Local clients cannot switch to Cloud-enabled Management mode


Article ID: 159225


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

When trying to convert internal existing clients to Cloud-enabled Management (CEM), the conversion fails even with CEM infrastructure in place. CEM communications work properly when installing new agents with an offline CEM package.

Existing clients communicate properly with the Notification Server (NS) over HTTPS and receive the CEM policy. However, when the clients are restarted and try to convert themselves to CEM, errors are generated in the agent logs.

All certificates are set up correctly both on the server and the gateway but the HKLM\Software\Altiris\Altiris Agent\Communications\ registry hive doesn't contain a certificate entry. Manually creating the entry does not help.

WARNING: Unexpected response from URL 'https://FQDN/Altiris/NS/Agent/GetClientCertificateMig.aspx': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)

Cause

The C:\Windows\System32\inetsrv\config\applicationHost.config file on the Notification Server is missing records for GetClientCertificate.aspx and GetClientCertificateMig.aspx for the Default Web Site (either one or both may be missing).

  • <key path="LM/W3SVC/1/ROOT/Altiris/NS/Agent/GetClientCertificateMig.aspx">
  • <location path="Default Web Site/Altiris/NS/Agent/GetClientCertificateMig.aspx">

Resolution

Open the applicationHost.config file from a working NS (one from your test environment, if available, or the example attached to this article), copy the complete entries that are missing, and add them manually to the applicationHost.config on your SMP. The entries to look for are the ones that reference GetClientCertificate.aspx and GetClientCertificateMig.aspx.

Some of the sections that you need to add may look like this:

<location path="Default Web Site/Altiris/NS/Agent/GetClientCertificate.aspx">
  <system.webServer>
    <handlers accessPolicy="Read, Script"/>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
      <authentication>
        <windowsAuthentication enabled="true"/>
        <clientCertificateMappingAuthentication enabled="false"/>
        <anonymousAuthentication enabled="true"/>
        <iisClientCertificateMappingAuthentication enabled="false"/>
        <digestAuthentication enabled="false"/>
        <basicAuthentication enabled="false"/>
      </authentication>
    </security>
  </system.webServer>
</location>

Restart IIS on the NS, then restart the SMA service on affected clients. Clients should now be able to convert to CEM and get certificates properly.
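
To see which entries are missing before editing the file, and to confirm they are present afterwards, the following PowerShell check can be run on the NS. It is an added example, not part of the original article or the product's tooling; the function name Get-CemCertPageEntry is hypothetical, and the script only reads the file. It lists every <location> and <key> element whose path ends in one of the two pages and reports the sslFlags value found on each <location>.

```powershell
# Added example: audit applicationHost.config for the two certificate-request pages.
# Run in an elevated 64-bit PowerShell session on the Notification Server
# (a 32-bit process is redirected away from System32 and reads a different file).
function Get-CemCertPageEntry {
    param(
        # Default is the path given in this article.
        [string]$ConfigPath = 'C:\Windows\System32\inetsrv\config\applicationHost.config'
    )

    $pages = 'GetClientCertificate.aspx', 'GetClientCertificateMig.aspx'

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)

    # Every <location> and <key> element that carries a path attribute.
    $nodes = @($xml.SelectNodes('//location[@path] | //key[@path]'))

    foreach ($page in $pages) {
        foreach ($element in 'location', 'key') {
            # -like is case-insensitive, so differences in path casing still match.
            $hits = @($nodes | Where-Object {
                $_.LocalName -eq $element -and
                $_.GetAttribute('path') -like "*/Altiris/NS/Agent/$page"
            })

            if ($hits.Count -eq 0) {
                [pscustomobject]@{ Page = $page; Element = $element; Status = 'MISSING'
                                   Path = $null; SslFlags = $null }
                continue
            }

            foreach ($hit in $hits) {
                # Only <location> entries carry the access/sslFlags setting.
                $access = $hit.SelectSingleNode('system.webServer/security/access')
                $flags  = if ($access) { $access.GetAttribute('sslFlags') } else { $null }
                [pscustomobject]@{ Page = $page; Element = $element; Status = 'present'
                                   Path = $hit.GetAttribute('path'); SslFlags = $flags }
            }
        }
    }
}

Get-CemCertPageEntry | Format-Table -AutoSize
```

Any row with Status MISSING corresponds to an entry that has to be copied from a working applicationHost.config as described above.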

Additional information

If the behavior persists, another potential cause is TECH216365.

Applies To

SMP 7.5+ (upgrade from 7.1)

 

Attachments

applicationHost.config