SBS 2008 Update Rollup 2 (KB 960911) Installation Failure
[Today's post comes to us courtesy of the SBS Support Team ]
When you attempt to install SBS 2008 UR 2 (960911) it may fail with error code 6BA "Windows Update encountered and unknown error".
The C:\Windows\WindowsUpdate.log file for this update reports error 0x80070643 / 0x000006BA:
2009-05-05 10:26:47:169 360 1fd0 Agent * Title = Update Rollup 2 for Windows Small Business Server 2008 (KB960911)
2009-05-05 10:26:47:169 360 1fd0 Agent * UpdateId = {BF1AC20A-FB70-4DFA-B9DC-2D749454F4D6}.100
…
…
…
2009-05-05 10:36:49:666 7804 cf0 Handler MSP Error List:
2009-05-05 10:36:49:666 7804 cf0 Handler 1: 1722 2: EnableKerberos 3: C:\Windows\Installer\MSI3833.tmp 4: /EnableKerberos
2009-05-05 10:36:49:666 7804 cf0 Handler : MSI transaction completed. MSI: 0x80070643, Handler: 0x8024200b, Source: No, Reboot: 0
2009-05-05 10:36:49:666 7804 cf0 Handler : WARNING: First failure for update {C4BAE973-589F-4936-8633-AB40A936AD33}, transaction error = 0x8024200b, MSI result = 0x80070643, MSI action = EnableKerberos
2009-05-05 10:36:49:666 360 1a30 AU >>## RESUMED ## AU: Installing update [UpdateId = {BF1AC20A-FB70-4DFA-B9DC-2D749454F4D6}]
2009-05-05 10:36:49:666 7804 cf0 Handler : WARNING: Operation failed at update 0, Exit code = 0x8024200B
2009-05-05 10:36:49:666 360 1a30 AU # WARNING: Install failed, error = 0x80070643 / 0x000006BA
2009-05-05 10:36:49:666 7804 cf0 Handler :::::::::
2009-05-05 10:36:49:666 7804 cf0 Handler :: END :: Handler: MSI Install
2009-05-05 10:36:49:666 7804 cf0 Handler :::::::::::::
Troubleshooting:
One of the actions SBS2008 Update Rollup 2 (UR2) performs is to change the Integrated Windows authentication in the companyweb site from NTLM to Negotiate (Kerberos) to allow you to browse https://companyweb from the server after installing IE rollup 963027, IE8 or Windows 2008 SP 2.
Check the C:\Windows\temp\EnableKerberosLog_2009_<date_time>.log file for more clues.
1. If you see text similar to the log below, it’s most likely that the zone has changed:
2009/05/05 10:36:49| Reading registry keys to get URL for SBS SharePoint
2009/05/05 10:36:49| Url found: https://remote.contoso.com:987
2009/05/05 10:36:49| Trying to enable Kerberos
2009/05/05 10:36:49| Checking if site https://remote.contoso.com:987 is using NTLM
2009/05/05 10:36:50| Webapplication found
2009/05/05 10:36:50| Webapplication is running in app pool with identity NetworkService
2009/05/05 10:36:50| Checking authenticaiton mode for Default zone
2009/05/05 10:36:50| Authentication mode is exclusively-use-ntlm
2009/05/05 10:36:50| The authenticaiton provider is exclusively using ntlm
2009/05/05 10:36:50| Authentcation check passed. The machine is ready for authentication provider configuration
2009/05/05 10:36:50| Calling stsadm.exe to enable Kerberos with parameter "-o authentication -url https://remote.contoso.com:987 -type windows -usewindowsintegrated"
2009/05/05 10:36:52| Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException: Fail to enable Kerberos with exit code -1
at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.TryEnableKerberos()
at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.Program.Main(String[] args)
Check the zones in Sharepoint Central Administration.
a. Open Sharepoint 3.0 Central Administration, click the Operations tab, and then click Alternate access mappings (under Global Configuration).
· https://remote.contoso.com:987 should appear in the zone named Default.
· https://companyweb should appear in the zone named Intranet.
