When trying to enroll an iOS device to the Mobile Management site server, the agent enrollment fails with a generic Login failed "Authentication failure" message. The credentials are correct and valid for enrollment. Further investigation shows that the https://mms.domain.com/MobileEnrollment/MobileConfig.aspx page returns an ASP.NET server error message:
Server Error in '/MobileEnrollment' Application.
The remote certificate is invalid according to the validation procedure.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) +857759
System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request) +10
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object parameters) +243
MobileConfig.SSI.MobileManagementInformation.GetIOSMDMEnrollmentSettings(String mmsServerGuid) +77
MobileConfig._Default.Page_Load(Object sender, EventArgs e) +200
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
System.Web.UI.Control.OnLoad(EventArgs e) +132
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428
Version Information: Microsoft .NET Framework Version:2.0.50727.5448; ASP.NET Version:2.0.50727.5456
Mobile Management is installed on a Symantec Management Platform server whose internal name does not match the name on the IIS SSL certificate used for the server. Some communication works (although trust warnings can be found internally), but communication between the Mobile Management Site Services and the Management Platform server fails, because the Symantec Management Agent does not use the SSL certificate's name.
The IIS SSL certificate used for the Symantec Management Platform server should match the server's name. To see what name is currently being used, access the registry on the MMS site server at: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Servers, in the subkey for the specific server name. The "Web" setting is the field used by Mobile Management for MMS to NS communication.
To change this setting globally, in the Symantec Management Platform console, go to Settings > Agents/Plug-ins > Targeted Agent Settings. On the group for the Site Server, go to the "Advanced" tab and change the Server Name and Server Web to the name that matches the SSL certificate name.
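To confirm the mismatch before the change, or to verify the result afterwards, the registry value can be compared with the names on the certificate the server actually presents. The PowerShell below is an added example, not Symantec's own tooling; the function names are hypothetical, it assumes the "Web" value holds either a URL or a bare host name, and it checks names only, not chain trust.

```powershell
# Added example; run on the MMS site server. Assumption: "Web" is a URL or host name.
$serversKey = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'

function Get-TlsCertificateNames {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: the goal is to read it, not to trust it.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo('SimpleName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format() renders SAN entries as "label=value"; keep the values.
            $names += [regex]::Matches($san.Format($false), '=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $names | Select-Object -Unique
    }
    finally { $client.Close() }
}

function Test-NameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq ignores case
        # A wildcard name covers exactly one leftmost label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

Get-ChildItem $serversKey | ForEach-Object {
    $web = (Get-ItemProperty $_.PSPath).Web
    if (-not $web) { return }
    $uri = $null; $target = $web; $port = 443
    if ([Uri]::TryCreate($web, [UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
        $target = $uri.Host
        if ($uri.Scheme -eq 'https') { $port = $uri.Port }
    }
    $names = @(Get-TlsCertificateNames -HostName $target -Port $port)
    New-Object PSObject -Property @{
        Server = $_.PSChildName; Web = $web; CertNames = ($names -join ', ')
        Match = (Test-NameMatch -HostName $target -CertNames $names)
    }
}
```

A row with Match = False identifies a server entry whose "Web" name is not covered by the certificate and needs the Targeted Agent Settings change described above.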
Imported Document ID: TECH188822