Introduction

Consider a scenario where administrator is trying to install ISA Server 2006 Enterprise Edition. During ADAM installation, the setup failed with an error message “setup failed to install ADAM”.

The following details describe the setup: the operating system in use during this installation was Windows Server 2003 R2 and due to the security requirements of the company this server was not allowed to have internet access.

Troubleshooting

In order to troubleshoot this type of error the best way to start is by looking at ADAM setup logs, which by default is located at %windir%\temp and is called ISAADAM_INSTALL_.log. The following error is found:

image

Resolution

In such cases, where we see the above mentioned error in the ADAM setup logs during the process of installation of ADAM, Windows Installer calls WinVerifyTrust() for the verification of the signed certificates and files. To begin with verification, WinVerifyTrust() tries to download a Certificate Revocation List (CRL) to ensure that the certificates are not revoked. Since internet is not available, WinVerifyTrust() is not able to download CRL list and triggers the error that was showed in ISAADAM_INSTALL_.log. In such scenarios, we need to disable CRL check by using setreg tool and change the third option to FALSE, as shown below:

image

Note: Setreg tool is part of the windows SDK which can be downloaded from Microsoft.com

If the Installation fails with the error code 0x80096005 in the ADAM setup logs, then it would be because the ninth option in setreg was set to TRUE. As WinVerifyTrust() tries to verify CRL on a timestamp server to check if the signature is time stamped. (for details about time stamping please refer to the following links: http://technet.microsoft.com/en-us/library/cc780742(WS.10).aspx, http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) To resolve this we need to set this option to FALSE which is the default option. Since we need CRL check enabled on the server for security reasons, we should enable it by setting the third option in setreg to TRUE after we have successfully completed the installation.

Author

Suraj Singh
Support Engineer
Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Yuri Diogenes
Sr Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team