Sophos Enterprise Console: fails to open and gives error 'Management server connection failed' also error 0x80004005

Enterprise Console fails to open and gives the following error (note there are other causes of the error as well, but this one specifically has a failure when starting the Sophos Management Service - others can be accessed via the links below):

Management server connection failed 
Could not connect to the Management server. 
This may be due to one of the following: 
Local network problems 
Management service has stopped on the server 
MSDE service has stopped. 

When trying to start the Sophos Management Service it gives error 0x80004005 - the service may also be set to logon as a named account under services.msc.

When you check the Sophos Management Service logs, located at

• C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\3.0\log\mgmtsvc.xxxxxx.log
  OR if you have Windows 2008
• C:\Users\All Users\Sophos\Sophos Endpoint Management\3.0\log\mgmtsvc.xxxxxx.log

you may see errors similar to:

14.06.2006 11:36:57 0BF8 I SOF: ./MgntSvc-20060614-103657.log

14.06.2006 11:36:57 0BF8 E Error logging on to database

What to do

NOTE: only use this procedure if the database is local.

1. Open Windows services and check the 'Log on as' column to see which account the Sophos Management Service is logging on as.
2. If it is set to a named account, set it back to LocalSystem.
3. If it still does not start, open the Windows registry, and export (back-up) the relevant registry key as follows:
   • For 32-bit computers
     HKEY_LOCAL_MACHINE\SOFTWARE\sophos\EE\Management Tools\DatabaseUser
   • For 64-bit computers
     HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\sophos\EE\Management Tools\DatabaseUser
4. Delete the registry key, then restart the Sophos Management Service.

If you need more information or guidance, then please contact technical support.

Distributed Enterprise Console installation error 'Could not start the Management Service... 0x80004005: Unspecified error'

NOTE: The issue and solution described here only applies to Enterprise Console version 4, on a distributed installation i.e. the database has been installed on a different computer to the Sophos Management Service.

If you are experiencing this issue on a non-distributed installation, follow the procedure given for whichever console you run:

• Enterprise Console version 4
• Sophos Control Center version 4

Issue
When you attempt to start the Sophos Management Service from the Windows Service Control Manager, an error is displayed:

Could not start the Sophos Management Service on Local Computer.
Error 0x80004005: Unspecified error

If you then attempt to launch either the Sophos Control Center or Sophos Enterprise Console (with the service not started) the following error is displayed:

Management server connection failed 
Could not connect to the Management Server. 
This may be due to one of the following: 
• Local network problems 
• Management service has stopped on the server 
• Your database service has stopped. 
Either attempt to reconnect or close the application. Attempting to reconnect may take a few minutes.

Clicking 'Reconnect' fails.

Known to affect the following Sophos products and versions
Enterprise Console, version 4
Sophos Control Center, version 4

What to do

Checking the Database Server

1. On the database server please ensure that the relevant SQL service is started.
This is typically named SQL Server (SOPHOS) but in a distributed install may be your own named instance of SQL.

• If this service is running, go to step 2.
• If this service is not running, start the above SQL service and then attempt to start the "Sophos Management Service" on the Sophos Management server. If it then starts your problem is resolved.

2. Check that the SQL instance above contains a SOPHOS4 database.
At a command prompt, run the command:
OSQL –E –S .\SOPHOS –IQ "SELECT Name FROM SYSDATABASES"
where:
.\SOPHOS represents the local Sophos named instance, adjust as required.

This command should return a list of databases attached to this instance, such as: master, tempdb, model, msdb, SOPHOS4.

If it does not contain a SOPHOS4 database go to step 3.
If it does contain a SOPHOS4 database continue to the section below entitled "Checking the Management Server".

3. Steps to create a SOPHOS4 database
Note: Only perform this section if you have been redirected here from another section in this article.

IMPORTANT: This will drop and re-create the SOPHOS4 database. If you are in any doubt please contact Sophos technical support before carrying out this section.