· https://<servername:port> should appear in the zone named Default.
b. If https://remote.contoso.com:987 and https://companyweb are not in the zones mentioned above, adjust them accordingly and try installing SBS 2008 Update Rollup 2 again.
Note: https://Remote.contoso.com:987 should be in the Default zone. If it is in the Internet zone, this can prevent SBS 2008 UR2 from changing the authentication mode on companyweb and resulting in the SBS 2008 UR2 installation failure.
2. If you see text similar to the log below, you may need to re-specify the external domain name in the IAMW.
2009/05/05 11:00:25| Reading registry keys to get URL for SBS SharePoint
2009/05/05 11:00:25| Url found: https://.contoso.local:987
2009/05/05 11:00:25| Trying to enable Kerberos
2009/05/05 11:00:25| Checking if site https://.contoso.local:987 is using NTLM
2009/05/05 11:00:25|
Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException:
https://.contoso.local:987 is not in correct URI format --->
Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.KerberosConfigurationExcepti
on: https://.contoso.local:987 is not in correct URI format --->
System.UriFormatException: Invalid URI: The hostname could not be parsed.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at
Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.SiteIsU
singNTLM(String url)
--- End of inner exception stack trace ---
Re-run the IAMW to set the proper URL.
a. Open the Windows SBS Console. On the Home tab, click Set up your Internet address.
b. Specify a valid external domain name in the wizard like contoso.com (not contoso.local).
c. Try installing SBS 2008 Update Rollup 2 again.
3. If the only text you see in the log is like the example below, your companyweb site may be inaccessible for some reason.
2009/05/05 11:00:25| Reading registry keys to get URL for SBS SharePoint
2009/05/05 11:00:25| Url found: https://remote.contoso.com:987
2009/05/05 11:00:25| Trying to enable Kerberos
OR
2009/05/05 13:28:41| Rolling back to NTLM
2009/05/05 13:28:41| The install was not started. Nothing to rollback
Sharepoint is inaccessible.
See this post for the details:
4. If you’ve made it to this point and it’s still not fixed, consider engaging Microsoft Support for assistance.
Comments
Anonymous
January 01, 2003
PingBack from http://www.netdeluxo.com/blog/blogs/the-official-sbs-blog-sbs-2008-update-rollup-2-kb-960911/Anonymous
January 01, 2003
242 Microsoft Team blogs searched, 118 blogs have new articles in the past 7 days. 314 new articles foundAnonymous
May 08, 2009
Troubleshooting #2: There is a problem when the PublicFQDNPrefix is not set. the Update is concatenating the URL as follow: https://[PublicFQDNPrefix].[PublicFQDNProvider]:987 So if there is no PublicFQDNPrefix, the URL will be malformed. If the PublicFQDNPrefix is set, but the not available, the Update installes correctly, but not changing to Kerberos, because the site was not reachable. Remarks: PublicFQDNPrefix can be found in the Registry under HKLMSoftwareMicrosoftSmallBusinessServerNetworkingAnonymous
May 08, 2009
The comment has been removedAnonymous
May 11, 2009
I do not use a domain prefix and this update would not install until I used the IAMW to configure a prefix. Kept getting the error in item 2. So, configured prefix, installed update, reboot, remove prefix, reinstalled trusted thawte cert. For future updates, please consider that many of us do not use a domain prefix.Anonymous
May 15, 2009
Hi, as for the "re-specify the external domain name in the IAMW": Is the conclusiopn right, that the adress has to be confugured as: remote.contoso.com (explicitly the subdomain "remote"). Because we configured ist as "contoso.com" (not ".local"!!!) and still get the exception: https://.contoso.com:987 is not in correct URI format Microsoft got to be kiddin me 8-| TimAnonymous
May 17, 2009
Im am using a no-ip domain and don't require the "remote" domain prefix when setting up the internet address. This configuration makes the rollup fail as described above. I ran the setup your Internet Address wizard again and let it use the remote prefix, reinstalled the rollup successfully this time and then reset the address back to how I wanted it by re-running the wizard.