Symantec Management Agent can't connect to the Notification Server (NS) after it's installed using a Cloud-enabled Management (CEM) package. 

The agent shows the following error:

Unable to get the client certificate associated with the specified request.

Logs show:

<![CDATA[WARNING: Unexpected response from URL 'https://YourServername.com:443/Altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1': Unable to get the client certificate associated with the specified request (Exception: Object reference not set to an instance of an object.)]]>
</event>
<event date='11/26/2014 14:28:54.8280000 -05:00' severity='1' hostName='ComputerName' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='10028' thread='9692' tickCount='21690488' >
<![CDATA[Attempted CEM nsagent certificate negotiation failed.]]>
</event>
<event date='11/26/2014 14:28:54.8280000 -05:00' severity='2' hostName='ComputerName' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='10028' thread='9692' tickCount='21690488' >
<![CDATA[Configure Server Mode: CEM mode was not initialized succesfully, will retry]]>
</event>

ITMS 8.1, 8.5, 8.6

The NS uses default port 4726 bound to the Symantec Agent web site.  However, when setting up and adding the NS to the gateway it is possible to assign a different port, this will cause issues connecting to the NS. The default port for the NS on the gateway is port 4726 and port 443 or 4726 for site servers depending on version. 

Delete the Notification Server from the list of servers in the gateway and re-add it using port 4726.