Package Server is configured to publish HTTP(s) codebases, but could not access it's own Web site
Article ID: 173288
Updated On:
Products
Issue/Introduction
The customer has a package server (a Windows Server 2016) that is giving "Package Server is configured to publish HTTP(s) codebases, but could not access its own Web site" in the Agent UI.
The agent logs showed the following error entry:
Package Server could not access own Web Site using HTTPS, although it is configured to serve it. The HTTPS requests from clients cannot be served. See logs for detailed failure reason. (health state: 0x00001321).
or
Could not access own HTTPS Web site 'https://SSmachine.domain.com:443/Altiris/PS/ConnectionTest.html', HTTPS requests from clients can fail, error: An existing connection was forcibly closed by the remote host (0x80072746)
When we look under the Package Server tab, we can see that it is able to publish UNC, HTTP and HTTPS codebases. Agent machines assigned to get packages from this Package Server are able to get the files while using the HTTPS link.
Error from Agent log:
Package Server could not access own Web Site using HTTPS, although it is configured to serve it. The HTTPS requests from clients cannot be served. See logs for detailed failure reason. (health state: 0x00001321).
------------------------------
Date: 1/4/2019 12:08:22 PM, Tick Count: 73882093 (20:31:22.0930000), Size: 461 B
Process: AeXNSAgent.exe (7896), Thread ID: 7212, Module: AeXNSCPackageServer.dll
Priority: 1, Source: Package Server Agent
OR
Could not access own HTTPS Web site 'https://SSmachine.domain.com:443/Altiris/PS/ConnectionTest.html', HTTPS requests from clients can fail, error: An existing connection was forcibly closed by the remote host (0x80072746)
------------------------------
Date: 1/4/2019 12:08:22 PM, Tick Count: 73882093 (20:31:22.0930000), Size: 461 B
Process: AeXNSAgent.exe (7896), Thread ID: 7212, Module: AeXNSCPackageServer.dll
Priority: 1, Source: Package Server Agent
Error from System Event Log:
Log Name: System
Source: Schannel
Date: 1/4/2019 12:11:42 PM
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: SiteServer02.domain.com
Description:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36871</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T17:11:42.000048700Z" />
<EventRecordID>200712</EventRecordID>
<Correlation ActivityID="{1412B7BE-A3A4-0000-D2B8-1214A4A3D401}" />
<Execution ProcessID="644" ThreadID="4064" />
<Channel>System</Channel>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">client</Data>
<Data Name="ErrorState">10013</Data>
</EventData>
</Event>
Environment
ITMS 8.1 RU7 and later
Windows Server 2012, 2016
Cause
The Agent Communication Profile for this Site Server was not properly configured. It was missing the proper certificate (no one was assigned to it) and TLS was not set for the right version (it had TLS 1.0 selected when TLS 1.2 was the actual version in use).
Make sure that the Site Server and the Site Server Communication Profile are using the same TLS versions.
Resolution
We will share below the troubleshooting steps that allowed us to resolve this issue as a way to teach what we had to look at to narrow down the root cause.
We discovered the following issues:
- The agent was not aware of the desired certificate. Even though the certificate was added to IIS under port 443 binding, it was not present under the "Trusted Root Certification Authorities" and "Client Authentication Issuers" stores.
We discovered that the Site Server communication profile for this Site Server didn't have the certificate added to it:- Under the SMP Console, go to Settings>Notification Server> Site Server Settings.
- Go under Site Servers, select the affected site server, and under Communication Profile, click on the link for the Site Server name.
- Then click on Edit for "SSL certificates are defined for current profile" and add the proper certificate for this site server. Save changes
- Go back to the package server and update the configuration.
After the certificate was added to the agent communication profile for this site server, the agent had the certificate in the right places in the certificate stores. However, the error persisted.
- We looked at the Windows Event logs and under System Events, the following entry was present when the agent error happened:
Log Name: System
Source: Schannel
Date: 1/4/2019 12:11:42 PM
Event ID: 36871
...
Description:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Based on "A fatal error occurred while creating a TLS client credential. The internal error state is 10013" entry we realized that this customer may be using TLS 1.2 as his default version for this Site Server but it may not be configured properly. We checked again the Site Server communication profile for this site server (same location under Step 1 above) and it had only TLS 1.0 selected. We checked the other versions as well (1.1 and 1.2) and saved the change.
Then we updated the agent configuration and the issue with "Package Server could not access own Web Site using HTTPS" stopped and it was able to access its own website.
Note: since we changed the TLS versions allowed for this site server in the agent communication profile, we restarted the Altiris Client Task Data Loader and Altiris Object Host Service services on the Site Server just to make sure Task Client-Server continued working and refreshed its connections. We suggested to the customer that if he sees other TLS/SChannel issues on that site server to add the registry keys suggested under TECH248555 "Enabling TLS 1.2 for the ITMS Management Platform Environment"
Feedback
