The customer noticed that after he installed the package service on his Symantec Management Platform (SMP) server only provides UNC or HTTP codebases, even when he has selected "Publish HTTPS codebase" (under Settings>All Settings>Notification Server>Site Server Settings>Package Service>Package Service Settings).
From the agent logs we can see that virtual directories are being created, this means all required IIS features are installed.
Windows Server 2012 R2
SMP 8.1 and later
IIS for some reason didn't bind to port 443 the assigned certificate even though IIS showed a certificate bound to it. The HTTPS codebases depend also on bindings in the IIS. If those are not OK, the HTTPS is not configured and not show up in the UI. The bindings do exist not only in IIS, they are also configured on Windows level (visible by “netsh http show sslcert” cmd command), and if some app is changing the windows binding, the IIS do not know anything about it and could show old values in the own UI. They have a complicated relationships. Also, if “Force” flag is not set in PS policy, it could happen that Agent (on the PS) will not (re)create/update the binding, if it decides that binding is not our own.
One thing to consider is that Package Service on the SMP is not really recommended since the SMP by nature is a package server already providing codebases to any client or package server that needs those packages
Check first the following KBs just in case you are not missing important IIS feature settings:
In this particular case, we had to do the following:
Open the bindings section on the Default Web Site (under IIS Manager>Server name>Sites>Default Web Site>on left pane click on Bindings)
Select the HTTPS type on port 443
Click the EDIT button. Change the SSL CERTIFICATE in the drop-down from the currently in use certificate to NOT SELECTED.
Then without clicking the OK button, change it back to use the previously selected SSL certificate.
Click the OK button to return to the Site Bindings window. Then click the CLOSE button. NOTE: you can also delete and create back the binding for port 443 instead of doing steps 3-5 above)
Once that was done, go to the Agent UI>Package Server tab>Refresh All Packages and now HTTPS codebases are generated.
If the suggestion above works but after rebooting the package server the error "Package Server could not access own Web Site using HTTPS" comes back, please try the following:
On the SMP Console, under Settings>Notification Server>Site Server Settings, find the affected Package Server under "Site Servers" and click on "Override the global settings by custom settings" for the "Certificates Rollout" section.
Make sure to:
Select "Install intranet certificate"
Use Port 443
Select "Force overwrite HTTPS binding"
Select "Use master certificate"
Unselect "Install CEM certificate" (since these were no CEM site servers)
After the package server gets the new configuration, restart the Altiris agent service. Check if the error is still present.
Subscribing will provide email updates when this Article is updated. Login is required.