Failed to sign package with Error: 2147942405 . Service user account not a member of local Administrators Group

Failed to sign package with Error: 2147942405 . Service user account not a member of local Administrators Group

Symptoms:

The Automatic package publishing from the Software Vulnerability Manager requires the "Flexera Software Vulnerability Manager Patch Daemon" service installed on your WSUS server. This service performs periodical check in to your SVM server or SVM Cloud and checks if there are any subscribed packages available to publish. Configuration of check-in frequency can be set in "Flexera SVM Patch Configuration" available here

Please note: The Patch Daemon requires the user to be a member of local Administrators and WSUS Administrators on the WSUS server. 

Diagnosis:

If the user account running the path daemon service is not a member of the local Administrators and WSUS Administrators groups, errors will occur due to permissions. 

[10/03/2021 14:27:20|V] --- Stack Trace Begins (0) ---
InvalidOperationException: Failed to sign package; error was: 2147942405
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.SignPackageCab(Boolean dualSign, String httpTimeStamp)
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName, Boolean dualSign, String httpTimeStamp)
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String packageDirectoryName)
at System.Threading.Tasks.Task.Execute()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.WsusApi.PublishPackageAsync()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.PublishPackageWorkItem.PublishPackageAsync()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.DaemonWorkItem.ExecuteTasks()
--- Stack Trace Ends ---


Solution:

1)  Please add your "Flexera Software Vulnerability Manager Patch Daemon" service account user to local Administrators and WSUS Administrators groups on your WSUS server. 

Please note: Some of the security policies in environments do not allow adding users to the local Administrators group but only to WSUS Administrators. 

2) To resolve permission issues when you cannot add a user to the local Administrators group, you would need to configure the below settings to allow your user to publish a package successfully. 

Please give your service user account Full control over all the below items and perform all actions using an administrative account. 

Registry

HKEY_LOCAL_MACHINE\Software\Flexera
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\Update Services\Server\Setup
HKLM\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} - You might have to take ownership of this key. A logged-in user, which is used to configure all permissions, needs full control of this key. This is required when configuring DCOM permissions. Settings for currently logged-in users can be changed back when all is completed. 

 Windows Explorer

C:\ProgramData\Microsoft\Crypto
C:\ProgramData\Flexera Software\SVM Patch

Shares and groups

The service user account needs to be added to WSUS administrators
WSUS administrators need to have full access to WSUS content location. Share and NTFS

DCOM - Distributed Component Object Model

Open Dcomcnfg and go to Component Services> Computers > My Computer > DCOM Config, and modify WSUSCertServer security settings:

Launch and Activation permissions - give Local Launch and Local Activation rights to WSUS administrators group/your service user
Access permissions - give Local Access rights to WSUS administrators group/your service user.

Reboot the machine, after changing DCOM settings

Was this article helpful? Yes No
No ratings
Version history
Revision #:
6 of 6
Last update:
‎May 04, 2021 07:33 AM
Updated by:
 
Contributors