E64AFB89076 = C:\Windows\Installer\45e3d8.msp
 MSI (s) (90:0C) [15:52:43:927]: Product: Microsoft Exchange Server - Update 'Security Update for Exchange Server 2013 Cumulative Update 23 (KB5000871) 15.0.1497.12' could not be installed. Error code 1603. Additional information is available in the log file c:\temp\logfile.txt.

To dispel that I might not be running as a correct user, the logfile.txt does show

 Property(S): LogonUser = <user account I ran the Invoke-Command with>

The Interim update showing as supposedly installed (4581424) is not actually installed. I tried installing that update also and it didn't work. I'm trying to install the patch that will indeed work if I run it locally. So the action "CA_PATCH_OWA_PERMISSION" fails because the user account supposedly doesn't have permissions and something about an InterimUpdate being installed that isn't...

As another note, anyone know how to bypass CRL checking from the command line?74347-logfile.txt


office-exchange-server-administrationwindows-server-2012windows-server-update-servicesoffice-exchange-server-itpro
logfile.txt (24.6 KiB)
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

josephlarrew avatar image
0 Votes"
josephlarrew answered ·

So for the final way that I got it working was to enable CredSSP JUST FOR THE DURATION OF THE UPDATE so that credentials can be refreshed. The GPO settings for this are in three places:

Computer Config > Policies > Admin Templates > Windows Components > WIndows Remote Management > WinRM Client > Allow CredSSP (Enabled)

Computer Config > Policies > Admin Templates > Windows Components > WIndows Remote Management > WinRM Service > Allow CredSSP (Enabled)

Computer Config > Policies > Admin Templates > System > Credentials Delegation > Allow delegating fresh credentials - Needs to be enabled and configured with WSMAN/*.<fqdn>

The thing I did not test was setting certificates for the winRM service. You can check the config by typing winrm get winrm/config/service. Change "get" to "set" to make changes in there.

· 1 ·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LucasLiu-MSFT avatar image LucasLiu-MSFT ·

Hi @josephlarrew ,
I am happy to hear that this issue has been resolved.
Thank you very much for sharing, this answer will help more people who have the same issue.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·
LucasLiu-MSFT avatar image
0 Votes"
LucasLiu-MSFT answered ·

Hi @josephlarrew ,
1.According to my research the error information, It does mention that the account you are using has insufficient permissions. Please make sure that the account you use to have the Exchange Server Administrator permissions. You could also create a new account and assign the permission to it. Then try to install with a new account.

2.According to the log you provided, I found the following three lines of error messages. The understanding of this error and the third point in the "Troubleshooting tips" about this security update FAQ. You need to uninstall the previously installed IU or SU before installing this security update again.
For more information you could refer to: FAQ for March 2021 Exchange Server Security Updates

1) Unable to install because a previous Interim Update for Microsoft Exchange Server 2013 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
2) Installation cannot continue. The Setup Wizard has determined that this Interim Update is incompatible with the current Microsoft Exchange Server 2013 Cumulative Update 23 configuration.
3) The version of this file is not compatible with the version of Microsoft Exchange Server 2013 Cumulative Update 23 that you're running. Check your computer to see whether you need an x64 (64-bit) or x86 (32-bit) version of this file.

3.Certificate Revocation List (CRL) a list of digital certificates that can check if the current program you are running should to be trusted or not. Microsoft not recommend to disable CRL checking, that would make your device fall into a risk Environment.
In addition, every software has it’s CRL checking ways. Windows has no central switch that would turn off CRL checking for all.
About how to disable the CRL: Certificate Revocation List (CRL) Verification - an Application Choice

In additoin, I noted that there are some error code releated with 1603 in log file. Please try the methods provided in this official troubleshooting article: Error 1603 when you try to install a Windows Installer package: A fatal error occurred during installation


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




· 3 ·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

josephlarrew avatar image josephlarrew ·

Hey Lucas, thanks for responding. My comment on your answer was going to be too long, so I put it as a separate answer, lol.

0 Votes 0 ·
josephlarrew avatar image josephlarrew ·

So now I'm trying to see if it's some kind of kerberos double hop issued and I've monkeyed around with a couple of different methods here: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1 but I haven't had any luck still. Mainly, I tried the General delegation method and setting the "PrincipalsAllowedToDelegateToAccount" property as well.

0 Votes 0 ·
josephlarrew avatar image josephlarrew ·

Maybe for some reason it doesn't think I'm an administrator? I literally just have to open command prompt as administrator on the remote server and run msiexec /p <path to update> /qn /logfile c:\temp\logfile.log and I'm watching the log fly through the update. Quite annoying! Oh, and I tried to run it remotely first and got the exact same log in the OP, user doesn't have permission and an IU is stopping the install. I run it locally, flying right through...

0 Votes 0 ·