Issue Installing Skype for Business Server 2015 in a Hardened Environment without Internet Access

  • Article

During the install for Skype for Business Server 2015, SQL Express fails to install with the following error message:

Prerequisite installation failed: Prerequisite installation failed: SqlInstanceRtc For more information, check your SQL Server log files. Log files are in the folder C:\Program Files\Microsoft SQL Server\MSSQL*.Rtc\MSSQL\Log, where the * represents your SQL Server version number. For example, SQL Server 2012 uses this path: C:\Program Files\Microsoft SQL Server\MSSQL11.Rtc\MSSQL\Log.

Unfortunately, the log file didn't contain any helpful information on why the install failed.  Looking at the Application Event Log, however, the following errors are shown:

Log Name:      Application
Source:        MsiInstaller
Date:          11/24/2015 8:25:06 PM
Event ID:      11330
Task Category: None
Level:         Error
Keywords:      Classic
User:          TEST\Administrator
Computer:      TEST-W16-SE1.test.deitterick.com
Description:
Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Error 1330.A file that is required cannot be installed because the cabinet file C:\Program Files\Skype for Business Server 2015\Deployment\SQLEXPR_x64\redist\VisualStudioShell\VC10SP1\x64\vc_red.cab has an invalid digital signature.  This may indicate that the cabinet file is corrupt.  Error 270 was returned by WinVerifyTrust.

Log Name:      Application
Source:        MsiInstaller
Date:          11/24/2015 8:25:07 PM
Event ID:      1023
Task Category: None
Level:         Error
Keywords:      Classic
User:          TEST\Administrator
Computer:      TEST-W16-SE1.test.deitterick.com
Description:
Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 - Update 'KB2565063' could not be installed. Error code 1603. Additional information is available in the log file C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20151124_202244\VC10Redist_Cpu64_1.log.

The same errors are shown for the Microsoft Visual C++ 2010  x86 Redistributable as well:

In this environment, the servers don't have internet access, so the installer is unable to validate the certificate and the installation fails.  In addition, this particular customer uses OS images that have been hardened according to a set of STIGs (Security Technical Implementation Guide).  You can find some more information on STIG here.  One of the STIG settings has you make a change to the way Authenticode performs certificate validation:

Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. .Net application developers sign their application code with their public key and Authenticode technology performs certificate validation tasks prior to allowing the application to run.

Looking at HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing, you can see that "State" is set to 0x00010000:

To resolve this issue and continue with the install, you will need to change the value of 'State' back to 0x00023c00:

This will allow the install to complete successfully: