"Management server connection failed. Could not connect to the Management Server." and "Could not start the Sophos Management Service...". Error 0x80004005: Unspecified error

  • N.º del artículo: 111898
  • Actualizado: 17 oct 2014
Issue

When you attempt to launch the Console the following error is displayed:

Management server connection failed
Could not connect to the Management Server.

This may be due to one of the following:
• Local network problems
• Management service has stopped on the server
• Your database service has stopped.

Either attempt to reconnect or close the application. Attempting to reconnect may take a few minutes.

Clicking 'Reconnect' fails.

In addition to the above message, when you attempt to start the 'Sophos Management Service' service from Windows services (Start | Run, then type: services.msc | Press return), the following error is displayed:

Could not start the Sophos Management Service on Local Computer.
Error 0x80004005: Unspecified error

This article provides more information about possible errors you may find in the Windows Event log that are attributed to the above symptoms and what to do when you find them.

First seen in

Sophos Enterprise Manager 4.7.0
Enterprise Console 4.5.0

What To Do

Open the Windows Application event log

  1. On the computer running the Sophos Management server open the Windows event viewer (Start | Run | Type: eventvwr.msc | Press return).
  2. From the left hand tree select the 'Application' log.
    Note: In Windows 2008/7/2012 you must first expand the folder 'Windows log' and then select the 'Application' log.
  3. Scroll through the list of log entries and locate the most recent error regarding the Sophos Management Service with Event ID 8004.
  4. In the 'Description' field note the message that begins with the word 'Data:'.
  5. Locate the error in the list below.

Note:

  • On a Windows 2008/7/2012 computer the 'Level' column will show 'Error' and the 'Source' column will show 'Sophos Management Service'.
  • If you already had the Event Viewer open when the error was logged you must refresh the log to show the error.
  • If you cannot find the error attempt to restart the Sophos Management Service from the Windows Services list (Start | Run | Type: services.msc | Press return), refresh the Event Viewer and the error will be logged as the latest entry.

Select the error that applies

From the list below select the error that is shown.

What if the error shown is not listed above?

If the error shown in the computer's Event Viewer is not listed above run the Sophos Diagnostic Utility (SDU) on the management server and submit the output file to Support.



Cannot open database SOPHOS45 requested by the login. The login failed
Cause See Cannot open database SOPHOS47 for same troubleshooting.
What to do

[ TOP ]

Cannot open database SOPHOS47 requested by the login. The login failed
Cause DatabaseConnectionMS connection string has the wrong database name in it.
In this example the management service has attempted to connect to a database called SOPHOS47 which doesn't exist.
What to do Check the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseConnectionMS
The string should be in the format:

Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS47;Data Source=server\SOPHOS;
Where in this example the database is SOPHOS47.

Note: For more information on the exact database name for each console version see article 17323.

[ TOP ]

Cannot open database SOPHOS521 requested by the login. The login failed
Cause There are various causes for this issue.
  1. The database does not exist.
  2. The database account is not a member of the Windows 'Sophos DB Admins' group.
  3. The database account does not have sufficient rights to access the database.
    Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of this group in Windows is different from that stored in SQL.  As a result, the database user does not have access to the database.
What to Do
  1. Check that the database exists in the SQL instance.  See article 17323 for a list of expected databases for each version of Enterprise Console.  If the database does not exist in the SQL instance you need to create it either by running the installer or running the scripts.
  2. Determine your database account.  Ensure that this Windows account is a member of the Windows security group 'Sophos DB Admins'. 
    Note: If the database component is installed on a domain controller this will be a domain local group, otherwise, it will be a local group.  
    If not, add the database user to the group and restart the "Sophos Management Service".
  3. Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of the group in Windows is different from that stored in SQL Server.
    Note: You may also see a 'Failure Audit',  Event ID 18456 from source MSSQL$SOPHOS in the application event log.  This same message is also logged in the SQL Server ERRORLOG file. 

