Installation error while using a domain account for geneva server

    Question

  • This is in continuation of the following thread:
    http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/b3a27751-f79b-4c1a-95ac-45693ff373f5

    As suggested in the above thread, I ran the config wizard from command line as follows:
    C:\Program Files\Microsoft Geneva Server>Microsoft.IdentityServer.ConfigWizard.exe -logfile c:\temp\genevaInst.txt -loglevel Information

    And here is my log file:

    Microsoft.IdentityServer.ConfigWizard Information: 1856 :   1 [ 1792881274142 ]: DebugLog initialized
    Microsoft.IdentityServer.ConfigWizard Error: 1856 :   4 [ 1793178659356 ]: ServiceControllerStatus.Start gave exception. 
    Time out has expired and the operation has not been completed.
    Microsoft.IdentityServer.ConfigWizard Error: 1856 :   4 [ 1793178721970 ]: RunTask encountered an exception. 
    Unable to start service. Check the Event Viewer for details.
    Fix the error and re-run the "Geneva" Server Initial Configuration wizard.

    I got the following information from the event log:

    The token service configuration could not be loaded correctly.
    Additional Data
    Error: MSIS3010: The policy store service could not register for a query notification.

    I am using SQL Server 2008 and Geneva Beta 2 (installed on the same box with Windows 2008). From the event log and SQL Server trace, I am assuming that it's looking for some sort of notification services and is not able to locate that. But, surprisingly enough, when I use the Network Service account or my own account (I am an admin on that box), everything goes smoothly. I've even tried to add that domain account to the Admin group (not a best practice, but just to test) but got the same result.

    Can anyone give me some pointers on this issue?
    Thanks.


    Wednesday, June 24, 2009 6:48 PM

Answers

  • Ok, I was able to configure Geneva server by changing some login properties associated with the domain account in SQL Server Management Studio. Basically, I specified "IdentityServerPolicy" for the default schema property and db_genevaservice for the Role Members property and it worked like a charm.

    After that I removed the domain account from the admin group and tried to run the wizard again, and got the following error:

    Exception details: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:443/Trust/ProxyMex/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
    at System.Net.HttpListener.AddAll()
    at System.Net.HttpListener.Start()

    Since I had configured Geneva to run under Network Service account on this box before, I had to manually edit the ACLs associated with the endpoints exposed by geneva server. This thread helped me for that (http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/04705197-f668-48c9-bb7b-11a122c67eae).
    Here is the command to get a list of all http ACLs:
    netsh http show urlacl

    Command to delete the ACL associated with a URL:
    netsh http delete urlacl url=https://+:8082/STS/mex/

    Command to add the ACL for granting permissions to the domain account:
    netsh http add urlacl url=https://+:8082/STS/mex/ user=domain\MyDomainAccount listen=yes delegate=yes

    I had to repeat the above 2 steps for all the urls needed by Geneva server.

    Hope this helps others facing similar issues.

    • Marked as answer by dahiya Wednesday, June 24, 2009 8:13 PM
    Wednesday, June 24, 2009 8:13 PM
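The re-ACL procedure from the answer above (show, delete, add for every URL), as an added PowerShell example that is not part of the original thread or of Geneva Server itself; the service account name and the URL list are assumptions (the two URLs are the ones quoted in the thread), and it must be run from an elevated prompt because `netsh http` changes HTTP.sys reservations.

```powershell
# Added example (not from the original thread): re-reserve the HTTP.sys URL ACLs that
# Geneva Server listens on so that only the domain service account holds the
# Listen/Delegate right, instead of Network Service or the Administrators group.
param(
    # Assumption: the domain service account the configuration wizard runs the service as.
    [string]$ServiceAccount = 'domain\MyDomainAccount',
    # Assumption: the reservations Geneva needs. These two are quoted in the thread;
    # extend the list with the remaining endpoints shown by 'netsh http show urlacl'.
    [string[]]$Urls = @('https://+:443/Trust/ProxyMex/', 'https://+:8082/STS/mex/'),
    # Print the netsh commands instead of executing them.
    [switch]$DryRun
)

# Collect the URLs that currently have a reservation, parsed from netsh's output.
function Get-ReservedUrls {
    netsh http show urlacl |
        ForEach-Object { if ($_ -match 'Reserved URL\s*:\s*(\S+)') { $Matches[1] } }
}

# Run one netsh command and fail loudly if it does not succeed.
function Invoke-Netsh([string[]]$NetshArgs) {
    $cmd = "netsh $($NetshArgs -join ' ')"
    if ($DryRun) { Write-Host $cmd; return }
    & netsh @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$cmd failed with exit code $LASTEXITCODE" }
}

$existing = Get-ReservedUrls
foreach ($url in $Urls) {
    # Remove a stale reservation (for example the one left behind for Network Service)
    # first; 'add urlacl' fails if a reservation for the URL already exists.
    if ($existing -contains $url) {
        Invoke-Netsh @('http', 'delete', 'urlacl', "url=$url")
    }
    # Grant only the service account the right to listen on (and delegate) this URL.
    Invoke-Netsh @('http', 'add', 'urlacl', "url=$url", "user=$ServiceAccount",
                   'listen=yes', 'delegate=yes')
}

# Show the reservations now held by the service account so they can be checked
# before re-running the configuration wizard.
netsh http show urlacl |
    Select-String -Context 1,0 -Pattern ([regex]::Escape($ServiceAccount))
```

Run it with `-DryRun` first to review the exact `netsh` commands it would issue for your URL list.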