

FIM Troubleshooting: Installation Error 25009 (SA admin rights missing)

OVERVIEW

Error 25009: The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. 

This article concerns an issue with installing the Microsoft Forefront Identity Manager 2010 product. The back-end Microsoft SQL Server is a remote SQL Server.

SYNOPSIS

Installation of the Post Update 1 build 4.0.3547.2 comes to a halt during the Configure SQL Database phase. It displays a pop-up window to the end user with the following message:

Steps

Installation error message

Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database.  These workstations have sessions with open files on this server:

We reviewed the Windows Installer verbose log file.  I executed a search for “Return Value 3” (without the quotes) and found the following information.  The error message displayed to the user is documented in the log file as well.

Verbose install log

MSI (s) (04:40) [15:14:39:574]: Executing op: ActionStart(Name=ConfigDB,Description=Configuring SQL database,)

Action 15:14:39: ConfigDB. Configuring SQL database

MSI (s) (04:40) [15:14:39:574]: Executing op: CustomActionSchedule(Action=ConfigDB,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)

MSI (s) (04:40) [15:14:39:590]: Creating MSIHANDLE (23) of type 790536 for thread 1600

MSI (s) (04:68) [15:14:39:590]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF264.tmp, Entrypoint: ConfigDB

MSI (s) (04!C0) [15:14:55:152]: Creating MSIHANDLE (24) of type 790531 for thread 4032

Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database.  These workstations have sessions with open files on this server:

Installing the FIM Synchronization Manager requires that the logged-in user account have sysadmin permissions on the SQL Server.  We used Microsoft SQL Server Management Studio 2008 to review the user's information and confirmed that the logged-in user has sysadmin permissions.  Review the “How to confirm the user is a sysAdmin” section near the bottom of this page.

Once we confirmed that the logged-in user has sysadmin permissions, we ran a SQL Profiler trace.  In doing so, we found the following information.

SQL profiler trace

2010-11-03 13:20:50.93 Logon       Error: 18456, Severity: 14, State: 11.

2010-11-03 13:20:50.93 Logon       Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 40.1.188.32]
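
An added example, not part of the original article: a short Python triage script that pairs each 18456 error line with its "Login failed" line and singles out NT AUTHORITY\ANONYMOUS LOGON failures like the one above. The first pair of sample lines mirrors the excerpt; the rest are constructed for illustration.

```python
import re

# Constructed sample in SQL Server error-log format. The first pair mirrors the
# excerpt above; the other lines are invented (192.0.2.15 is a documentation IP).
SAMPLE_LOG = """\
2010-11-03 13:20:50.93 Logon       Error: 18456, Severity: 14, State: 11.
2010-11-03 13:20:50.93 Logon       Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 40.1.188.32]
2010-11-03 13:21:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2010-11-03 13:21:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.15]
2010-11-03 13:22:10.41 spid51      Starting up database 'FIMSynchronizationService'.
"""

# First line of a failed login: error number, severity and state.
ERR = re.compile(r"^(\S+ \S+) (\S+)\s+Error: 18456, Severity: \d+, State: (\d+)\.")
# Second line: the login name and the client address.
FAIL = re.compile(r"^(\S+ \S+) (\S+)\s+Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")

def parse_login_failures(text):
    """Pair each 18456 line with the 'Login failed' line that follows it."""
    failures, pending = [], None
    for line in text.splitlines():
        m = ERR.match(line)
        if m:
            pending = m.groups()  # (timestamp, source, state)
            continue
        m = FAIL.match(line)
        # Only pair lines that share the same timestamp and source column.
        if m and pending and pending[:2] == m.groups()[:2]:
            failures.append({"time": m.group(1), "state": int(pending[2]),
                             "user": m.group(3), "client": m.group(4).strip()})
        pending = None
    return failures

def anonymous_logons(failures):
    """Failures logged for the anonymous account rather than a named login."""
    return [f for f in failures if f["user"].upper() == r"NT AUTHORITY\ANONYMOUS LOGON"]

if __name__ == "__main__":
    for f in anonymous_logons(parse_login_failures(SAMPLE_LOG)):
        print(f"{f['time']} state={f['state']} client={f['client']}: "
              "anonymous logon; check the SPN for the SQL Server service")
```
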

At this point, we tested with a UDL file (How to create a UDL file).  The UDL file connection worked successfully and connected to the SQL Server.  We then utilized a CSS support tool to help quickly identify that we were missing an SPN for the SQL Server Service.

MSSQLSvc/<fqdn>:1433


The CSS Support tool is a great tool.  However, if you want to use that tool to assist you in troubleshooting, then you will need to open a support ticket.  In this particular case, we went to verify the tool and noticed a typo in the SPN.  Once the typo was corrected, we were able to execute the installation with success.  Review "How to search for SPNs" below for a step-by-step procedure.

NOTE: It is important to remember that when installing on Microsoft Windows Server 2008, you should right-click the executable and select "Run As Administrator".

HOW TO CONFIRM THE USER IS A SYSADMIN

  1. Open Microsoft SQL Server Management Studio and log in to your SQL Server.

  2. Expand Security and then Logins.

  3. Select and right-click the account that you are currently logged in with on the FIM Synchronization Manager 2010 computer.

  4. Select Properties and then Server Roles.

  5. Make sure sysadmin is checked.

HOW TO CREATE A UDL FILE

  1. Minimize all open windows on the desktop (Windows Key + D).

  2. Create a new text file called testcon.udl. (NOTE: You might need to enable the folder setting that shows file extensions to make sure that the file extension is .UDL.)

  3. Double-click testcon.udl.

  4. On the Connection Tab, select or type the name of the server.

  5. Select Use Windows NT Integrated security.

  6. Click Test Connection.

 

HOW TO SEARCH FOR SPNs

  1. Open a command prompt and type setspn -l <Domain Name>/<Service Name>.

  2. Find other examples documented here: http://technet.microsoft.com/en-us/library/cc755413(WS.10).aspx
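
An added example, not part of the original article: a Python check that reads `setspn -l` output and reports whether the SQL Server SPN for port 1433 is registered, pointing at entries that differ from it in exactly one component, as a typo would. The account, domain and host names are placeholders, the sample output is constructed, and the script assumes the SQL Server service class MSSQLSvc.

```python
# Assumption: SQL Server registers its Database Engine SPNs under this service class.
SQL_SERVICE_CLASS = "MSSQLSvc"

# Constructed sample of `setspn -l` output; every name in it is a placeholder.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=corp,DC=example:
\tMSSQLSVR/sql01.corp.example:1433
\tMSSQLSvc/sql01.corp.example
"""

def registered_spns(setspn_output):
    """Return the indented SPN entries listed under the account header."""
    return [ln.strip() for ln in setspn_output.splitlines()
            if ln[:1].isspace() and "/" in ln]

def parse_spn(spn):
    """Split 'class/host[:port]' into (class, host, port); names are case-folded."""
    svc, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    return svc.lower(), host.lower(), port

def check_sql_spn(setspn_output, fqdn, port=1433):
    """Is MSSQLSvc/<fqdn>:<port> registered? If not, which entries are one field off?"""
    want = parse_spn(f"{SQL_SERVICE_CLASS}/{fqdn}:{port}")
    found = registered_spns(setspn_output)
    if any(parse_spn(s) == want for s in found):
        return {"registered": True, "suspects": []}
    suspects = []
    for spn in found:
        fields = zip(("service class", "host", "port"), parse_spn(spn), want)
        diffs = [name for name, have, need in fields if have != need]
        if len(diffs) == 1:  # a single differing field looks like a typo or omission
            suspects.append((spn, diffs[0]))
    return {"registered": False, "suspects": suspects}

if __name__ == "__main__":
    result = check_sql_spn(SAMPLE_SETSPN, "sql01.corp.example")
    print("registered:", result["registered"])
    for spn, field in result["suspects"]:
        print(f"  check {spn}: differs in {field}")
```
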


See Also

  • Linked Technet forum announcement (*)
  • KB 2352595:   "Error 25009" error occurs when you try to upgrade to Forefront Identity Manager 2010 from Identity Lifecycle Manager 2007 Feature Pack 1 Service Pack 1 (Error 25009. The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. Invalid column name 'object_type'.)
  • Troubleshooting FIM 2010 Roadmap

Note

To provide feedback about this article, create a post on the FIM TechNet Forum. (See also *)