COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)

Article ID: 172710

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer has enabled/enforced TLS 1.2 for agent communication and disallows earlier TLS versions in their environment. FIPS is also enabled.
The Agent Communication Profile used for these new client machines (usually the default one) has only TLS 1.2 checked; TLS 1.0 and 1.1 are not enabled.

If TLS 1.2 is the only box checked in the communication profile and a new agent is installed, the newly installed agent is unable to register or communicate back.
If they check the box for TLS 1.0 (and not necessarily 1.1), agent connection is restored.

When this server tries to connect to the SMP for configuration requests or to send basic inventory, the following messages are displayed in the agent logs:

Request 'HTTPS://altirisapp01.yourdomain.edu:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)

 

In the event logs of the machine that is not connecting, you may see the following entry:

Log Name:      System
Source:        Schannel
Date:          10/04/2015 9:21:17 AM
Event ID:      36871
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:     
Description:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Request 'HTTPS://altirisapp01.yourdomain.edu:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 448 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Configure Server Mode: Failed to obtain the machine resource GUID, error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 408 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 311 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: Agent
 

Environment

ITMS 8.1, 8.5

Cause

The Symantec Management Platform (SMP) is set to use FIPS. As mentioned in the Microsoft TechNet thread at "https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin", the following setting needs to be enabled:
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

Resolution

On the SMP:

  1. Check whether "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled:
     • In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
     • In Local Security Settings, expand Local Policies, and then click Security Options.
     • Under Policy in the right pane, double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", and see if it is set to Enabled.

On the machine that is not connecting:

  1. If the SMP has "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" enabled, then you need to enable it here as well.
  2. Restart the machine.
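
The same comparison can be scripted. The following is an added example, not part of the vendor article: it reads the registry value that backs the FIPS policy on the local machine and on the SMP, flags a mismatch, and lists recent Schannel 36871 events. Assumptions: it runs elevated on the machine that is not connecting, PowerShell remoting to the SMP is available, and the server name is the placeholder from the log sample above.

```powershell
# Added example: compare the FIPS policy state of this machine with the SMP.
# Assumptions: elevated session, WinRM remoting to the SMP is permitted,
# and $SmpServer is a placeholder taken from the sample log line.
param(
    [string]$SmpServer = 'altirisapp01.yourdomain.edu'
)

# Registry value behind "System cryptography: Use FIPS compliant algorithms ..."
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$readFips = {
    param($Key)
    $v = Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue
    # A missing value is treated as "not enabled"
    [bool]($v -and $v.Enabled -eq 1)
}

$localFips = & $readFips $fipsKey

try {
    $smpFips = Invoke-Command -ComputerName $SmpServer -ScriptBlock $readFips `
        -ArgumentList $fipsKey -ErrorAction Stop
} catch {
    Write-Warning "Could not query ${SmpServer}: $($_.Exception.Message)"
    $smpFips = $null   # unknown; check the SMP manually in Local Security Policy
}

# Summary: Mismatch is only asserted when both sides were read successfully
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    LocalFips = $localFips
    SmpFips   = $smpFips
    Mismatch  = ($null -ne $smpFips) -and ($localFips -ne $smpFips)
}

# Schannel event quoted in the article: ID 36871, internal error state 10013
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36871
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If Mismatch is True with SmpFips enabled, apply the resolution steps above on the client and restart it.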