WIX Installation fails to Install Certificate to Root Certification Authorities for Some machines

3

We have created a WIX installation MSI that installs certificates to the machine store. It installs a root certificate (GoDaddy Class 2 Certification Authority) to the Trusted Root Certification Authorities. It works for most machines, but it fails on some machines. We suspected the group policy restrictions (http://technet.microsoft.com/en-us/library/cc754841.aspx), but the change did not resolve the problem. Below is a WIX definition and a portion of the log file that shows where the error occurs.

<DirectoryRef Id="ApplicationDirectory">
  <Component Id="G.Root.Cert" Guid="{C6672075-1BFB-4158-86B4-8DD6D26BBC12}">
    <CreateFolder />
    <iis:Certificate Id="GoDaddy.Class2.Certificate"
                     Name="GoDaddy Class 2 Certificate"
                     Request="no"
                     StoreLocation="localMachine"
                     StoreName="root"
                     Overwrite="no"
                     BinaryKey="GoDaddy.Class2.Binary" />
  </Component>
</DirectoryRef>

MSI (s) (B4:08) [11:58:21:952]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (B4:08) [11:58:21:953]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 11:58:21: AddMachineCertificate.
MSI (s) (B4:08) [11:58:21:953]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (B4:40) [11:58:21:980]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI3EE3.tmp, Entrypoint: AddMachineCertificate
MSI (s) (B4:D0) [11:58:21:981]: Generating random cookie.
MSI (s) (B4:D0) [11:58:21:982]: Created Custom Action Server with PID 9920 (0x26C0).
MSI (s) (B4:90) [11:58:22:042]: Running as a service.
MSI (s) (B4:90) [11:58:22:043]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate: Deleting certificate that begin with friendly name: GoDaddy Class 2 Certificate_wixCert_
AddMachineCertificate: Adding certificate: GoDaddy Class 2 Certificate_wixCert_1
AddMachineCertificate: Error 0x80070005: Failed to add certificate to the store.
MSI (s) (B4!0C) [11:58:22:173]: Note: 1: 2205 2: 3: Error
MSI (s) (B4!0C) [11:58:22:173]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 26352
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (B4!0C) [11:58:27:816]: Note: 1: 2205 2: 3: Error
MSI (s) (B4!0C) [11:58:27:816]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 1709
MSI (s) (B4!0C) [11:58:27:816]: Product: Netsmart VR BA Prerequisites -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
AddMachineCertificate: Error 0x80070005: Failed to install certificate.
AddMachineCertificate: Error 0x80070005: Failed to install per-machine certificate.
CustomAction AddMachineCertificate returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 11:58:27: InstallFinalize. Return value 3.
MSI (s) (B4:08) [11:58:27:961]: User policy value 'DisableRollback' is 0
MSI (s) (B4:08) [11:58:27:962]: Machine policy value 'DisableRollback' is 0
MSI (s) (B4:08) [11:58:27:972]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1163681610,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)

We are puzzled as to what causes this problem. If you have any idea as to what causes this problem, it would be greatly appreciated.

Thanks.

windows
wix
asked on Stack Overflow Nov 14, 2014 by Shoji Kaburagi • edited Nov 14, 2014 by Shoji Kaburagi

2 Answers

3

We ran into the same problem, and sometimes it was because the user had the key already in the personal store. WiX doesn't seem to be smart enough to overwrite the key from other stores of a "higher" level (or overwrite at all -- not sure if it is a bug or not).

I would check to see if that certificate was already installed at the user level.

answered on Stack Overflow Nov 20, 2014 by Joe • edited Aug 29, 2015 by Bjørn-Roger Kringsjå

1

I had a similar problem installing the Basler Pylon 5.x software, which uses the WiX installer. With some help from Joe's answer, I confirmed the failing machine had the certificate Microsoft Root Certificate Authority 2011 installed without a friendly name.

So I set the correct friendly name (MicrosoftRootCertificateAuthority2011.crt_wixCert_1) with this PowerShell command and the install succeeds:

(Get-ChildItem -Path Cert:\LocalMachine\Root\8f43288ad272f3103b6fb1428485ea3014c0bcfe).FriendlyName = 'MicrosoftRootCertificateAuthority2011.crt_wixCert_1'

answered on Stack Overflow Oct 18, 2019 by Peter Ivan
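
The check both answers describe (is the certificate already present in some store, and does that copy carry the `_wixCert_` friendly name that appears in the log), written as an added read-only PowerShell example that is not part of either answer. `$CerPath`, `$WixName` and the function name `Find-CertificateCopy` are assumptions for illustration; `$CerPath` is taken to be the same .cer file the MSI embeds.

```powershell
# Added diagnostic example; read-only, changes nothing in any store.
# Assumptions: $CerPath is the .cer file the MSI embeds, and $WixName is the
# Name attribute of the iis:Certificate element in the WiX source.
param(
    [Parameter(Mandatory)] [string] $CerPath,
    [string] $WixName = 'GoDaddy Class 2 Certificate'
)

function Find-CertificateCopy {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $WixName
    )

    # Prefix the custom action logs: "<Name>_wixCert_" followed by a number.
    $prefix = "${WixName}_wixCert_"

    # Walk every store under CurrentUser and LocalMachine; skip stores that
    # cannot be opened instead of aborting the scan.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $Thumbprint
        } |
        ForEach-Object {
            $friendly = [string] $_.FriendlyName   # empty string when unset
            [pscustomobject]@{
                # PSParentPath looks like "...\Certificate::LocalMachine\Root"
                Store        = ($_.PSParentPath -split '::')[-1]
                FriendlyName = $friendly
                HasWixName   = $friendly.StartsWith($prefix)
                Subject      = $_.Subject
            }
        }
}

# Load the certificate file only to obtain its thumbprint.
$fullPath = (Resolve-Path -Path $CerPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

$copies = @(Find-CertificateCopy -Thumbprint $cert.Thumbprint -WixName $WixName)
if ($copies.Count -eq 0) {
    Write-Output "No store contains $($cert.Thumbprint)."
} else {
    # Rows with HasWixName = False are copies the installer did not name.
    $copies | Sort-Object Store | Format-Table -AutoSize
}
```

Run it on a failing machine and on a working one, then compare the rows: a copy in a `CurrentUser` store, or a `LocalMachine\Root` copy with an empty friendly name, matches the two situations the answers report.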

User contributions licensed under CC BY-SA 3.0