Errors downloading packages when using SSL


Article ID: 152206


Products

IT Management Suite

Issue/Introduction

The following errors will be seen in the Altiris agent logs when trying to access a valid path on the Notification Server:

Date: Feb 14 09:07:15:004
Source: SecureSocket
Description: Name on certificate does not match the name of the site (Error:-2146893022)

Date: Feb 14 09:07:15:005
Source: SecureSocket
Description: Security context handle is invalid (-2146893055)

Date: Feb 14 09:07:15:006
Source: AeXNetworkTransport
Description: Get 'https://Domain.com/Altiris/NS/Agent/GetPackageSnapshot.asp?PackageId={59B5B2FD-91F3-426A-869A-829A1EAC2FD2}&compress=1' failed: HTTP Request Failed: The target principal name is incorrect. (-2146893022)

Date: Feb 14 09:07:15:007
Source: CoNetworkTransport(116)
Description: HTTP Request Failed: The target principal name is incorrect. (-2146893022)

This can have different causes. Here are a couple of examples of other errors that may be seen alongside it:

Date: Feb 14 09:07:15:008
Source: PackageDownload
Description: Download Snapshot failed: HTTP Request Failed: The target principal name is incorrect. (-2146893022)

Ignoring request to change server.

Environment

ITMS 8.x
Client communication
SSL
HTTPS

Cause

When using HTTPS, a server authentication certificate is required. The certificate will have the name of the Notification Server. The Notification Server will have one real FQDN and may have additional DNS aliases.

After an IIS server is configured to use SSL, all HTTPS communication with that website must use the exact name defined in the certificate. When the certificate name and the server's DNS name are different (from the agent's perspective), an invalid download location will be returned to the clients.

Resolution

If the certificate was generated using a name that is different from that of the server, the codebases for the Notification Server will be incorrect.

The following steps need to be done to allow the agents to communicate effectively.

1. Create a DNS alias for the common name on the certificate, pointing it to the correct server name of the Notification Server.

2. The coresettings.config file must be appropriately modified to match the alias being used to resolve the name of the Notification Server.

Put the following in the Coresettings.config file (C:\Program Files\Altiris\Notification Server\Config):

<customSetting key="PreferredNSHost" type="local" value="dnsalias.company.com" />

Note: This does require maintaining the DNS alias. If possible, it is always better to have the name on the certificate exactly match the name of the server. This eliminates the need to make modifications that may be forgotten about, overwritten, etc.
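
The following is an added example, not code from the product or its vendor. It applies the cause described above to agent log text: it decodes the signed status codes into their SSPI names and checks whether the host the agent requested is covered by a name on the certificate. The log line is the one quoted in this article; the certificate name list is a constructed assumption, and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# SSPI status values behind the signed decimals the agent logs
SSPI = {0x80090322: "SEC_E_WRONG_PRINCIPAL", 0x80090301: "SEC_E_INVALID_HANDLE"}

# Log line quoted in this article (Description field only)
SAMPLE_LOG = (
    "Description: Get 'https://Domain.com/Altiris/NS/Agent/GetPackageSnapshot.asp"
    "?PackageId={59B5B2FD-91F3-426A-869A-829A1EAC2FD2}&compress=1' failed: "
    "HTTP Request Failed: The target principal name is incorrect. (-2146893022)\n"
)
# Constructed assumption: DNS names present on the server certificate
CERT_NAMES = ["dnsalias.company.com"]

def decode_status(signed):
    """Signed 32-bit decimal from the log -> (hex string, SSPI name or None)."""
    code = signed & 0xFFFFFFFF
    return f"0x{code:08X}", SSPI.get(code)

def host_matches(host, cert_name):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if len(h) != len(c):
        return False
    if c[0] == "*":
        return len(c) > 2 and h[1:] == c[1:]
    return h == c

def failed_hosts(log_text):
    """Hosts from 'Get https://...' failures that carry the wrong-principal code."""
    hosts = set()
    pattern = r"Get '(https://[^']+)' failed:.*\((-?\d+)\)"
    for url, code in re.findall(pattern, log_text):
        if decode_status(int(code))[1] == "SEC_E_WRONG_PRINCIPAL":
            hosts.add(urlsplit(url).hostname)
    return hosts

def diagnose(log_text, cert_names):
    """Map each failing host to whether any certificate name covers it."""
    return {h: any(host_matches(h, n) for n in cert_names)
            for h in failed_hosts(log_text)}

if __name__ == "__main__":
    for host, covered in diagnose(SAMPLE_LOG, CERT_NAMES).items():
        print(host, "covered by certificate" if covered else "NOT on certificate")
```

A host reported as not covered is the name agents are being sent to; it must either appear on the certificate or be replaced, via the DNS alias and PreferredNSHost, with a name that does.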