Install error on Windows 2003 Domain Controller

[David James]

Installing Vault 2.0.2 server on a Windows 2003 Standard server running as a domain controller, I get the following error:

Configuring your new Vault Installation
Checking for IIS Version...OK
Requesting Vault Admin user password...OK
Connecting to the SQL Server...OK
Verifying the SQL Server requirements...OK
Checking for an existing Vault database...Not found.
Creating a new Vault database on (local)...
Creating the SourceGear Vault database...OK
Upgrading SourceGear Vault database...OK
Creating SourceGear Vault stored procedures...OK
Adding Data to SourceGear Vault database...OK
Adding the admin user...OK
Giving NT AUTHORITY\NETWORK SERVICE access to the Vault database...Windows NT user or group 'DB\ASPNET' not found. Check the name again.
User or role 'DB\ASPNET' does not exist in this database.
Granted database access to 'NT AUTHORITY\NETWORK SERVICE'.
'NT AUTHORITY\NETWORK SERVICE' added to role 'db_owner'.
Vault Setup is exiting due to a failure or cancellation. Error Code = 402

MSSQL 2000 is running on the same machine.

I chose the default options for everything in the installer.

The machine I'm installing on is called "DB", hence the NT username "DB\ASPNET". But because the machine is a domain controller, I believe this means there are no local users, only domain users. Could someone who knows more about Windows security confirm this? The only ASPNET account I could find is MY-DOMAIN-NAME\ASPNET.

I ran the installer a second time, and it succeeded. I guess it detected the existing database, assumed that the database security was set up correctly, and didn't try to add the non-existant DB\ASPNET user...

[jclausius]

Did you happen to see these KB articles?

1) Installing Vault Server on Windows 2003 Server
- http://support.sourcegear.com/viewtopic.php?t=185
2) Running Vault service on a domain controller - http://support.sourcegear.com/viewtopic.php?t=201

Please post back if these links did not solve your problem.

[luther_miller]

I am trying to install the demo version of Vault on Windows 2000 Server. The machine is also a domain controller, so the user name MYSERVER\ASPNET does not exist. Instead, the user name MYDOMAIN\ASPNET exists, but I am not sure how to get Vault to use this name.

We have SQL Server 2000 and ASP.NET 1.1 both installed on this machine already. In fact, we have several other ASP.NET applications running on this machine, so I don't want to change anything in the machine.config regarding user ID etc.

Neither of the links referred to in the above response seem applicable to my situation.

Please let me know how I should proceed in this instance; or if I am simply doing something incorrectly.

Thanks--

Luther

[luther_miller]

subject says it all

[jclausius]

i don't have a domain controller in front of me, so please take this with a grain of salt ( or someone flame me if this is incorrect ).

first off, i'm assuming the .net framework is installed and working correctly for a domain controller (using a custom account).


1) if you have the vault server installed, uninstall it.

2) then re-run the server installation. when you get to the section about the asp.net process model, choose CUSTOM. then for the asp.net process account, use MYDOMAIN\ASPNET.

just in case, I'll check this thread a couple of times tonight to see if it solved your problem.

[jclausius]

Giving NT AUTHORITY\NETWORK SERVICE access to the Vault database...Windows NT user or group 'DB\ASPNET' not found. Check the name again.
User or role 'DB\ASPNET' does not exist in this database.

When you install, make sure to use the Custom asp.net account. Then specify DB\ASPNET as the account in the custom field.

I'll update the KB article, as there is no mention to do so.

[luther_miller]

Ok, under Custom it says "web.config identity impersonation". I had assumed that this meant it would try and impersonate whoever was using the web services or asp.net pages. It wasn't clear that I could specify a user & password.

Which brings me to the next problem.
When I specufy custom, I'm not sure if I should enter MYMACHINE\ASPNET or MYDOMAIN\ASPNET. In either case, I certainly don't know the passoword to enter.
To make things worse, the existing aspnet_wp.exe processes always run as IWAM_MYMACHINE, not as either of the ASPNET user choices.
That is, until I tried to do an install of Vault with the second option selected. After I tried that, everything installed but it (logically) couldn't access the database. So I uninstalled it. But now all of my aspnet_wp.exe processes run as SYSTEM instead of IWAM_MYMACHINE. Grrr. Is it possible that Vault changed that, or am I just over the edge now?

