Error while enrolling clients, InternetGateWay and SiteServers

Article ID: 162053

Updated On:

Products

IT Management Suite

Issue/Introduction

Clients, Internet gateways and site servers fail to enroll with the SMP.

"6/3/2015 11:38:43 AM","Unable to get the server certificate response XML associated with the specified request (Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
   at Altiris.NS.Security.Cryptography.CertificateManager.GetCertificateAsPEM(X509Certificate2 certificate)
   at Altiris.Web.NS.Agent.GetServerCertificate.GetServerCertificateXml())
**CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.6.1383.0&language=en&module=jEOt10kGEE7SPU/YdqchkDEaaPxk41aqY+1MgKQyjzKuYEtz/sp6FXsAvE8WC2Uf&error=1173783352&build=**CEDUrlEnd**","Altiris.Web.NS.Agent.GetServerCertificate.GetServerCertificateXml","w3wp.exe","316","Errors"

"6/3/2015 11:19:06 AM","Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{493435F7-3B17-4C4C-B07F-C23E7AB7781F}"" name=""sing-fs01"">
<key name=""fqdn"" value=""siteserver.domain.com""/>
<key name=""name.domain"" value=""siteserver.domain""/>
<key name=""uniqueid"" value=""cv3rP3GSErc9unSydp53fw==""/>
<key name=""uniqueid"" value=""irkcecJk/V/dZMpQeAFrng==""/>
<regRequest publicKey=""AAAAAQABu0W2Yv9fdbghf3GIBwaYTscw......h6E7Ahhevw=="" certificateType=""siteserver"" resourceGuid=""{2C331CF1-DDC1-402D-9300-196724283D9B}"" fqdn=""siteserver.domain.com""/>
</resource>
, Exception: System.InvalidOperationException: Cannot issue certificates at this time because there is no registered master certificate with the specified name.
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, Boolean storePrivateKey)
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, TimeSpan issuingPeriod, Boolean storePrivateKey)
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName)
   at Altiris.NS.Security.Cryptography.AgentCertificateManager.IssueServerCertificate(Guid certID, Guid ResourceID, Guid parentID, String sScope, X500DistinguishedName subject, AsymmetricAlgorithm publicKey)
   at Altiris.NS.AgentManagement.AgentCertificateDistributer.DistributePermanentCertificateByTemporary(CertificateRequestData& requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetClientCertificate(CertificateRequestData& requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(String requestXml, Guid certID, Boolean bEncryptResponse, Boolean bAdminCall, Byte[]& encryptedData))
**CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.6.1383.0&language=en&module=n/VHGfYhVq3+uaqg4g94f9BZ1/Db7PAMK09Umt97LUTXlFHsjXESHvvraWzyl8s2&error=1184117990&build=**CEDUrlEnd**","Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process","w3wp.exe","273","Errors"

 

Cause

The SMP master CA certificates were deleted from the "Trusted CA store" on the Notification Server.

The Notification Server Certificate Authority certificate is a self-signed certificate that is generated during the installation of the Symantec Management Platform.
This certificate is stored in the Trusted Root store on the Symantec Management Platform and is used for signing child certificates.
The following certificates are signed by the Notification Server Certificate Authority certificate:
 ■ Site server certificate
 ■ Internet gateway agent certificate
 ■ Client certificate
 ■ Temporary certificates of Cloud-enabled agent offline installation package

Warning: Do not edit, replace, or delete the Notification Server Certificate Authority certificate. If this certificate is modified, the CEM stops functioning properly. A public copy of this certificate is also propagated to the site server, Internet gateway, CEM client computers, and to the CEM agent offline installation package.

Resolution

Restore the deleted certificates to the "Trusted CA store". These certificates are used internally by SMP for endpoint enrollment and are not related to any SSL connection initialization between SMP and endpoints.

These certificates are created only once, during the first installation of SMP. If you have no backup of the deleted certificates, the attached script recreates them:

  1. Run "c:\Program Files\Altiris\Notification Server\Bin>NScript.exe GenerateSMPmasterCA.cs"
    - Two pfx certificates will be generated in the same path where this command was run.
    - IMPORTANT: Make note of the 2 "thumbprint values"
  2. Open certificate store:
    - Open Run, type <mmc> and press Return
    - File, Add/remove Snap-in
    - Choose Certificates, on the pop-up window choose "Computer account", then click OK
  3. Expand "Trusted Root Certification Authorities", right-click the "Certificates" folder, and choose <All Tasks, Import>
  4. Change file type to "Personal Information Exchange (*.pfx;*.p12)"
  5. Browse to the created certificate and continue the import process by following the on-screen instructions.
  6. Repeat steps 3 to 5 for the second created certificate.
  7. Modify the registry keys below with the thumbprint values you noted in step 1:
    HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent\Thumbprint
    HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Server\Thumbprint
    NB: a backup in advance is recommended.
    • Warning: Do not copy the thumbprint from the certificate properties in MMC > Certificates. This may introduce Unicode characters that look identical, but the thumbprint will not match and the certificate will not be found. Either copy the thumbprint from the output of step 1 or type the thumbprint into the registry manually.
  8. IIS and the Altiris services might require a restart if the changes do not apply immediately.
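
A read-only check for steps 2 to 7, added here as an example and not part of the original article or of Symantec's tooling: it reads both registry thumbprints, lists any non-hex characters by code point (the copy/paste problem the warning describes), and confirms each value resolves to a certificate in the computer's Trusted Root store. It assumes "Thumbprint" is a string value under the CA\Agent and CA\Server keys; the function name is hypothetical.

```powershell
# Added example (not Symantec/Broadcom code). Run elevated on the Notification Server.
# Assumption: "Thumbprint" is a string value under the CA\Agent and CA\Server keys.
$caRoot = 'HKLM:\SOFTWARE\Altiris\eXpress\Notification Server\CA'

function Test-SmpCaThumbprint {              # hypothetical helper name
    param([Parameter(Mandatory)][ValidateSet('Agent', 'Server')][string]$Role)

    $raw = (Get-ItemProperty -Path "$caRoot\$Role" -Name Thumbprint -ErrorAction Stop).Thumbprint

    # List every character that is not a hex digit by code point, so invisible
    # characters picked up from a copy/paste become visible.
    $unexpected = @($raw.ToCharArray() |
        Where-Object { [string]$_ -notmatch '^[0-9A-Fa-f]$' } |
        ForEach-Object { 'U+{0:X4}' -f [int]$_ })

    # What the value should be: 40 hex digits (SHA-1 thumbprint), nothing else.
    $clean = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Look the cleaned thumbprint up in the computer's Trusted Root store (steps 2-6).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1

    [pscustomobject]@{
        Role            = $Role
        RegistryValue   = $clean
        UnexpectedChars = $unexpected -join ' '
        LengthOk        = ($clean.Length -eq 40)
        InTrustedRoot   = [bool]$cert
        # A CA that signs child certificates needs its private key (imported from the pfx).
        HasPrivateKey   = [bool]($cert -and $cert.HasPrivateKey)
        Subject         = if ($cert) { $cert.Subject } else { $null }
        NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$results = 'Agent', 'Server' | ForEach-Object { Test-SmpCaThumbprint -Role $_ }
$results | Format-List

# Fail loudly if either value is dirty or does not resolve to an imported CA.
if ($results | Where-Object { $_.UnexpectedChars -or -not $_.LengthOk -or -not $_.InTrustedRoot }) {
    Write-Error 'Thumbprint registry values do not match the imported CA certificates.'
}
```

A non-empty UnexpectedChars field means the registry value should be retyped or pasted again from the step 1 output.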

Attachments

GenerateSMPmasterCA.cs