This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hello all, I am not sure if posting question in right place, but hope someone can help me with this as I didn't found any answer on web.
I am trying to update Exchange 2013 CU9 to CU 23. All prerequisites' are done and fine with that. But When I try to install I am getting this error in the step when coping files are started at 24% it gives this error:
Installing product E:\Exchange 2013-CU23\exchange server.msi failed. Fatal error during installation. Error code is 1603. Last error reported by the MSI package is 'The installer has insufficient privileges to access this directory: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497. The installation cannot continue. Log on as administrator or contact your system administrator.'
I am using Admin account with all the required access rights. Also I have checked that path shown above and find out there is no 15.0.1497 folder inside auth folder. There is folder 15.0.1104. Also after this all services are disabled and can't run even the CU9 that was working normal. So we are restoring vm from last backup.
Please if you can help me how to update 2013 CU9 to latest version we are planning to migrate to 2016 so need at least CU10.
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497
Rename the Frontend folder and run the setup file.
Tested its working as expected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 98%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Just a newbie question I assume you deleted the renamed folder after the successful update correct?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 64%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
i solve this problem find setup which exchange are installed mount it and when it ask exchangeserver.msi show that msi
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 88%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
CU23 is failing due to modified permissions on the Auth folder. I'm finding this on select 2013 Exchange Servers that have been compromised.
I was able to get the upgrade to run by changing the permissions on the Auth folder and it's contents. First I changed the owner from System to Domain Admin. Then I added permissions for the local and domain admin accounts. Once this was done I was able to successfully install CU23.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 35%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
So, permissions are set, but now I run the setup for CU 23 hit next on connect to the internet and check for updates and the wizard disappears like I dont have exchange installed. How were you able to successfully install the CU 23 after you changed the permissions?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 34%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Same thing happened to me in one server. Don’t check for updates and it will start. There weren’t any updates available on other servers I have updated anyway.
That is EXACTLY what I needed, you are a blessing!! Thank you I was digging out the image of the server thinking it was going to be a long night.
Preferably you do not use the wizard, but the unattended install.
Ensure that you have updated the schema, AD, and domain(s) prior to installing a new CU.
When you upgrade the first Exchange Server to a new CU, and your admin account is a member of the Schema Admin and Enterprise Admin security groups, the CU might fail, because the FMSO roles are located in a different AD site.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 38%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Check your ISO file. You may be using a corrupted ISO file. Download a fresh copy if everything else fails.
I just encountered this as well on a compromised server. It looks like inheritance was disabled. I made myself the owner of the folder and then just re-enabled inheritance to allow CU23 install to complete.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 5%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Just as a heads up,
This current security changes seem only to be affecting CAS Servers.
Our Mailbox Server didn't seem to have the same issues, however if it's a script instead of human that is doing this, our Exchange installation is on D: for the MBX server not C:
Just a thought on this whole mess.
Thanks,
Brad Dale
Hi @Mikayel Mikayelyan ,
Good day.
Since you're going to upgrade from CU9 to CU23, there is a huge gap of them.
You should install the .Net FrameWork .4.8 to support the CU23.
Also if you want to use the PowerShell to upgrade, you'll have to make your Schema/AD/AD domain prepared, If you use the Setup Wizard, you don't have to do this.
For this issue, you can give a full control permission of the folder to your account or add Everyone to the list and give it Full Control.
A related case that could help: Exchange 2019 CU8 Upgrade failed - insufficient privileges to access \owa\auth\15.2.792
Regards,
Zhengqi Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Mikayel Mikayelyan ,
Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Mikayel Mikayelyan ,
It has been a long time since last reply, did these suggestions help you? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer.Your action would be helpful to other users who encounter the same issue and read this thread.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 28.000000000000004%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I actually resolve the issue after correcting the permissions and mount the iso on the VM datastore NOT just mounting the iso from downloads.
Best,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 97%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Yes after changing owner to Domain Admin and enabling inheritance everything installed correctly
I like this answer, but don't like this answer.
What should be the official Security permission on this directory?
I.E. what do I need to change it back to after the CU update, or will the CU update fix the permissions?
Thanks,
Brad Dale
Hi @Brad Dale LevcoTech ,
By default it's full control for System and Local Admins:
When you first trying to open this folder and press Continue, you will get the Full Control Permission for your account(The second user on the photo above).
No, I think it'll not automatically roll back after CU update, so you may have to manually remove Everyone from the list.
Giving your own account a full control permission may also work.
Regards,
Lou
So if I had permission set to SYSTEM readonly, only, before the patch.
Should I be worried that I have an incursion?
Thanks,
Brad Dale
Hi,
I think you don't have to worry about that, as I have checked other version Exchange servers, this folder(and the folders in it) is Read-only by default.
Also you can only give the full permission for those two folders if you don't want to that.
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Regards,
Lou
I am a bit concerned still.
As the Domain has receive multiple report of domains that we don't sent to.
Sorry I don't know these reports, do they have error messages or some information?
And please cover your personal information for a security consideration.
Regards,
Lou
They are Gmail DMARC reports.
From my point of view, they are emails w/o authentication.
Just saying that you might want to look @ mrshmc.com as a possible relay point for Exchange exploitations.
Thanks,
Brad Dale LevcoTech
Hi @Brad Dale LevcoTech ,
Are these reports came after you assigned the permission?
I think they are irrelevant with the Folder Permission...
And we grant the full control permission is to solve the update problem, because the Setup program couldn't access the folder.
If you want to ask another question, kindly suggest that if you don't mind, you could post a new thread and our engineers will help you there.
Thanks for your understanding.
Best regards,
Lou
I helped you removed the photos, because it contains your personal website/domain or other information.
Please remember to cover these important things when you're going to post them :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 81%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
authenticated Users - Read & Ex
System - Full
Administrator(or Administrators) - Full
success!!