Skip navigation
All Places > iMFPs, Omegas, & Sentry > Blog

The Problem

A client was updating their Sentry Base software to accommodate some new SR-25 terminals that had a newer software revision on them. During the installation of Pharos Sentry Base, started by simply double-clicking the MSI file, the installer faulted with a '2878' error right after the wizard step where the Pharos Base listening port was defined.


The Investigation

Before going on-scene, the first effort was to figure out what that error number really meant. A quick search through Microsoft's MSDN site wasn't really helpful, but did give an indication of the problem:

"On the dialog [2] the control [3] has a possible value: [4]. This is an invalid or duplicate value."


Yup: remote session time! Once on the server, a second installation was attempted, using the MSIExec command line with verbose logging:

msiexec /i "PharosSystems-SentryBase-" /l*v c:\temp\install.log


The log file captured during the second installation attempt was a lot more helpful:

DEBUG: Error 2878:  On the dialog CertificateChooserDlg the control certListBox has a possible value: 8678653DF07BC6101C2977E98B2518052CD19BC6. This is an invalid or duplicate value. The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2878. The arguments are: CertificateChooserDlg, certListBox, 8678653DF07BC6101C2977E98B2518052CD19BC6


The Discovery

A ha! So in the wizard step that lets the certificate for Sentry SR-25 communications be selected, there was a duplicate value, 8678653DF07BC6101C2977E98B2518052CD19BC6, encountered! So what's 8678653DF07BC6101C2977E98B2518052CD19BC6? It's a certificate thumbprint. In other words, there's a duplicate certificate in the Windows certificate store. Thankfully, right above the error line in the log file was a listing of the certificates the installer found in the store:

Adding LOG_FOUND_CERTIFICATE_1 property. Its value is 'Found cert: (servername_SRH)('.

Adding LOG_FOUND_CERTIFICATE_2 property. Its value is 'Found cert: ('.

Adding LOG_FOUND_CERTIFICATE_3 property. Its value is 'Found cert: ('.

Adding LOG_FOUND_CERTIFICATE_4 property. Its value is 'Found cert: (servername.ent.tco.fin.corp)(servername.ent.tco.fin.corp)(7BD916158F908771B35EA0F53843744B20DDB15C)'.

Adding LOG_FOUND_CERTIFICATE_5 property. Its value is 'Found cert: ('.


The Resolution

All that was necessary to resolve the problem and finish the installation was to look at the certificates for "" in the Windows Certificate Manager (launch MMC.exe as an administrator, and add the Certificate Manager plug-in for the Local Computer, underneath Personal > Certificates) and keep the one that made the most sense. A quick trip to the Certificate Manager, a removal of the unwanted certificate, and the installation completed without a further hitch!


The Learning Lessons

Like all problems, this one came with a lot of learning lessons that are applicable in almost all scenarios:

  1. Double-clicking an MSI file in Windows Explorer to install something isn't the best choice. The theory of operations is that if Windows Installer (MSIExec) doesn't have enough credential under the current user to install that it shifts to the Windows Installer service (which runs as LocalSystem) to complete the installation, but in the land of Windows UAC and administrative sandboxes, that isn't always the case. For me, the default action is to engage an administrative command prompt session and run MSIExec interactively from the command line. For a good introduction to MSIExec, see Command-Line Options (Windows).
  2. The MSIExec error messages aren't always very helpful, but they can point you in the right direction.
  3. Logging in Windows Installer is awesome!! (yes, double exclamation marks) Not only did it tell me at what point the error occured, but there was enough information in the file to get me as close to fixing it as possible.
  4. Microsoft Windows lets you import the same certificate more than once, or the thumbprint isn't based on begin/end validity dates.