Troubleshooting Installation

If the Vault installation fails, review the logs to determine the error.

Verifying and installing prerequisites

If you get this message, it may have been caused by one of the following scenarios:

Scenario 1

If you are using a server that is running Microsoft Windows Server 2012R2 and KB2919355 was not installed on the machine.

Fix: Install the missing update, then continue with the upgrade. For more information about patching the Vault, see Manually Install Microsoft Windows Security Updates.

Scenario 2

One or more installation services are not running on the Vault server. Run the OpeningServices.ps1 script from the WSUS directory of the installation package, reboot the Vault server and try again.

Scenario 3

Your machine may be running an unsupported version of Microsoft Visual C++ Redistributable 2015-2019.

To resolve the issue:

  1. Run the OpeningServices.ps1 script from the WSUS directory of the installation package.
  2. Reboot the Vault server for it to take effect.
  3. Stop all the CyberArk services on the server.
  4. Uninstall the current version of Microsoft Visual C++ Redistributable 2015-2019.
  5. Install the supported version from the ISSetupPrerequisites folder in the Vault installation package.
  6. Restart the Vault server before continuing with the upgrade.

If you get this message, it may have been caused by one of the following scenarios:

Scenario 1

If you are using a server that is running Microsoft Windows Server 2012R2 and KB2919355 was not installed on the machine.

Fix: Install the missing update, then continue with the upgrade. For more information about patching the Vault, see Integrate the Digital Vault with a Windows Patch server (WSUS).

Scenario 2

One or more installation services are not running on the Vault server. Run the OpeningServices.ps1 script from the WSUS directory of the installation package, reboot the Vault server and try again.

Hardening errors

Logic Container Weak user errors

During the hardening procedure, Logic Container is installed to run as a weak user.

After the installation was successfully finished, look for following line in the Server\Logs\VaultConfiguration.log file:

  
[INFO]: Logic Container - Installing service as a weak user...

There may be warning messages after this line.

Warning - Machine is not hardened and installation is manual, installing service as a strong user...

  
[WARNING]: Logic Container - Machine is not hardened and installation is manual, installing service as a strong user...

This warning indicates that either hardening failed during the installation or you selected Do not harden the machine. For more information about how to resolve this issue, see Create a new Local User for the Logic Container Service.

Warning - Weak User creation failed, installing service as a strong user...

  
[WARNING]: Logic Container - Weak User creation failed, installing service as a strong user...

This warning indicates that weak user creation failed during the hardening phase of the installation.

To resolve this issue:

  1. Review the logs in the VaultConfigurations.log file and fix the configuration based on your analysis.

  2. Run the manual procedure described in Create a weak user manually.

  3. If you cannot resolve the problem, collect the log files as described in Collect Log Files, and also collect the %TEMP%\netsh_http_show.txt file, if it exists, and provide all the data to CyberArk for further investigation.

General hardening errors

When the hardening process fails, an error message appears that contains the location of the log file. The log file contains information that can help you resolve the error.

To troubleshoot a general hardening error:

  1. In the hardening failure message text, locate the following information:

    • The location of the log file, usually located in the Temp folder.

      The log file name contains the date and time with a Windows2016Security.log suffix.

    • The error, located in the Hardening Extra Services By Batch section.

  2. In the log file, search for ---- Running Services Batch ---- and review the list of commands in this section to confirm that they have completed successfully.

    1. Review all service configuration commands with the following format: sc config <SERVICE NAME> start= disabled.

      If the completion status of any of these commands is other than SUCCESS, the hardening process has failed.

    2. Review all registry commands with the following format: reg add HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE NAME> /v Start /t REG_DWORD /d 4 /f

      Search for the <SERVICE NAME> that was modified in the registry (regedit) and verify that the Start value is 4.

      If the service's Start value in the registry is other than 4, the hardening process has failed.

  3. Do one of the following:

    1. If the hardening completed successfully, click Skip to continue with the installation.

    2. If the hardening failed, contact your CyberArk support representative.

Create a new Local User for the Logic Container Service

When hardening is performed during the installation, Logic Container is installed to run as a weak user. If there is a problem during the creation of the weak user, you can create a weak user automatically or manually.

CyberArk has created a script that covers all the manual steps described below for all versions.

This script works with the following OS:

  • Windows Server 2012 R2
  • Windows Server 2016

The LogicContainerUserConfiguration.ps1 script can be downloaded from the CD image.

To run the script, copy it to the Vault server and run it either by double-clicking the script or by opening PowerShell and running the script.

The script creates a log file next to it detailing all the steps done.

To get additional information, you can run the script using the '-Verbose' switch.

  1. Open Local Users and Groups.
  2. Create a new user named LogicContainerUser.
  3. Set the password and select password never expires.
  4. Do not add the user to any other group.
  5. Remove this user from the local Users group.
  6. Navigate to C:\Program Files (x86)\PrivateArk\Server, right-click on the LogicContainer folder and select properties.
  7. Go to the security tab and click Edit to change permissions.
  8. Click Add, select the LogicContainerUser user, and allow full control on the folder.

  9. Repeat steps 5-7 for the Archive folder in C:\Program Files (x86)\PrivateArk\Server\Logs.

    For versions earlier than 10.5, the default Archive folder path is C:\Program Files (x86)\PrivateArk\Server.

  10. Click OK to close the dialog.
  11. Open the command prompt as an Admin and run netsh http add urlacl url=http://+:53552/BLService.svc user=LogicContainerUser.
  12. Verify that the URL reservation successfully added message is received.
  13. Run services.msc and locate the CyberArk Logic Container service to run from the newly created LogicContainerUser.
  14. Right click properties on the service and go to the Log On tab.
  15. Select This Account, select the LogicContainerUser user, and enter the user password.
  16. Click OK to close the dialog.
  17. Click OK to close the permission to logon as a service granted dialog.
  18. Restart the CyberArk Logic Container service.
  19. Disable Remote Desktop Access (RDP) for LogicContainerUser.
    1. Press Win+R.
    2. Enter secpol.msc and click OK:.
    3. Navigate to Security Settings\Local Policies\User Rights Assignment.
    4. Double-click Deny log on through Remote Desktop Services:.
    5. Click Add User or Group:.
    6. Click Advanced:.
    7. Click Find Now:.
    8. Select the LogicContainerUser user and click OK.
    9. Click OK to approve the selection.
    10. Click OK again to save the settings.