Issue with ServiceCredDlg

Feb 5, 2012 at 4:12 PM

I'm running this on Server 2008 R2.

When I put in a valid username and password combination (not using LocalSystem) and click the Test button, my installer ends prematurely and generates a 1603 MSI error.  If I use LocalSystem it functions correctly.  Also, if I enter an invalid password or use an account that does not have the Logon As a Service right, it generates the appropriate error message.

Here are my properties:

<Property Id="SERVICE_USERNAME" Hidden="yes"/>

<Property Id="SERVICE_PASSWORD" Hidden="yes" />

Within <ServiceInstall:



And the UI:

      <!-- CommonU UI Dialogs-->     

<DialogRef Id="ServiceCredDlg" />     

<DialogRef Id="GenericErrorDlg" />
      <!-- UIExtension Dialogs-->     

<DialogRef Id="WelcomeDlg"/>     

<DialogRef Id="VerifyReadyDlg"/>
      <DialogRef Id="ErrorDlg" />     

<DialogRef Id="FatalError" />     

<DialogRef Id="FilesInUse" />     

<DialogRef Id="UserExit" />

<Publish Dialog="WelcomeDlg" Control="Next" Event="NewDialog" Value="ServiceCredDlg">NOT Installed</Publish>

<Publish Dialog="ServiceCredDlg" Control="Next" Event="NewDialog" Value="VerifyReadyDlg">NOT Installed</Publish>

<Publish Dialog="ServiceCredDlg" Control="Back" Event="NewDialog" Value="WelcomeDlg">NOT Installed</Publish>

<Publish Dialog="VerifyReadyDlg" Control="Back" Event="NewDialog" Value="ServiceCredDlg">NOT Installed</Publish>

<Publish Dialog="ExitDialog" Control="Back" Event="EndDialog" Value="ServiceCredDlg">1</Publish>

<Publish Dialog="ExitDialog" Control="Finish" Event="EndDialog" Value="Return" Order="999">1</Publish>


Feb 5, 2012 at 8:09 PM

I recommend creating an msi log file to hopefully see a more meaningful error.

Feb 5, 2012 at 9:08 PM
Edited Feb 5, 2012 at 9:39 PM

Property(C): CA_ERROR = 0x80070542 - CheckTokenMembership failed: 0x80070542

Ok that is why the MSI is failing.

I also noticed that the IMPERSONATE_PASSWORD property, by default, is in logged in the clear.

EDIT: The error is due to my MSI not elevating prior to the installation, so it doesn't have the correct permissions in order to impersonate the selected account and validate the password.

Feb 6, 2012 at 11:32 AM

The first problem is that to do this kind of check you need to be an administrators. So the MSI has to run within a bootstrapper that elevates its UI. You should get a better error, vs. a failing msi, so it may be worth filing a bug.

The IMPERSONATE_PASSWORD property should be hidden by default. Easy workaround in your WIX source by adding it with hidden=true, I'd appreciate a patch though.