We are currently attempting to install the MIM Hybrid Reporting Agent, as detailed here : https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-identity-manager-hybrid-reporting
The install fails with Event ID 118 logged in the Application Event log (full details pasted below) "The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout "
Proxy access is enabled and the Azure Powershell bits are installed on the server and I am able to connect to the tenant and run various commands to confirm connectivity.
I've enabled verbose MSI reporting and this seems to be the place where the install ends with error status 1603.
SI (s) (DC!48) [10:20:23:172]: Creating MSIHANDLE (37) of type 790531 for thread 9800
CAQuietExec64: Error 0x80070001: CAQuietExec64 Failed
MSI (s) (DC!48) [10:20:23:172]: Closing MSIHANDLE (37) of type 790531 for thread 9800
CustomAction RegisterClient returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (DC:E4) [10:20:23:172]: Closing MSIHANDLE (33) of type 790536 for thread 7588
Action ended 10:20:23: InstallFinalize. Return value 3.
...
...
[10:20:28:124]: Windows Installer installed the product. Product Name: Microsoft Identity Manager Hybrid Reporting. Product Version: 4.3.2041.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
[Further Update...] I have now taken a network trace and can see three attempts to establish a connection tothe alias of pks.aadg.windows.net.nsatc.net -aadgc.aadg.windows.net.nsatc.net After the hostname is resolved, there is an attempt to send it a SYN for the first part of a 3 way handshake, none of which gets a response. After which there is an “ICMP Destination Unreachable” from the firewall. Therefore, these attempts to connect are not going via the proxy but trying to go directly but are blocked by the firewall. Should these attempts go via the proxy, or is direct connectivity required?
Is there a recommended method for validating if all the required network connectivity is in place?
Any suggestions for next troubleshooting steps would be gratefully received...
Alastair
-
Log Name: Application
Source: MIM Hybrid Reporting Monitoring Agent
Date: 21/11/2016 10:20:23
Event ID: 118
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IMMIMSTPDVVW01.devswad.net
Description:
Agent.Main;Client activation failed:The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have
been a portion of a longer timeout. The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted
timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout.
System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion
of a longer timeout. ---> System ........