Moved to 1.1.1.1 and resolved issue
I’ve been using 1.1.1.1 more and more lately. I’ve seen MS 365 services resolving to higher (250ms) IP addresses when using 8.8.8.8. This causes slow and freezing issues in Outlook on RDS or other setups using non-cached mode.
Having this problem today. First install at this site and its on a file/print/AD/DNS server. Removed the forwarder to 1.0.0.1, /flushdns and still nothing. Changing DNS forwarders and flushing isn’t making a difference.
So, the problem still exists with both MSI and EXE installers.
%g
My issue was related to TLS. Windows Server 2016. TLS 1.0 and 1.1 protocols were already disabled, and TLS 1.2 was enabled. But weaker cipher suites were enabled. That seems to be enough to block Syncro communication. Once I disabled weaker cipher suites and rebooted, then installer worked. I used IIS Crypto to manage TLS.
Original settings
Modified cipher suites. I used Strict template, but can also manually disable.
I’m not sure which of the weaker cipher suites was affecting the Syncro communication. If curious, try disabling weak cipher one at a time, then reboot.
Also If you have legacy/old software versions, that require TLS 1.0, 1.1, or weaker ciphers, this will break that.
Ours was also related to IIS Crypto, but an overly agressive config. Server 2012 R2 AD, File, DNS, Print.
The logs at C:\ProgramData\syncro\logs\syncro.installerxxx.log pointed to the TLS connection:
2024-02-09 18:10:59.349 -05:00 [INF] v1.0.180 Starting KabutoInstaller v 1.0.180, args: ‘–msi --key 7a***wA --customerid 01282760 --policyid 0 --folderid 03490612’
2024-02-09 18:10:59.349 -05:00 [DBG] v1.0.180 ============================
2024-02-09 18:10:59.493 -05:00 [DBG] v1.0.180 Command args has been successfully parsed
2024-02-09 18:10:59.526 -05:00 [WRN] v1.0.180 Required X.509 certificate (subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB, s/n: 4CAAF9CADB636FE01FF74ED85B03869D, thumbprint: AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4) is missing. SSL/TLS issues may occur.
2024-02-09 18:10:59.627 -05:00 [DBG] v1.0.180 Sending GET request to rmm.syncromsp.com:443/device_api/auth/, with null…
2024-02-09 18:10:59.712 -05:00 [ERR] v1.0.180 Installer: Exception while sending auth call
Over and above IIS Crypto “Best Practices” TLS 1.1, 1.2 were off for server and client as well as Trip Des 168 under Ciphers. Turned all that back on, rebooted and the install competed. Put the IIS crypto settings back and rebooted again, the server appeared offline, reboot after reboot. while I tried to figure out which settings was the one.
Finally, the working combination was Best Practices+ TLS 1.0, 1.1 off, Trip Des off, RC4_128 on and the MD5 and SHA RC4_128 cipher suites enabled. Server appears online. Interesting was that altough the server didn’t appear online during all the tests and reboots, backgrounding tools worked.
greg10’s settings worked for me.
Wow, a special thanks to dbove!!! We had a Windows 2016 server that we could not install the Syncro agent on. And Syncro Support really can’t help once it gets into “Cipher world”. Without this post from dbove we would never have figured this out (it took 6 months to get here)!!!
I had the exact same issue with a Windows 2016 Server. I tried all of the described fixes above to no avail. The Syncro install logfiles pointed to the error: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. With the help of Syncro Support, I was able to finally fix it. I had to install the ISRG Root X1 root certificate to replace the expired DST Root CA X3 root certificate. It had to be installed for the Local Machine as it would not work if installed for Current User.
Just had the problem. Justin2’s post made me think about date and time. Our problem was the computer did not have the right date and time. After correcting the issue, it installed just fine.
1 Like
Follow these steps
- Check if your server has the certificate authority installed Ensure that your server has the certificate authority imported. Currently, Let’s Encrypt uses the “ISRG Root X1” certificate, which can be downloaded from Let’s Encrypt’s official website.
- First install all pending Windows Updates and Restart Server.
- Go to SSLLabs SSL Server Test (Powered by Qualys SSL Labs) URL
- Enter the url of the site/api you are having problem to connect, wait a while until the test is completed. URL: rmm.syncromsp.com
- Go to ‘Cipher Suites’ section and read very carefully TLS 1.3 / TLS 1.2. There you will find the Cipher Suites accepted by the server.
- Download IISCrypto GUI tool from Nartac Software - Download
- Enable TLS 1.2, if it is disabled. (using IISCrypto GUI Tool)
- Enable additional/missing cipher suites you found in point No. 5 (using IISCrypto GUI Tool).
- Restart Server.
