6 Replies Latest reply on Jan 20, 2010 9:12 AM by StefanT

    ePO 4.5 Application Server Service


      We are running ePO 4.5 Patch 1 in both a Windows Domain and Workgroup scenario. It is our standard policy to run the server service accounts as a user and not under local system, however, if I set the ePO Application Server Service to a user account which is a member of the local administrators group I get the following errors in the server.log file on restart:


      #7320     NAISIGN     Failed to aquire certificate private key provider. Error=0x80090016

           "        NAIMSRV   Failed to decrypt using the certificate

           "               "          Failed to process server key information

                                      Shutting down server...

                                      Releasing DAL Connection Pool...

                                      Releasing File Locks...

                                      Releasing Agent Cache...

                                      Releasing Task cache...

                                      Cleaning up temp directory...

                                      ePolicy Orchestrator server stopped


      If I set the service back to LocalSystem it is fine.


      The user account is granted the "Logon as a service right" in the local security policy.


      Any ideas?





        • 1. Re: ePO 4.5 Application Server Service

          I was able to re-produce this issue using ePO 4.5 patch 1 on Windows 2008 64-bit using both local and domain admin accounts. I'll see if I can figure out the correct permissions and post another reply.



          Message was edited by: Jeremy Stanley on 1/18/10 1:27:39 PM CST



          Message was edited by: Jeremy Stanley on 1/18/10 2:21:16 PM CST
          • 2. Re: ePO 4.5 Application Server Service

            That's great Jeremy, I'll await your reply.



            • 3. Re: ePO 4.5 Application Server Service

              I was able to correct the error by regenerating the certs. Please apply steps 8-12 from KB66616:



              After going through those steps on my test server I no longer received the errors in the apache log and I did confirm that my existing agents could successfully communicate with the ePO server on port 443.

              • 4. Re: ePO 4.5 Application Server Service

                Really? So that has to be done everytime the service logon is changed from system?


                That's a real PITA as I'm writing internal documentation on the installation of our AV system and by changing the server service account I have to include the steps to re-generate the certs!


                We never had this problem in 3.6.1, I thought we were supposed to be making progress!?



                • 5. Re: ePO 4.5 Application Server Service

                  Actually once you run those commands while the apache/tomcat services are running under a domain or local admin account the SSL certs will have been created with an account with those permissions therefore you do not have to re-gen the SSL certs after doing this if you switch to another account with similar permissions (ie another domain admin account). I confirmed this by switching to both a local admin account and to another domain admin account and after restarting the ePO services the server.log did not indicate any problems and agents were still able to communicate.


                  We certainly are making progress in ePO 3.6.x we did not support the industry standard SSL encryption for agent-to-server communication (we used our proprietary SPIPE protocol to encrypt the payload rather than the connection itself) while now in ePO 4.5 we do.

                  • 6. Re: ePO 4.5 Application Server Service

                    Thanks Jeremy.


                    My progress comment was tongue in cheek, ePO 4.5 is miles apart from 3.6.1 in an improved way!