Upgrade of Splunk Universal Forwarder - "Specified account already exists"

jmcg-imperva
Engager

Hi,

I'm trying to update the Splunk UF on a machine, but when running the MSI installer I'm getting "The specified account already exists" and then the MSI fails to install.

I've googled some generic failures around this, but none have worked so far.

Has anyone experienced this, or is anyone able to flag how to troubleshoot it?

Thanks.

0 Karma
vineet_singla
Engager

It gives the same error when upgrading from Splunk UF 7.1 to Splunk UF 9.0 on Windows Server 2012 R2.
Error 1316. The specified account already exists

The McAfee link is broken, so I cannot see the resolution. Could someone share what registry entry I should look for and remove?

0 Karma

jho-splunk
Splunk Employee

Hi @jmcg-imperva ,

Try rerunning the installation with logging enabled:

msiexec /l*vx msiexec.log /i <splunk.msi>

Then search for "return value 3", and look at a few lines before it.

If it's not obvious from that, please feel free to post a snippet here.

Cheers,

 

 - Jo.

 

0 Karma

jmcg-imperva
Engager

Thanks Jo!

Log extract as below:

MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{D23A0D86-94B2-4BFA-9703-4C403A602C33}'.
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR ==> C:\Windows\Installer\
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR product ==> {D23A0D86-94B2-4BFA-9703-4C403A602C33}
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: CryptAcquireContext succeeded
MSI (s) (F0:48) [16:31:03:074]: Using cached product context: machine assigned for product: 68D0A32D2B49AFB47930C404A306C233
MSI (s) (F0:48) [16:31:03:074]: Determining source type
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 2203 2: C:\Windows\Installer\splunkFW.msi 3: -2147287038 
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 1316 2: C:\Windows\Installer\splunkFW.msi 
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: Error determining package source type
MSI (s) (F0:48) [16:31:03:074]: SECUREREPAIR: SecureRepair Failed. Error code: 52473D75628
Error 1316. The specified account already exists.

MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2205 2:  3: Error 
MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
MSI (s) (F0:48) [16:31:04:371]: Product: UniversalForwarder -- Error 1316. The specified account already exists.

Action ended 16:31:04: InstallFinalize. Return value 3.
0 Karma
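
The triage Jo describes above (find "Return value 3", then read the lines just before it), as an added example that is not part of the original thread or any Splunk tooling. It assumes the log layout seen in the extract above; `triage` and `read_msi_log` are names made up for this example, and the sample log is abridged from that extract.

```python
import re

# Constructed sample, abridged from the log extract posted in this thread.
SAMPLE_LOG = r"""
MSI (s) (F0:48) [16:31:03:074]: Determining source type
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 2203 2: C:\Windows\Installer\splunkFW.msi 3: -2147287038
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 1316 2: C:\Windows\Installer\splunkFW.msi
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: Error determining package source type
Error 1316. The specified account already exists.
MSI (s) (F0:48) [16:31:04:371]: Product: UniversalForwarder -- Error 1316. The specified account already exists.
Action ended 16:31:04: InstallFinalize. Return value 3.
"""

FAIL = re.compile(r"^Action ended [\d:]+: (\S+)\. Return value 3\.")
ERROR = re.compile(r"\bError (\d+)\. (.+)$")
NOTE = re.compile(r"\bNote: 1: (\d+)(.*)$")


def read_msi_log(path):
    """Decode a log file; msiexec logs are commonly UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "utf-8", errors="replace")


def triage(text, context=15):
    """For each action ending in 'Return value 3', gather the error and
    note codes logged in the `context` lines before it."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        failed = FAIL.match(line)
        if not failed:
            continue
        errors, notes = [], []
        for ln in lines[max(0, i - context):i]:
            err, note = ERROR.search(ln), NOTE.search(ln)
            if err and err.groups() not in errors:  # same error is logged twice
                errors.append(err.groups())
            if note:
                notes.append((note.group(1), note.group(2).strip()))
        findings.append({"action": failed.group(1), "errors": errors, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["action"], f["errors"], [code for code, _ in f["notes"]])
```

For a real log, pass `read_msi_log("msiexec.log")` to `triage` and widen `context` if the failing action logs more than 15 lines.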

jho-splunk
Splunk Employee

Hi again @jmcg-imperva!

Interesting.  Based on this article, I wonder if there's something wonky in the Registry: https://kc.mcafee.com/corporate/index?page=content&id=KB88018

May I ask what version you're upgrading from, and what version you're upgrading to?

Cheers,

 

 - Jo.

 

Tyler
Explorer

This was the issue for me as well, but unfortunately renaming isn't as straightforward. PackageName is a GUID, not a filename. Since I deploy through Intune, I assume this is why. The GUID is likely of the app package file.

In the end, I used Orca to change the PackageCode and ProductCode GUIDs. Then, I could install like normal:

 

msiexec.exe /i "C:\Path\To\splunkuf.msi"

 

Why? There's no easy way to change the service account credentials or the Pass4SymmKey. A reinstall is the easiest, and the most reliable. Using MSIs in this way is a bit "unorthodox".

0 Karma

jmcg-imperva
Engager

Hey @jho-splunk ,

Thanks for the info.

I found the registry entry under that branch & removed it. It seemed that the UF agent was on the machine a while ago but wasn't there now. I deleted the branch & the install then completed.

Cheers,
Joni.

0 Karma

jho-splunk
Splunk Employee

Hey @jmcg-imperva!

Awesome!  Thanks for letting us know!  :)

Cheers,

 

 - Jo.

 

0 Karma