1. Ensure that the security group "Sophos DB Admins" exists.
   N.B. This will be a domain group if installing on a domain controller and a local group if installing on a member server or installing in a workgroup environment.
   • If this group does not exist you must create it manually. Ensure that Administrator, Domain Admins and Enterprise Admins are members (or as appropriate to your environment). Then work through steps 2-7
   • If it does exist go to step 2.
2. Go to Start|Run and type cmd then click 'OK'.
3. At the command prompt type CD "%programfiles%\sophos\Enterprise Console\DB"
   Note: If this directory does not exist you can either:
   1. Run the Sophos Enterprise Console 4 installer on the SQL server choosing a custom install and then selecting the database component. If you choose to use this method, skip to step 5 in this section to confirm the database was created successfully.
   2. Copy the DB directory from another machine which the Database Role has been selected when running the Sophos Enterprise Console 4 installer to the SQL server and continue to step 4.
4. Do one of the following depending on where you are installing:
   • If you are installing on a domain controller, type
     InstallDB.bat .\sophos [DomainName] SOPHOS4 ManualDB.log
   • If you are installing on a member server or in a workgroup environment, type
     InstallDB.bat .\sophos [MachineName] SOPHOS4 ManualDB.log
     Substituting the correct values in place of the text in the square brackets.
5. Once the SOPHOS4 database has been created, test connecting to it by running the command:
   OSQL –E –S .\sophos –d SOPHOS4
   If this fails please repeat the steps in step 3 to create the database.
6. Attempt to start the Sophos Management Service.

6. 
   
   • If the service starts this issue is now resolved.
   • If the Sophos Management Service does not start continue to the next section entitled "Checking the Management Server".

Checking the Management Server

At the Management Server machine, open Regedit and navigate to:
"HKLM\Software\Sophos\EE\Management Tools\" 
Or, depending on your operating system environment this may be:
"HKLM\Software\wow6432node\Sophos\EE\Management Tools"
Locate the data value contained in DatabaseConnectionMS.

This value should contain a string such as:
Provider=SQLOLEDB;Integrated Security=SSPI;Initial Catalog=SOPHOS4;Data Source=SQLServer\SOPHOS; Where: 
The database is SOPHOS4.
The SQL Server name is SQLServer.
The SQL Instance is called SOPHOS.

2. Ensure that this value references the database server, database instance and database name correctly. If incorrect, correct the values as established in the "Checking the Database Server" section.

Attempt to start the Sophos Management Service.

2. 
   
   • If the service starts this issue is now resolved.
   • If the Sophos Management Service does not start go to the next step.
3. Ensure that the account the "Sophos Management Service" is using to connect to the database is correct.
   At the Sophos management server machine, open Regedit and navigate to:
   "HKLM\Software\Sophos\EE\Management Tools\DatabaseUser\"
   Or, depending on your operating system environment this may be:
   "HKLM\Software\wow6432node\Sophos\EE\Management Tools\DatabaseUser\"
   This key contains 4 values:
   DatabaseUserDomain
   DatabaseUserName
   DatabaseUserPassword
   UseClearText

In a distributed install the "Sophos Management Service" will attempt to impersonate the account referenced in the above keys to gain access to the database. This user should be a domain user, or in a workgroup environment exist on both the management server and SQL server with the same password. This account is required to be a member of the Sophos group "Sophos DB Admins"; where "Sophos DB Admins" will be a Local group on the SQL server or a domain group if the database server is a domain controller. Ensure the above key is correct and that if a domain account is being used the DatabaseUserDomain value references a domain name, not the name of a server.

Note: The UseClearText value can be used to perform a quick test to ensure the impersonation account is correct and has access to the database. To use this DWORD value, set it to 1 and then specify a clear text password in the DatabaseUserPassword value.

To re-create an obfuscated password, use the command line utility ObfuscationUtil.exe. This can be found in the Tools directory created by the sec_40_sfx.exe, which is by default "C:\sec_40\tools\". If this has been removed, it can be downloaded here: http://www.sophos.com/tools/ObfuscationUtil_40.exe.

To use the tool, run:
ObfuscationUtil.exe –-obfuscate -w
The output of this can be used in the DatabaseUserPassword value when UseClearText is set to the default of 0.

Once the above account has been confirmed to be correct and it is a member of the "Sophos DB Admins" group attempt to start the Sophos Management Service.

• If the service starts this issue is now resolved.
• If the Sophos Management Service does not start go to the next step.

Ensure that remote connections are enabled for the instance.
To check, at the SQL server run:
"SQLServerManager.msc"
Under Protocols ensure "TCP/IP" and "Named Pipes" are enabled.
Note: If you need to enable them, you will need to restart the service representing the instance.

Once the above configuration has been confirmed to be correct; attempt to restart the "Sophos Management Service".