    Run the following commands in a command prompt on the database server from the Enterprise Console directory, e.g., \program files\sophos\enterprise console\ (or \program files (x86)\... on a 64-bit computer)...

    sqlcmd -E -S .\SOPHOS -d SOPHOS521 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql


    If running this command returns the error:

    The name change cannot be performed because the SID of the new name does not match the old SID of the principal.

    ...the problem is the mapping between the Windows group 'Sophos DB Admins' and the SQL Login.  To fix this issue, run the following commands, substituting SERVERNAME for your domain name if 'Sophos DB Admins' is a domain group; otherwise enter the computer name where the 'Sophos DB Admins' group resides.  
    Note: The square brackets are required.

    sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"

    sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

    Once complete, re-run the previous commands, i.e.:
    sqlcmd -E -S .\SOPHOS -d SOPHOS521 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql


    Attempt to start the Sophos Management Service.  Also see article: 116454.

[ TOP ]

Cannot open database SOPHOS52 requested by the login. The login failed
Cause There are various causes for this issue.
  1. The database does not exist.
  2. The database account is not a member of the Windows 'Sophos DB Admins' group.
  3. The database account does not have sufficient rights to access the database.
    Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of this group in Windows is different from that stored in SQL.  As a result, the database user does not have access to the database.
What to Do
  1. Check that the database exists in the SQL instance.  See article 17323 for a list of expected databases for each version of Enterprise Console.  If the database does not exist in the SQL instance you need to create it either by running the installer or running the scripts.
  2. Determine your database account.  Ensure that this Windows account is a member of the Windows security group 'Sophos DB Admins'. 
    Note: If the database component is installed on a domain controller this will be a domain local group, otherwise, it will be a local group.  
    If not, add the database user to the group and restart the "Sophos Management Service".
  3. Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of the group in Windows is different from that stored in SQL Server.
    Note: You may also see a 'Failure Audit',  Event ID 18456 from source MSSQL$SOPHOS in the application event log.  This same message is also logged in the SQL Server ERRORLOG file. 

    Run the following commands in a command prompt on the database server from the Enterprise Console directory, e.g., \program files\sophos\enterprise console\ (or \program files (x86)\... on a 64-bit computer)...

    sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql


    If running this command returns the error:

    The name change cannot be performed because the SID of the new name does not match the old SID of the principal.

    ...the problem is the mapping between the Windows group 'Sophos DB Admins' and the SQL Login.  To fix this issue, run the following commands, substituting SERVERNAME for your domain name if 'Sophos DB Admins' is a domain group; otherwise enter the computer name where the 'Sophos DB Admins' group resides.  
    Note: The square brackets are required.

    sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"

    sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

    Once complete, re-run the previous commands, i.e.:
    sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql


    Attempt to start the Sophos Management Service.  Also see article: 116454.

[ TOP ]

Cannot open database SOPHOS51 requested by the login. The login failed
Cause There are various causes for this issue.
  1. The database does not exist.
  2. The database account is not a member of the Windows 'Sophos DB Admins' group.
  3. The database account does not have sufficient rights to access the database.
    Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of this group in Windows is different from that stored in SQL.  As a result, the database user does not have access to the database.
What to Do
  1. Check that the database exists in the SQL instance.  See article 17323 for a list of expected databases for each version of Enterprise Console.  If the database does not exist in the SQL instance you need to create it either by running the installer or running the scripts.
  2. Determine your database account.  Ensure that this Windows account is a member of the Windows security group 'Sophos DB Admins'. 
    Note: If the database component is installed on a domain controller this will be a domain local group, otherwise, it will be a local group.  
    If not, add the database user to the group and restart the "Sophos Management Service".
  3. Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of the group in Windows is different from that stored in SQL Server.
    Note: You may also see a 'Failure Audit',  Event ID 18456 from source MSSQL$SOPHOS in the application event log.  This same message is also logged in the SQL Server ERRORLOG file. 

    Run the following commands in a command prompt on the database server from the Enterprise Console directory, e.g., \program files\sophos\enterprise console\ (or \program files (x86)\... on a 64-bit computer)...

    sqlcmd -E -S .\SOPHOS -d SOPHOS51 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH51 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC51 -i ResetUserMappings.sql


    If running this command returns the error:

    The name change cannot be performed because the SID of the new name does not match the old SID of the principal.

