After going through the process of changing agent communication and IIS to use SSL / HTTPS, agents are unable to communicate with the Symantec Management Platform server.
Description: InitializeSecurityContext error error -2146893019
Description: Failed to perform client handshake. (80090325)
Description: Post to 'https://[SMP FQDN]/NS/Agent/GetClientPolicies.aspx' failed: HTTP Request Failed: A connect request was made on an already connected socket. (-2147014840)
Source: Schannel
Event ID: 36882
Description:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
This is caused by an SSL certificate that was improperly installed on the client machine for Trusted Root Certificate Authorities. Two Trusted Root Certificate Authority certificates needed to be installed, but only the second-tier authority certificate was installed. That certificate was then displayed as the root, even though an additional authority certificate, the true root authority, also needed to be installed. This invalidated the installed certificate and prevented proper SSL communication.
If multiple Trusted Root Certificate Authority certificates need to be installed, ensure that they are imported either via a single PKCS #7 file or as individual DER-encoded binary certificates in the proper order. When viewing the installed certificates, each should have a valid certification path.
Also, ensure the certificates are imported in association with the client's computer account and not a user account.
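One way to check a client for the condition described above, as an added example that is not part of the original article: the hypothetical function Test-RootStoreChain lists every certificate in the computer account's Trusted Root store that is not self-signed or whose certification path does not build. Comparing Subject to Issuer is used here as a simple self-signed heuristic.

```powershell
# Added example (not from the original article). Run on the affected client.
# Test-RootStoreChain is a hypothetical helper name chosen for this example.
function Test-RootStoreChain {
    param(
        # Computer account store, not the current user's store
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # $true selects the machine context, so the result reflects the
        # computer account's stores rather than the logged-on user's.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)

        # Skip revocation lookups so the check works without network access.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

        $chainValid = $chain.Build($cert)

        # Heuristic: a true root is self-signed, so Subject equals Issuer.
        # A second-tier certificate placed in this store has a different Issuer.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        if (-not $selfSigned -or -not $chainValid) {
            [pscustomobject]@{
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Thumbprint  = $cert.Thumbprint
                SelfSigned  = $selfSigned
                ChainValid  = $chainValid
                # e.g. PartialChain when the issuing root is missing
                ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            }
        }

        $chain.Reset()
    }
}

Test-RootStoreChain | Format-List
```

A row with SelfSigned = False names a certificate whose Issuer still has to be installed as the true root. Expired built-in roots can also appear, with a ChainStatus of NotTimeValid, and are unrelated to this issue.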