• 
  
  • If the service starts this issue is now resolved.
  • If the Sophos Management Service does not start go to the next step.
• Is this an upgrade from Sophos Enterprise Console 3 to Sophos Enterprise Console 4?
  • If yes go to step 6
  • If no please contact Sophos technical support for further assistance quoting this article number.

At a command prompt, run the command:
OSQL –E –S .\SOPHOS –Q "SELECT Name FROM SYSDATABASES"
where:
.\SOPHOS represents the local Sophos named instance, adjust as required.

This command should return a list of databases attached to this instance, such as: master, tempdb, model, msdb, SOPHOS4. If this is an upgrade from Sophos Enterprise Console 3 it should also contain a SOPHOS3 database.

Technical details on the upgrade procedure
When upgrading a distributed install, you should run the Sophos Enterprise Console 4 installer on the database machine first to create an empty SOPHOS4 database. You should then go to the management server machine and run the Sophos Enterprise Console 4 installer again. This will upgrade the Sophos Management Server to the version 4. During this upgrade of the management server, the tool UpgradeDB.exe should run with the parameter:

UpgradeDB.exe -sourceVersion=3
where sourceVersion=3 represents the version 3 database (SOPHOS3).

UpgradeDB.exe reads the DatabaseConntectionMS registry key mentioned previously in this article to locate the database instance. UpgradeDB.exe effectively calls a stored procedure in SOPHOS4 called FromXto4. This stored procedure is responsible for checking the existence of any previous SOPHOS3 database to determine if this is an upgrade. If it does not locate a SOPHOS3 database it sets the UpgradeStatus value in the database table Upgrade to a 2 and exits.

In the case of an upgrade, the stored procedure FromXto4 finds the SOPHOS3 database, it then calls the stored Procedure From3to4. The purpose of this stored procedure is to move the data from the previous SOPHOS3 database into the new SOPHOS4 database. If this returns successful the UpgradeStatus value in the Upgrade table in SOPHOS4 should be set to a 2.

If the migration of the data from the SOPHOS3 database to the SOPHOS4 database fails, this will result in the UpgradeStatus not being set to a 2. The management service will therefore not start as the system is in an indeterminate state.

To get a better understanding of why the migration might be failing, run the following command on the database machine:

OSQL -E -S .\SOPHOS -d SOPHOS4 -Q "EXEC FromXto4 3,0"
where:
.\SOPHOS represents the local Sophos named instance, adjust as required.

The following should return a SQL generated error, which will be more meaningful to Sophos technical support.

If you need more information or guidance, then please contact technical support.

Applying permissions to a Windows registry key

This article describes how to change permissions in the registry, in Windows NT/2000/XP/2003/Vista computers. Do not edit the Windows registry unless you are confident about doing so.

Before you edit the registry, you are advised make a backup:

• At the taskbar, click Start|Run. Type 'Regedit' and press 'Return'. On the 'Registry' menu, click 'Export Registry File'. In the Export range panel, click 'All', then save your registry as Backup.

What to do

Windows NT and Windows 2000

1. At the taskbar, click Start|Run. Type 'Regedt32' and press 'Return'.
2. In the 'Registry Editor' window, select the entry for which you want to change the permissions.
3. From the menu at the top of the window, select Security|Permissions.
4. The 'Permissions for <registry key name>' dialog is displayed.
   From here you can
   • select users and change their permissions.
   • click 'Advanced' to open the 'Access Control Settings for <registry key name>' dialog box, and change users access control.
5. When you have completed your changes, click 'OK' to accept them.

Windows 2003 and Windows XP

1. At the taskbar, click Start|Run. Type 'Regedit' and press 'Return'.
2. In the 'Registry Editor' window, right-click the entry which you want to change, and choose 'Permissions'.
3. The 'Permissions for <registry key name>' dialog is displayed.
   From here you can
   • select users and change their permissions.
   • click 'Advanced' to open the 'Access Control Settings for <registry key name>' dialog box, and change users access control.
4. When you have completed your changes, click 'Apply' and 'OK' to accept them.

Windows Vista

1. Click Start, then in the 'Start Search' field, type 'Regedit' and press 'Return'.
2. In the 'Registry Editor' window, right-click the entry which you want to change, and choose 'Permissions'.
3. The 'Permissions for <registry key name>' dialog is displayed.
   From here you can
   • select users and change their permissions.
   • click 'Advanced' to open the 'Access Control Settings for <registry key name>' dialog box, and change users access control.
4. When you have completed your changes, click 'Apply' and 'OK' to accept them.

 If you need more information or guidance, then please contact technical support