Troubleshooting Installation

If the Vault installation fails, review the logs to determine the error.

Verifying and installing prerequisites

If you get this message, it may have been caused by one of the following scenarios:

Scenario 1

One or more installation services are not running on the Vault server. Run the OpeningServices.ps1 script from the WSUS directory of the installation package, reboot the Vault server and try again.

Scenario 2

Your machine may be running an unsupported version of Microsoft Visual C++ Redistributable for Visual Studio 2015-2022.

To resolve the issue:

  1. Run the OpeningServices.ps1 script from the WSUS directory of the installation package.
  2. Reboot the Vault server for it to take effect.
  3. Stop all CyberArk services on the server.
  4. Uninstall the current version of Microsoft Visual C++ Redistributable for Visual Studio.
  5. Install the latest version of Microsoft Visual C++ Redistributable for Visual Studio 2015-2022 32-bit and 64- versions.
  6. Restart the Vault server before continuing with the upgrade.

Re-harden the Vault by running the ClosingServices.ps1 script file in the WSUS folder of the installation package. If you do not re-harden the Vault, the security of your Vault is decreased.

Hardening errors

When hardening is performed during the installation, Logic Container is installed to run as a weak user.

After the installation was successfully finished, look for following line in the Server\Logs\VaultConfiguration.log file:

  
[INFO]: Logic Container - Installing service as a weak user...

If after this line, you see one of the following warning messages, proceed as described below:

  
[WARNING]: Logic Container - Machine is not hardened and installation is manual, installing service as a strong user...

This warning indicates that either hardening failed during the installation or you selected Do not harden the machine. For details, see Create a new Local User for the Logic Container Service.

  
[WARNING]: Logic Container - Weak User creation failed, installing service as a strong user...

This warning indicates that weak user creation failed during the hardening phase of the installation. Review the logs in the VaultConfigurations.log file and fix the configuration based on your analysis. You can then run the manual procedure described inManually. If you cannot resolve the problem, collect the log files as described in Collect Log Files. Also collect the %TEMP%\netsh_http_show.txt file, if it exists, and provide all the data to CyberArk for further investigation.

  1. From the text of the hardening failure error message, identify the location of the log file (usually within the temp folder).

     

    The log file name contains the date and time with a Windows2016Security.log suffix.

  1. In the text of the error message, the expected error can be found under the Hardening Extra Services By Batch section.

  2. In the log file, search for ---- Running Services Batch ---- and review the list of commands in this section to confirm that they have completed successfully.

    1. Review all service configuration commands with the following format: sc config <SERVICE NAME> start= disabled.

      If the completion status of any of these commands is other than SUCCESS, the hardening process has failed.

    2. Review all registry commands with the following format: reg add HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE NAME> /v Start /t REG_DWORD /d 4 /f

      Search for the <SERVICE NAME> that was modified in the registry (regedit) and verify that the Start value is 4.

      If the service's Start value in the registry is other than 4, the hardening process has failed.

  3. If the hardening completed successfully, click Skip to continue with the installation.

  4. If the hardening failed, contact your CyberArk support representative.

Create a new Local User for the Logic Container Service

When hardening is performed during the installation, Logic Container is installed to run as a weak user. If there is a problem during the creation of the weak user, you can create a weak user automatically or manually.

CyberArk has created a script that covers all the manual steps described below for all versions.

The LogicContainerUserConfiguration.ps1 script can be downloaded from the CD image.

To run the script, copy it to the Vault server and run it either by double-clicking the script or by opening PowerShell and running the script.

The script creates a log file next to it detailing all the steps done.

To get additional information, you can run the script using the '-Verbose' switch.

  1. Open Local Users and Groups.
  2. Create a new user named LogicContainerUser.
  3. Set the password and select password never expires.
  4. Do not add the user to any other group.
  5. Remove this user from the local Users group.
  6. Navigate to C:\Program Files (x86)\PrivateArk\Server, right-click on the LogicContainer folder and select properties.
  7. Go to the security tab and click Edit to change permissions.
  8. Click Add, select the LogicContainerUser user, and allow full control on the folder.

  9. Repeat steps 6-8 for the Archive folder on C:\Program Files (x86)\PrivateArk\Server\Logs.

    Note:

     

    For versions below 10.5, the default Archive folder path is C:\Program Files (x86)\PrivateArk\Server.
  10. Click OK to close the dialog.
  11. Open the command prompt as an Admin and run netsh http add urlacl url=http://+:53552/BLService.svc user=LogicContainerUser.
  12. Verify that the URL reservation successfully added message is received.
  13. Run services.msc and locate the CyberArk Logic Container service to run from the newly created LogicContainerUser.
  14. Right click properties on the service and go to the Log On tab.
  15. Select This Account, select the LogicContainerUser user, and enter the user password.
  16. Click OK to close the dialog.
  17. Click OK to close the permission to logon as a service granted dialog.
  18. Restart the CyberArk Logic Container service.
  19. Disable Remote Desktop Access (RDP) for LogicContainerUser.
    1. Press Win+R.
    2. Enter secpol.msc and click OK:.
    3. Navigate to Security Settings\Local Policies\User Rights Assignment.
    4. Double-click Deny log on through Remote Desktop Services:.
    5. Click Add User or Group:.
    6. Click Advanced:.
    7. Click Find Now:.
    8. Select the LogicContainerUser user and click OK.
    9. Click OK to approve the selection.
    10. Click OK again to save the settings.