Site Server (running Task service) is failing to register with the SMP after switching to SSL. The Symantec Management Agent (Altiris Agent) connects via SSL with no issue.
With HTTP communication to the SMP and Task Services opened, the task server registers without issue. After switching back to require SSL and resetting the agent, the Task Server fails to register.
Errors in the Site Server agent logs indicate that the client has insufficient privileges to register:
Failed to perform re-register.
Forbidden
So far the agent logs show the following when the task server tries to register:
Entry 1: Checking "http://Altiristest01.example.net/Altiris/TaskManagement/ClientTask/Authenticate.aspx" with credentials domain: "domain" username: "adminaltiris"
-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769093 (2.14:42:49.0930000), Size: 473 B
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 4, Source: Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.CheckCredentials

Entry 2: NotificationServerWebConnection.PostToNotificationServer()
The remote server returned an error: (403) Forbidden.
[System.Net.WebException @ System]
at System.Net.HttpWebRequest.GetResponse()
at Altiris.DotNetLib.Helpers.AtrsHttpOps.Execute[T](Func`2 action, String url, ICredentials credentials, Boolean isPost, Int32 timeout)
at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer(String url, ICredentials nsCredentials, NSWebConnectionBuildRequestStreamDelegate requestStreamDelegate, Int32 nMaxAttempts, Int32 nTimeout)
Exception logged from:
at Altiris.DotNetLib.Logging.AtrsLog.ExceptionMessage(String message, Exception exception)
at Altiris.ClientTask.Server.Logging.NSAgentLog.ReportMessage(Severity severity, String moduleName, String source, Exception exception, String message, Object[] arguments)
at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer(String url, ICredentials nsCredentials, NSWebConnectionBuildRequestStreamDelegate requestStreamDelegate, Int32 nMaxAttempts, Int32 nTimeout)
at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.CheckCredentials(String clientTaskUrl, NetworkCredential credentials)
at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.ValidateCredentials(String clientTaskUrl, NetworkCredential credentials)
at Altiris.ClientTask.Server.ClientTaskServer.RegisterTaskServer(Version taskServerVersion)
at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)
at Altiris.ClientTask.Server.ClientTaskServer.ProcessRegistrationThreadProc()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769093 (2.14:42:49.0930000), Size: 2.42 KB
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 1, Source: Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer

Entry 3: Failed to perform re-register.
Forbidden
[System.Web.HttpException @ Altiris.ClientTask.Server]
at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.ValidateCredentials(String clientTaskUrl, NetworkCredential credentials)
at Altiris.ClientTask.Server.ClientTaskServer.RegisterTaskServer(Version taskServerVersion)
at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)
Exception logged from:
at Altiris.DotNetLib.Logging.AtrsLog.ExceptionMessage(String message, Exception exception)
at Altiris.ClientTask.Server.Logging.NSAgentLog.ReportMessage(Severity severity, String moduleName, String source, Exception exception, String message, Object[] arguments)
at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)
at Altiris.ClientTask.Server.ClientTaskServer.ProcessRegistrationThreadProc()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769109 (2.14:42:49.1090000), Size: 1.61 KB
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 1, Source: Altiris.ClientTask.Server.ClientTaskServer.ReRegister
ITMS 7.6, 8.0, 8.1
Site Servers running on Windows Server 2012 and Windows 10
Microsoft changed the default way that SSL works in Windows Server 2012 (and in Windows 10 as well). See the following articles for information on how certificates are used in Windows Server 2012.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create: ClientAuthTrustMode = dword:2
Create: SendTrustedIssuerList = dword:1
Now the task server agent should be able to connect and register.
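
One way to audit and apply the two SCHANNEL values above from an elevated PowerShell session, added here as an example (it is not Symantec's own script). The $Apply switch and the backup file location are assumptions of this example; the key path, value names and data are the ones listed in this article.

```powershell
# Added example: report the current SCHANNEL values and optionally set them.
# $Apply and the backup path are assumptions of this example, not part of the article.
$Apply  = $false   # leave $false for an audit-only run; set $true to write the values
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Backup = Join-Path $env:TEMP 'schannel-before-change.reg'

# Value names and data exactly as given in the article.
# ClientAuthTrustMode 2   = Exclusive CA Trust for client certificate validation.
# SendTrustedIssuerList 1 = send the trusted issuer list during the TLS handshake.
$Wanted = [ordered]@{
    ClientAuthTrustMode   = 2
    SendTrustedIssuerList = 1
}

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist, instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

if ($Apply) {
    # Keep a copy of the key so the change can be reverted with "reg import".
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Backup /y | Out-Null
}

$report = foreach ($name in $Wanted.Keys) {
    $before = Get-SchannelValue -Path $Key -Name $name
    $target = $Wanted[$name]
    $action = if ($before -eq $target) { 'none' } elseif ($Apply) { 'set' } else { 'would set' }
    if ($action -eq 'set') {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord -Value $target -Force | Out-Null
    }
    [pscustomobject]@{
        Name   = $name
        Before = $before
        Target = $target
        Action = $action
        After  = Get-SchannelValue -Path $Key -Name $name
    }
}
$report | Format-Table -AutoSize
```

An empty Before column means the value did not exist, which is the state the article's "Create" steps assume.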