When trying to convert existing internal clients to Cloud-enabled Management (CEM), the conversion fails even with the CEM infrastructure in place. CEM communications work properly when installing new agents with an offline CEM package.
Existing clients communicate properly with the Notification Server (NS) using HTTPS and receive the CEM policy; however, when the clients are restarted and try to convert themselves to be CEM-enabled, errors are generated in the agent logs.
All certificates are set up correctly on both the server and the gateway, but the HKLM\Software\Altiris\Altiris Agent\Communications\ registry hive doesn't contain a certificate entry. Manually creating the entry does not help.
WARNING: Unexpected response from URL 'https://FQDN/Altiris/NS/Agent/GetClientCertificateMig.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)
The C:\Windows\System32\inetsrv\config\applicationHost.config file on the Notification Server is missing records for GetClientCertificate.aspx and GetClientCertificateMig.aspx for the Default Web Site (either one or both may be missing).
<location path="Default Web Site/Altiris/NS/Agent/GetClientCertificateMig.aspx">
From the applicationHost.config file of a working NS (you could use one from your test environment if it is available, or the example attached to this article), copy the full strings for the missing entries and add them manually into the applicationHost.config on your SMP. Look for the references to GetClientCertificate.aspx and GetClientCertificateMig.aspx and insert them into your applicationHost.config.
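One way to see which of these records the SMP's file lacks before editing it, as an added PowerShell example that is not part of the original article or any vendor tooling: it compares the location paths for the two pages in a working NS's applicationHost.config against the affected server's copy. The sample XML is constructed, its record bodies are placeholders, and the GetClientCertificate.aspx path is assumed to sit beside the GetClientCertificateMig.aspx path quoted above.

```powershell
# Added example (not vendor code): list the certificate-enrollment <location>
# records that a working NS has and the affected SMP's config lacks.
$pages = 'GetClientCertificate.aspx', 'GetClientCertificateMig.aspx'

function Get-CertLocation {
    param([xml]$Config)
    # <location> elements are direct children of <configuration>.
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $path = $loc.GetAttribute('path')
        foreach ($page in $pages) {
            if ($path -like "Default Web Site/*/$page") {
                [pscustomobject]@{ Path = $path; Xml = $loc.OuterXml }
            }
        }
    }
}

function Get-MissingCertLocation {
    param([xml]$Target, [xml]$Reference)
    $have = @(Get-CertLocation $Target | ForEach-Object { $_.Path })
    Get-CertLocation $Reference | Where-Object { $have -notcontains $_.Path }
}

# Constructed sample input; record bodies are placeholders, not real settings.
# On real systems load copies of the two files instead, e.g.
#   [xml]$target = Get-Content -Raw .\applicationHost.config
$prefix = 'Default Web Site/Altiris/NS/Agent'   # assumed from the path above
[xml]$reference = @"
<configuration>
  <location path="$prefix/GetClientCertificate.aspx"><!-- elided --></location>
  <location path="$prefix/GetClientCertificateMig.aspx"><!-- elided --></location>
</configuration>
"@
[xml]$target = @"
<configuration>
  <location path="$prefix/GetClientCertificate.aspx"><!-- elided --></location>
</configuration>
"@

foreach ($m in Get-MissingCertLocation -Target $target -Reference $reference) {
    "MISSING: $($m.Path)"
    $m.Xml   # full record from the working NS, to review before adding
}
```

Work on copies of both files and back up the SMP's applicationHost.config before adding any record to it.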
Some of the sections that you need to add may look like this: