CSUtil failed

Unanswered Question
Jun 22nd, 2007
User Badges:

I upgraded the ACS from 4.0 to 4.1 and suddenly the scripts that I use for management stopped working.


I could solve all the issues except for 1:

D:\>net stop csauth

The CSAuth servce is stopping.

The CSAuth servce was stopped successfully.


D:>csutil.exe ?u

Can not initialize SchemeLayer


What is that error?

What can I do to solve it?

It doesn?t come up at Cisco.com


Thanks


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Premdeep Banga Fri, 06/22/2007 - 15:37
User Badges:
  • Gold, 750 points or more

Hi,


Please log in as a Local Administrator on that system where ACS is installed.


Then execute the CSutil.


this happens if account with which you are logged in doesn't have sufficient privileges.


As you have mentioned that you upgraded the server version from 4.0 to 4.1, if you made services to start with some specific account, after upgrade we need to re-do that.


Also, it could also be due to application of some windows patches that you might have applied.


But in most cases logging as Administrator on that system and running CSUtil wont give you this issue.


Do that and share the result.


Regards,

Prem

rgolcher Mon, 06/25/2007 - 06:46
User Badges:

Hi,


I am logged as administrator with the same error and base on the server administrator it is fully patch.


and yes the same error.

Premdeep Banga Mon, 06/25/2007 - 07:00
User Badges:
  • Gold, 750 points or more

Hi,


Then this is what I would suggest you.


From ACS GUI, System Configuration > ACS Backup > Backup Now. ( 2 or 3 backups)


Make sure that you are able to get the backups from GUI.


Place these backups in a safe location, probably some other drive.


- Uninstall the current ACS version. (Would suggest to run "Clean.exe", that under \ACS Utilities\Support\Clean)

- Completely log off from the system

- Log back in, using Local Administrative rights

- Install the same ACS version and restore the backup from ACS GUI,


System Configuration > ACS Restore > Select both components > Restore.


Try this and let me know.


Regards,

Prem

rgolcher Tue, 06/26/2007 - 18:28
User Badges:

Hi,


I uninstalled with the clean.exe, but when I tried to installed again it send this errors:

Error at V:\ismg_israel_acs\Acs\Cryto\init.cpp line 195, CryptAcquireContext Failed (System Error 0x8009000f)


Error at V:\ismg_israel_acs\Acs\Cryto\init.cpp line 94, crypto Initialise CryptoAPI failed


Could not open Crypto container

Premdeep Banga Wed, 06/27/2007 - 03:55
User Badges:
  • Gold, 750 points or more

Hi,


As we are getting error during installation "Error at V:\ismg_israel_acs\Acs\Crypto\init.cpp" please try this,


You need to locate the old CryptoAPI container used by ACS which may still be on the system. This is normally located in


C:\Documents and Settings\\Application\Data\Microsoft\Crypto\RSA.


There will be one or more files there will very long hexdecimal file names. You need to identify the right one.


Open a Command Prompt in that folder and type

"findstr /I CiscoSecure *.*" - the filename that appears should be the old ACS container.


Delete that file.


If that doesn't resolve the issue, then unfortunately we may need to re-image the system, that has helped to resolve this issue.


Regards,

Prem

rgolcher Wed, 06/27/2007 - 08:58
User Badges:

Hi,



Thanks for your help, deleting the cryptoAPI works just great and reinstalling the ACS solved the CSUtil app


thanks again

Premdeep Banga Wed, 06/27/2007 - 09:02
User Badges:
  • Gold, 750 points or more

Hi Roger,


Glad to know that it worked!


Please mark this thread as resolved, so that others can benefit from it.


Thanks,

Prem

bteravsk Fri, 10/12/2007 - 05:51
User Badges:

In actuality this is the solution to the csutil issue without doing the installation.


I found if you change the local admin account password that attempts to run the csutil command, it would stop working as indicated. Cisco's solution is to either reinstall ACS as stated above, or run csutil as the domain admin account. The domain admin account is very protected within a large enterprise, and is not an option; reinstalling ACS every 90 days when the passwords are required to change is not an option either.


I found that removing these crypto key files whenever the password of the account that is running csutil is changed solved the problem as they get regenerated when you run csutil.


I hope this helps someone as it took a long time for us to figure this out.


Regards,


Brian


Actions

This Discussion