    ...the problem is the mapping between the Windows group 'Sophos DB Admins' and the SQL Login.  To fix this issue, run the following commands, substituting SERVERNAME for your domain name if 'Sophos DB Admins' is a domain group; otherwise enter the computer name where the 'Sophos DB Admins' group resides.  
    Note: The square brackets are required.

    sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"

    sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

    Once complete, re-run the previous commands, i.e.:
    sqlcmd -E -S .\SOPHOS -d SOPHOS51 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH51 -i ResetUserMappings.sql
    sqlcmd -E -S .\SOPHOS -d SOPHOSENC51 -i ResetUserMappings.sql


    Attempt to start the Sophos Management Service.  Also see article: 116454.

[ TOP ]

Cannot open database SOPHOS50 requested by the login. The login failed
Cause There are various causes for this issue.
  1. The database does not exist.
  2. The database account is not a member of the Windows 'Sophos DB Admins' group.
  3. The database account does not have sufficient rights to access the database.
    Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of this group in Windows is different from that stored in SQL.  As a result, the database user does not have access to the database.
What to Do
  1. Check that the database exists in the SQL instance.  See article 17323 for a list of expected databases for each version of Enterprise Console.  If the database does not exist in the SQL instance you need to create it either by running the installer or running the scripts.
  2. Determine your database account.  Ensure that this Windows account is a member of the Windows security group 'Sophos DB Admins'. 
    Note: If the database component is installed on a domain controller this will be a domain local group, otherwise, it will be a local group.  
    If not, add the database user to the group and restart the "Sophos Management Service".
  3. Providing that the correct database exists and the database account is a member of the Windows security group 'Sophos DB Admins', it is likely that the SID of the group in Windows is different from that stored in SQL Server.
    Note: You may also see a 'Failure Audit',  Event ID 18456 from source MSSQL$SOPHOS in the application event log.  This same message is also logged in the SQL Server ERRORLOG file. 

    1. Download the file: ResetUserMappings.sql.txt to 'C:\'
    2. Remove the .txt from the file name so the file name is C:\ResetUserMappings.sql
    3. Run the following commands:
      sqlcmd -E -S .\SOPHOS -d SOPHOS50 -i C:\ResetUserMappings.sql
      sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH -i C:\ResetUserMappings.sql


      If running this command returns the error:

      The name change cannot be performed because the SID of the new name does not match the old SID of the principal.

      ...the problem is the mapping between the Windows group 'Sophos DB Admins' and the SQL Login.  To fix this issue, run the following commands, substituting SERVERNAME for your domain name if 'Sophos DB Admins' is a domain group; otherwise enter the computer name where the 'Sophos DB Admins' group resides.  
      Note: The square brackets are required.

      sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"

      sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

      Once complete, re-run the previous commands, i.e.:
      sqlcmd -E -S .\SOPHOS -d SOPHOS50 -i C:\ResetUserMappings.sql
      sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH -i C:\ResetUserMappings.sql


      Attempt to start the Sophos Management Service. Also see article: 116454.

[ TOP ]

[DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
Cause There are various causes for this issue.
  1. The wrong SQL instance is specified in the connection string.
  2. The SQL instance referenced is not started.
  3. The management server can not resolve the address of the SQL Server as it is specified in the connection string.
What to do Check the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseConnectionMS
for the connection string the management service uses to connect to the SQL Server instance. It should be in the format:
Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS51;Data Source=Server\SOPHOS;

Note: In the above example the management service will attempt to connect to a 'SOPHOS51' database in an SQL instance called 'SOPHOS' on the computer called 'Server'.

