tracker issue : CF-4152217

select a category, or use search below
(searches all categories and all time range)
Title:

"Download and Install" fails when installing on Update 1

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): David Belanger / David Belanger (David Belanger)

Created: 05/12/2016

Components: Hot Fix Installer

Versions: 2016

Failure Type: Incorrect w/Workaround

Found In Build/Fixed In Build: CF2016_Final /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:

When I tried to install update 1, it downloaded correctly then the installer ran and hung on "restart".  Once I logged in again, the update had not been installed.  A quick hit on the update log revealed permission issues.

Steps to Reproduce:

Install CF2016 and follow the Lockdown guide completely (especially the part about the CFUser)

Actual Result:

The hotfix wasn't applied.  Looks like it can't access/delete certain files.

Expected Result:

Hotfix automatically applied, even with the Lockdown guide applied.

Any Workarounds:

Yes, if I ran the hotfix from the command line while logged in as a user with windows administrator priviledges, it gets applied without issue.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4152217

External Customer Info:
External Company:  
External Customer Name: David Belanger
External Customer Email:  
External Test Config: My Hardware and Environment details:



CF2016, no HF, W2012R2 64bit

Attachments:

  1. May 12, 2016 00:00:00: 1_CF2016_Update_1_Install_05_10_2016_13_05_52.txt
  2. May 12, 2016 00:00:00: 2_CF2016_Update_1_Install_05_10_2016_13_14_48.txt
  3. May 12, 2016 00:00:00: 3_CF11_Update_8_Install_05_10_2016_14_36_01.txt
  4. May 12, 2016 00:00:00: 4_CF11_Update_8_Install_05_10_2016_14_59_28.txt
  5. June 07, 2016 00:00:00: 5_Request_Filtering.PNG
  6. June 09, 2016 00:00:00: 6_Adobe_ColdFusion_11_Update_8_Install_06_09_2016_06_01_43.txt
  7. June 09, 2016 00:00:00: 7_Adobe_ColdFusion_11_Update_8_Install_06_09_2016_07_28_58.txt

Comments:

ALSO occurs in CF11 update 8 but NOT in CF10 update 19 (both setup using the lockdown guide as well)
Comment by External U.
2862 | May 12, 2016 08:46:52 AM GMT
Hi David, I have not been able to repro the issue. In my scenario with the created user permission, I have been able to apply the hotfix from the ColdFusion Administrator. Need to know an information as to are the services ( all of the CF 2016 services) running with this user that is created, as in the Log-On User, because for the proper application of the updates this step is necessary. Thanks, Preethi
Comment by S P.
2863 | June 07, 2016 05:36:19 AM GMT
Hello Preethi, Yes both services are marked "Log On As" using a custom username like "./MyCFUserName". Those two services are - ColdFusion 2016 Application Server - ColdFusion 2016 Add-on Services I should note that I followed every single step of the lockdown guide. I'm not sure if it makes a difference but just in case, I've attache a screenshot of the Request Filtering at the server level in IIS. You'll see the /cf_scripts at the end but I'm mapping that directory to a secure directory which I've updated in CFAdmin. I do see that virtual directory in my site so the connector is working. I do this for both CF11 and CF2016
Comment by External U.
2864 | June 07, 2016 07:21:59 AM GMT
Hi David, Looks like the problem is with restarting the server with the non-admin user, because once the hotfix is applied, it tries to restart the server as the non-admin user and it is not able to do that due to permission issues and hence the hotfix is not applied. You might have to follow the instructions as per the blog article below, which is about giving permission to the non-admin user to run the services as that user: http://blogs.coldfusion.com/post.cfm/not-able-to-apply-hotfix-from-coldfusion-10-administrator-on-windows-with-lockdown-guide-imposed-on-server-how-to-set-it-up-to-make-it-work Please let me know if it works for you after following this. Thanks, Preethi
Comment by S P.
2865 | June 09, 2016 12:21:45 AM GMT
Unfortunately it didn't work. I will tell you some things that I noticed though. First, I uninstalled the hf-11-00008 using the command line, restarted the service, and verified that I was back to hf-11-00007. I was. Then, I tried to install hf8 using the CF administrator while watching the services in Windows. I did see the Application service stop and start however the HF wasn't applied. Then, I ran the SubInACL command as specified in your blog post and received a confirmation of Done: 1, Modified: 1. I restarted the service. I tried to apply the hotfix again. It didn't work and again can confirm that I saw the service stop and start. I deleted all directories and files belonging to the hotfix. I restarted the service. I clicked "downloaded and install" in the CF administrator. I saw the service stop and start but again, no luck. I've attached that install log for you to see. Now let me tell you what I find weird. My test user that I set up only for the service (cf_user_secure) now has it's own profile in the C:\Users directory (complete with Desktop, Favorites, the whole thing). I've never logged on with that user so that strikes me as strange. Then, I applied the hf8 from the command line. It ran successfully but actually stopped ALL the services (Add-on, ODBC Agent and ODBC Server too!). When it restarted, it only restarted the Application. I can confirm that the hotfix was applied successfully when run from the command line. If you look at my install log, you'll see that the hotfix failed when copying exe files from the a temp directory in the user profile. Example: Failed to copy hotfix files:C:\Users\cf_user_secure\026225.tmp\dist\cfusion\db\slserver54\bin\swagent.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server. I hope this information helps!
Comment by External U.
2866 | June 09, 2016 06:58:37 AM GMT
Looks like the ODBC and PDFg related services are not being started and stopped properly, due to which the entire process of hotfix application is failing where as the other things pertaining to it look fine. Can you make sure that these services are running with the created user. Also have you give the user permission for these services(Add-on, ODBC Agent and ODBC Server) as well using the tool for start/stop? Because, if not you would not be able to restart these services.
Comment by S P.
2867 | June 09, 2016 07:34:12 AM GMT
I am pleased to say that that worked however, only the Main ColdFusion 11 Application Server service started. While this time all services were correctly stopped, only the main service was started. I had to start the Add-on and both ODBC services manually. I can confirm through the CF administrator that Update 8 was successfully applied and I've attached the log file. Please note the last entry where you can see that a start on the other 3 services wasn't attempted. So, in summary, in order for this to work the following information should be added to the lockdown guide: Download and Install Windows tool named SubInACL.exe from http://www.microsoft.com/en-us/download/confirmation.aspx?id=23510 Then, run the following to give stop/start permissions to the new secure user: "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion 11 Application Server" /grant=<UserName>=TO "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion11Add-onServices" /grant=<UserName>=TO "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion 11 ODBC Agent" /grant=<UserName>=TO "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion 11 ODBC Server" /grant=<UserName>=TO I did the exact same thing for our CF2016 server and I can confirmed that it worked. I used the following commands: "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion 2016 Application Server" /grant=<UserName>=TO "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service "\\<MachineName>\ColdFusion2016Add-onServices" /grant=<UserName>=TO (we don't use ODBC on this test server). Unlike the CF11 box, I can confirm that both the CF Application Server AND the Add-on services were restarted correctly. NOTE: All of your service names have spaces in them EXCEPT the Add-on Services which is why I copied the commands I used in this note.
Comment by External U.
2868 | June 09, 2016 08:26:06 AM GMT
Hi David, Thanks for the confirmation about the working, also we will look into what necessary changes can be done to the Lock Down Guide. Thanks, Preethi
Comment by S P.
2869 | June 13, 2016 12:36:14 AM GMT