When trying to enroll an iOS device to the Mobile Management site server, agent enrollment fails with a generic Login failed "Authentication failure" message, even though the credentials are correct and valid for enrollment. Further investigation shows that the https://mms.domain.com/MobileEnrollment/MobileConfig.aspx page returns an ASP.NET server error message:
Server Error in '/MobileEnrollment' Application.
The remote certificate is invalid according to the validation procedure.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) +2339776
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) +7267842
System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) +214
System.Threading.ExecutionContext.runTryCode(Object userData) +376
System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) +0
System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) +98
System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) +1131
System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) +88
System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) +20
System.Net.ConnectStream.WriteHeaders(Boolean async) +360
[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) +857759
System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request) +10
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +243
MobileConfig.SSI.MobileManagementInformation.GetIOSMDMEnrollmentSettings(String mmsServerGuid) +77
MobileConfig._Default.Page_Load(Object sender, EventArgs e) +200
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
System.Web.UI.Control.OnLoad(EventArgs e) +132
System.Web.UI.Control.LoadRecursive() +66
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428
Version Information: Microsoft .NET Framework Version:2.0.50727.5448; ASP.NET Version:2.0.50727.5456
Mobile Management is installed to a Symantec Management Platform server where the server's internal name does not match the IIS SSL certificate used for the server. Some communication works (although trust warnings can be found internally), but communication between the Mobile Management Site Services and the Management Platform server fails, because the Symantec Management Agent does not use the SSL certificate's name.
The IIS SSL certificate used for the Symantec Management Platform server should match the server's name. To see what name is currently being used, access the registry on the MMS site server at: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Servers, in the subkey for the specific server name. The "Web" setting is the field used by Mobile Management for MMS to NS communication.
To change this setting globally, in the Symantec Management Platform console, go to Settings > Agents/Plug-ins > Targeted Agent Settings. On the group for the Site Server, go to the "Advanced" tab and change the Server Name and Server Web to the name that matches the SSL certificate name.
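To check the name from the registry against the certificate the server actually presents, the following PowerShell can be run on the MMS site server. It is an added example, not Symantec's code. It assumes the "Web" value holds either a bare host name or an http(s) URL and that the server listens for TLS on port 443 unless the URL says otherwise; the function name Test-WebName is hypothetical.

```powershell
# Added example: reads each server subkey's "Web" value and reports whether
# the certificate served for that name matches it.
$root = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'   # path from the article

function Test-WebName {
    param([string]$HostName, [int]$Port = 443)
    $script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None
    # Diagnostic only: record the validation result and let the handshake finish
    # so the certificate can be inspected. No request is sent over the stream.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($src, $cert, $chain, $policyErrors)
        $script:tlsErrors = $policyErrors
        $true
    }
    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        New-Object PSObject -Property @{
            HostName     = $HostName
            CertSubject  = $ssl.RemoteCertificate.Subject
            NameMismatch = (($script:tlsErrors -band $mismatch) -ne 0)
            PolicyErrors = $script:tlsErrors
        }
    }
    catch   { Write-Warning "${HostName}:$Port - $($_.Exception.Message)" }
    finally { if ($tcp) { $tcp.Close() } }
}

foreach ($key in Get-ChildItem -Path $root) {
    $web = (Get-ItemProperty -Path $key.PSPath).Web
    if (-not $web) { continue }
    # Assumption: "Web" is either a bare host name or an http(s) URL.
    $uri = $web -as [Uri]
    if ($uri -and $uri.IsAbsoluteUri -and $uri.Host) {
        $name = $uri.Host
        $port = if ($uri.Scheme -eq 'https') { $uri.Port } else { 443 }
    } else { $name = $web; $port = 443 }
    Test-WebName -HostName $name -Port $port |
        Select-Object @{n='ServerKey';e={$key.PSChildName}}, HostName, CertSubject, NameMismatch, PolicyErrors
}
```

A NameMismatch of True for a server means the name in "Web" is not covered by the certificate, which is the condition the Server Name and Server Web change above corrects.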