Perform the following tests:
  1. Check that the SQL Server service referenced in the connection string established above is started.  Typically on a default installation this service is called 'SQL Server (SOPHOS)'.
  2. Ensure that the SQL server referenced in the connection string can be resolved by the management server (ping and nslookup).
  3. Check that the SQL Server instance hosts the database name referenced in the connection string.
    sqlcmd -E -S .\sophos -Q "select name from sysdatabases"
  4. Create a UDL test file to test connectivity to the SQL database and appropriate database.
  5. If the SQL Server instance is remote to the management server, check that SQL Server is accepting remote TCP/IP connections.  This can be checked using the 'SQL Server Configuration Manager', accessible from the Start menu.

[ TOP ]

Failed to reveal datbase user password , reason :Obscure:Invalid algorithm ident=144
Note: There is a typo (datbase) in this message in the Windows Application Event log.
Cause Clear text password (when UseClearText is 0) or a password that hasn't been obfuscated correctly.
What to do Check the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseUser\DatabaseUserPassword
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseUser\UseClearText


If 'UseClearText' is 0, ensure that the 'DatabaseUserPassword' has a valid obfuscated password.

Note: obfuscationutil.exe -w should be used if you need to re-create/change the password.  For more information on re-obfuscating the password see article 13094.

[ TOP ]

createAccessToken: LogonUser failed
Note: This message maybe seen:

createAccessToken: LogonUser failed
----- [outer exception] -----
-- error: 0x8000FFFF (Catastrophic failure)
-- facility: Generic (System)

at __thiscall bl::CReusingManagementServiceClientBroker::Pointers::Pointers(class ATL::CComPtr)
at class ATL::CComPtr __thiscall bl::CReusingManagementServiceClientBroker::logIn(void)
at int __cdecl Run(int,enum bl::ConsoleType::Type)
at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)
Cause Management service impersonation account cannot logon to the computer.
What to do Check the database account can log on to the management server computer, no policy is preventing it (DC - admins only for example)

Check the account details specified in:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseUser
are correct and the account as specified can log on to the local computer. Running the following command in a command prompt:
runas /user:[account] cmd
would be a good test that the account can log on to the computer. 

Note: If you have changed the password of this account it is recommended that you re-run the installer to re-enter the new account details.  The extracted installer can typically be found in the location: 'C:\sec_[Version]\ServerInstaller\setup.exe'.  E.g. 'C:\sec_52\ServerInstaller\setup.exe'. Re-running the installer will allow you to modify the installation.

[ TOP ]

Provider cannot be found. It may not be properly installed.
Cause The provider specified in the connection string is incorrect or not functional.
What to do Check the DatabaseConnectionMS registry key for the provider being used, e.g. SQLOLEDB.
Check this is working with a UDL test as the same account the management service is accessing the database as.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]Sophos\EE\Management Tools\DatabaseConnectionMS

The string should be in the format:

Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS47;Data Source=Server\SOPHOS;

Where in this example the provider is SQLOLEDB.

[ TOP ]

ErrorUnexpected
Cause The management service has connected to the database but the check to see the upgrade state has returned a 0, rather than a 2.
What to do Ensure that the database the management service is pointing to is correct and has been successfully updated with the old data if this was an upgrade.

As an example the error:
Step: Migrating data if necessary
Error: std::runtime_error
Data: ErrorUnexpected.


May be encountered during a new installation of the management server if a previous version of the Sophos database is attached to the SQL database instance - in which case article 17508 should be referred to.

[ TOP ]

Incompatible database schema. Expected: 450000.1 actual: 400100.0
Cause The management service is pointing at the wrong database.
What to do

Ensure that the database the management service is pointing to is correct.  In the example above a console 4.5 management service is pointing to a SOPHOS4 database rather than a SOPHOS45 database.

Check the DatabaseConnectionMS registry key has the correct "Catalog" value.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]Sophos\EE\Management Tools\DatabaseConnectionMS
The string should be in the format:

Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS45;Data Source=Server\SOPHOS;

[ TOP ]

Database upgrade failed. Please see KBA 113946.
Cause See KBA 113946.
What to do

[ TOP ]


 
Si necesita más ayuda, póngase en contacto con soporte técnico.

Valore el artículo

Muy malo Excelente

Comentarios