CEM agents unable to connect to Gateway or Task Server - 403 forbidden

Article ID: 161565

Products

IT Management Suite

Issue/Introduction

CEM agents can't connect to the network through the gateway. The agent reports "No connection could be made because the target machine actively refused it", and IIS on Server 2012 R2 returns 403.16 errors.

Client logs showed the following errors:

Operation 'Connect' failed.
Protocol: http
Host: SMP-W2K12-01.domain.com
Port: 443
Path: /
Http status: 0
Secure: Yes
Id: {87430CA0-3180-44F7-814A-783D62D44596}
Error type: Connection error
Error result: 0x8007274D
Error code: 0
Error note: SocketIOStrategySyncSelect::Connect error
Error message: No connection could be made because the target machine actively refused it
 

Operation 'Head' failed.
Protocol: http
Host: SMP-W2K12-01.domain.com
Port: 443
Path: /Altiris/NS/Agent/CreateResource.aspx
Http status: 403
Secure: Yes
Id: {A4047091-DF99-4D3D-8F6B-98F748FDC8B6}
Error type: HTTP error
Error result: 0x80042D21
Error code: 0
Error note: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload
Error message: Error 0x80042D21 (No description available)

Failed to send data to 'HTTPS://SMP-W2K12-01.domain.com:443/Altiris/NS/Agent/CreateResource.aspx?nsversion=1', error: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload (0x80042D21)

Configure Server Mode: Failed to receive server version from 'SMP-W2K12-01.domain.com '
 

Cause

Microsoft changed the default way that SSL works in Server 2012. See the following articles for information on how certificates are used in Windows 2012.

http://technet.microsoft.com/en-us/library/hh831771.aspx

http://support.microsoft.com/kb/2802568

 

Environment

ITMS 7.5 SP1 and later

SMP or Task server running on Windows 2012 R2 server

Wildcard certificates, self-signed or internal CA.

Resolution

You can try setting the registry values below to get Server 2012 to send the certificate trust list as it did in Server 2008. On the Notification Server or the Task Server, create the following registry key and the two values listed under it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Create: ClientAuthTrustMode = dword:2

Create: SendTrustedIssuerList = dword:1
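
One way to apply and verify these two values from an elevated PowerShell session, as an added example that is not part of the original article. It records the previous value of each setting so the change can be reverted; the script structure and variable names are assumptions.

```powershell
# Added example, not from the original article.
# Run elevated on the Notification Server or the Task Server.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Values named in the Resolution section of this article.
$wanted = [ordered]@{
    ClientAuthTrustMode   = 2
    SendTrustedIssuerList = 1
}

# Create the key if it does not exist yet.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

$report = foreach ($name in $wanted.Keys) {
    # Capture the existing value ($null if absent) for rollback notes.
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($before -ne $wanted[$name]) {
        # -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $wanted[$name] -Force | Out-Null
    }

    # Read the value back to confirm what is now stored.
    $after = (Get-ItemProperty -Path $key -Name $name).$name
    [pscustomobject]@{
        Name   = $name
        Before = if ($null -eq $before) { '(not set)' } else { $before }
        After  = $after
        Ok     = ($after -eq $wanted[$name])
    }
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    throw 'One or more Schannel values were not applied.'
}
```

Keep the printed Before column with the change record: restoring those values (or deleting a value that was "(not set)") returns the server to its prior Schannel behaviour.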