Symantec Management Agent, on the Notification Server, fails to connect to itself over https

Article ID: 161211

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The Symantec Management Agent on the Notification Server fails to connect to itself over https while using an alias name for the server, and the agent logs show 403 errors.

It was found that the console can be accessed using IE on the Notification Server over https with the alias name without getting the 403 errors, so the SSL certificate is not causing the issue. Client machines can also access the console, and their agents can communicate over https using the alias as well.

The issue was only happening with the agent on the NS.

 

NS Agent Logs:

[1] 9/24/2014 9:27:58 AM (AeXNSAgent.exe) NetworkOperation

Operation 'Get' failed. 

Protocol: http

Path: /Altiris/NS/Agent/GetPackageInfo.aspx 

Http status: 403 

Secure: Yes 

Id: {705052EE-2E8E-452F-98DA-6898ACCAC671} 

Error type: HTTP error 

Error result: 0x80042D21 

Error code: 0  

Error note: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload 

Error message: Error 0x80042D21 (No description available)
 
 
[1] 9/24/2014 9:27:58 AM (AeXNSAgent.exe) PackageDownload
Download package sources failed: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload (0x80042D21)
 
[1] 9/24/2014 9:27:58 AM (AeXNSAgent.exe) PackageDelivery
Error while downloading package: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload (0x80042D21)
 
 
IIS Logs on the NS:
 
2014-09-24 18:37:35 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/GetClientPolicies.aspx - 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 106 46
2014-09-24 18:37:35 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/ConnectionTest.asp - 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 102 46
2014-09-24 18:37:37 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/PostEvent.asp encrypted=1&priority=1&source=B3061900-1A66-4E24-BBC0-5B2A31AEE632 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 164 46
2014-09-24 18:37:37 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/ConnectionTest.asp - 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 102 46
 

Cause

IIS was blocking the agent because of the client certificate settings.

 

Environment

7.5 SP1 HF2 and later

Resolution

In IIS Manager on the Notification Server, we found that under 'Default Web Site --> Altiris --> SSL Settings' client certificates were set to "Accept". We changed this to "Ignore", and then the NS agent was able to connect to itself using https and the alias name.

See "Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors", which shows the exact errors we were getting in the IIS logs.
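To confirm the same condition from the IIS logs before changing the SSL setting, the entries can be filtered for client-certificate rejections. The following is an added example, not part of the original article or any Symantec tooling; the `#Fields` layout is an assumption inferred from the 22 columns of the log lines above, and the third sample entry is constructed.

```python
# Added example: flag IIS W3C log entries rejected for client-certificate reasons.
# Assumed column layout; it matches the 22 columns of the article's IIS log lines.
FIELDS = ("#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) "
          "cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes "
          "cs-bytes time-taken")

SAMPLE_LOG = "\n".join([
    FIELDS,
    # Two entries copied from the article: the agent on the NS calling its own server.
    "2014-09-24 18:37:35 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/GetClientPolicies.aspx - 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 106 46",
    "2014-09-24 18:37:35 W3SVC1 SRV-VA-DPLY01 10.10.25.86 HEAD /altiris/NS/Agent/ConnectionTest.asp - 443 - 10.10.25.86 HTTP/1.1 - - - smc.domain.com 403 16 2148204809 282 102 46",
    # Constructed entry: a remote client (address invented) that is served normally.
    "2014-09-24 18:37:40 W3SVC1 SRV-VA-DPLY01 10.10.25.86 POST /altiris/NS/Agent/GetClientPolicies.aspx - 443 - 10.10.25.40 HTTP/1.1 - - - smc.domain.com 200 0 0 512 300 31",
])

# IIS 403 substatus codes that relate to client certificates.
CERT_SUBSTATUS = {"7": "client certificate required",
                  "16": "client certificate untrusted or invalid"}

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed entries
                yield dict(zip(fields, values))

def cert_rejections(text):
    """Return the 403.7 / 403.16 entries with the details needed for triage."""
    hits = []
    for rec in parse_w3c(text):
        sub = rec.get("sc-substatus")
        if rec.get("sc-status") == "403" and sub in CERT_SUBSTATUS:
            hits.append({
                "uri": rec["cs-uri-stem"],
                "host": rec["cs-host"],
                "code": "403." + sub,
                "reason": CERT_SUBSTATUS[sub],
                # sc-win32-status is logged in decimal; hex is what error lookups use.
                "win32": "0x%08X" % int(rec["sc-win32-status"]),
                # True when the request came from the server's own address.
                "from_server_itself": rec["c-ip"] == rec["s-ip"],
            })
    return hits

if __name__ == "__main__":
    for hit in cert_rejections(SAMPLE_LOG):
        print(hit)
```

For the article's entries the decoded status is 0x800B0109, the Windows error CERT_E_UNTRUSTEDROOT, and every hit originates from the server's own address, which matches the symptom that only the agent on the NS was affected.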