In any case, it is still not clear how I can proceed properly.

[jclausius]

When I specufy custom, I'm not sure if I should enter MYMACHINE\ASPNET or MYDOMAIN\ASPNET. In either case, I certainly don't know the passoword to enter.

the microsoft article ( http://msdn.microsoft.com/library/defau ... n_a_dc.asp ) states that users will have to create a "weak" account to run the .net framework on a domain controller. for the purposes of this thread, i'm assuming that account was created by a person, and is named MYDOMAIN\ASPNET.

did you create the MYDOMAIN\ASPNET account? or did the account already exist? if someone created the account, then you know or can set the password. if you did not create the account, then the current vault installation script will not work for the cusom account without the password.

I had assumed that this meant it would try and impersonate whoever was using the web services or asp.net pages.

in windows 2000 (iis 5.0), by default the ASP.Net process runs as the user specified in the <processModel> xml element in the .Net machine.config file. however, this value can be over-written by impersonation. in this case, the vault server overrides the default and uses impersonation with the info provided in the Custom section.

But now all of my aspnet_wp.exe processes run as SYSTEM

the server installation in no uncertain terms touches machine.config.

by default, the asp.net process will probably not run as IWAM_MYMACHINE either. check out %windir%\Microsoft.NET\Framework\v1.1.YYYY\config\machine.config. the processModel->user attribute will provide you with the info you need.

note, if you are running asp.net under the local system account, i believe there is an option to use this for the Vault server installation.

[jclausius]

i apologize for all these "hoops" you are having to jump through, as they are strictly .net framework installation/configuration issues.

In any case, it is still not clear how I can proceed properly.

Here are my suggestions listed from most to least recommended:

- get .net running under your own weak domain account. see ms links above.
- install vault, and use the custom / impersonation setting using the name of the weak account.

OR

- you could run the .net framework under the local system account by modifying .net's machine.config processmodel -> user attribute.
- then install vault using "local system" as the process model.

OR

- install vault on a non-domain controller machine.

[luther_miller]

When I installed .NET on this server, I did not create any additional accounts for it to run under.

We have one ASP.NET application running under Framework version 1.0, and the rest of the server running under 1.1.

The machine.config file for the 1.0 framework uses userName="SYSTEM"; so I realized that it is THAT aspnet_wp.exe process that is running as SYSTEM, so that we could get around the issue in KB article 315158.

The machine.config for 1.1 uses userName="machine". aspnet_wp.exe processes that are spawned for ASP.NET 1.1 applications show "IWAM_MYMACHINE" as the user in Task Manager.

This has been working for well over a year, and I'd prefer not to change it.

See http://support.microsoft.com/default.as ... -us;315158
"Note With ASP.NET 1.1, the identity of the ASPNET process is IWAM_MachineName, and this problem does not apply."

Note that the link you refer to for creating a weak account if for .NET 1.0, and is not necessary for .NET 1.1.

I can get Vault to install if I select the second option, but then it can't access its own database. I assume this is because it set up the user permissions for the database to be something other than IWAM_MACHINENAME. Is it using SQL Server roles? Could I simply add IWAM_MACHINENAME to some Vault role after it installs and then I will be all set? Let me know if this might be a possible solution. I'm not fond of changing our ASP.NET 1.1 applications to run under SYSTEM, or of creating a (domain) account for them to run under, as both of these options impose additional security risks.

I am looking into another server resource where we could install the Vault demo for testing purposes, but the SQL Server will still be on this machine, at least in the short term.

Thanks!
-Luther

[jclausius]

let's move this to a new thread as to not dilute the original question which was about windows 2003 server.

http://support.sourcegear.com/viewtopic.php?p=3098#3098