I upgraded the ACS from 4.0 to 4.1 and suddenly the scripts that I use for management stopped working.
I could solve all the issues except for 1:
D:\>net stop csauth
The CSAuth servce is stopping.
The CSAuth servce was stopped successfully.
Can not initialize SchemeLayer
What is that error?
What can I do to solve it?
It doesn't come up at Cisco.com
Please log in as a Local Administrator on that system where ACS is installed.
Then execute the CSutil.
This happens if the account with which you are logged in doesn't have sufficient privileges.
As you have mentioned that you upgraded the server version from 4.0 to 4.1, if you set the services to start with some specific account, we need to redo that after the upgrade.
It could also be due to some Windows patches that you might have applied.
But in most cases logging in as Administrator on that system and running CSUtil won't give you this issue.
Do that and share the result.
Then this is what I would suggest.
From ACS GUI, System Configuration > ACS Backup > Backup Now. (2 or 3 backups)
Make sure that you are able to get the backups from GUI.
Place these backups in a safe location, probably some other drive.
- Uninstall the current ACS version. (Would suggest to run "Clean.exe", that under
- Completely log off from the system
- Log back in, using Local Administrative rights
- Install the same ACS version and restore the backup from ACS GUI,
System Configuration > ACS Restore > Select both components > Restore.
Try this and let me know.
I uninstalled with the clean.exe, but when I tried to install again it sent these errors:
Error at V:\ismg_israel_acs\Acs\Cryto\init.cpp line 195, CryptAcquireContext Failed (System Error 0x8009000f)
Error at V:\ismg_israel_acs\Acs\Cryto\init.cpp line 94, crypto Initialise CryptoAPI failed
Could not open Crypto container
As we are getting error during installation "Error at V:\ismg_israel_acs\Acs\Crypto\init.cpp" please try this,
You need to locate the old CryptoAPI container used by ACS which may still be on the system. This is normally located in
C:\Documents and Settings\
There will be one or more files there with very long hexadecimal file names. You need to identify the right one.
Open a Command Prompt in that folder and type
"findstr /I CiscoSecure *.*" - the filename that appears should be the old ACS container.
Delete that file.
If that doesn't resolve the issue, then unfortunately we may need to re-image the system, which has helped to resolve this issue.
In actuality this is the solution to the csutil issue without doing the installation.
I found if you change the local admin account password that attempts to run the csutil command, it would stop working as indicated. Cisco's solution is to either reinstall ACS as stated above, or run csutil as the domain admin account. The domain admin account is very protected within a large enterprise, and is not an option; reinstalling ACS every 90 days when the passwords are required to change is not an option either.
I found that removing these crypto key files whenever the password of the account that is running csutil is changed solved the problem as they get regenerated when you run csutil.
I hope this helps someone as it took a long time for us to figure this out.