
Cloud Enabled Management clients are unable to communicate with SMP 7.5 SP1 on Windows Server 2012


Article ID: 162168


Products

IT Management Suite

Issue/Introduction

The Symantec Agent CEM Web Site does not pass requests and NSE data from the CEM Gateway to the SMP because of error 403: Access Denied on the NS 7.5 SP1 machine.

As a result, reports on the NS 7.5 SP1 server contain no data about the CEM Gateway.

For the same reason, clients in CEM mode are unable to communicate with the NS 7.5 SP1 server, because the CEM Web Site also rejects their requests and *.nse data.

Note: The problem does not occur when the same SMP 7.5 SP1 is installed on Windows Server 2008 R2 SP1 x64.

<event date='11/26/2014 13:49:53.2680000 +02:00' severity='1'
hostName='client' source='NetworkOperation' module='AeXNetComms.dll'
process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59270083' >
  <![CDATA[Operation 'Head' failed. 
Protocol: http 
Host: server.local 
Port: 443 
Path: /Altiris/NS/Agent/GetClientPolicies.aspx 
Http status: 403 
Secure: Yes 
Id: {F6BE15B5-23BC-43AB-A64C-5674359EEF10} 
Error type: HTTP error 
Error result: 0x80042D21 
Error code: 0 
Error note: HTTP status: 403 Forbidden. Empty response content received,
probably web server is not running or URL is invalid. In some cases Windows can
return response header with Content-Length field but with empty response payload 
Error message: Error 0x80042D21 (No description available)]]>
</event>
<event date='11/26/2014 13:49:53.2680000 +02:00' severity='1'
hostName='client' source='ConfigServer' module='AeXNSAgent.exe'
process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59270083' >
  <![CDATA[Policy request failed: HTTP status: 403 Forbidden. Empty response
content received, probably web server is not running or URL is invalid. In some
cases Windows can return response header with Content-Length field but with
empty response payload (0x80042D21)]]>
</event>


<event date='11/26/2014 13:49:57.4640000 +02:00' severity='1'
hostName='client' source='NetworkOperation' module='AeXNetComms.dll'
process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59274280' >
  <![CDATA[Operation 'Head' failed. 
Protocol: http 
Host: server.local 
Port: 443 
Path: /Altiris/NS/Agent/PostEvent.asp 
Http status: 0 
Secure: Yes 
Id: {74D24924-79A0-4D4B-997B-B4599FC7AC52} 
Error type: HTTP error 
Error result: 0x80042D24 
Error code: 0 
Error note: HttpRequest::ReadHeaders error. Bad SMP server version 
Error message: Error 0x80042D24 (No description available)]]>
</event>
<event date='11/26/2014 13:49:57.4800000 +02:00' severity='1'
hostName='client' source='ConfigServer' module='AeXNSAgent.exe'
process='AeXNSAgent.exe' pid='10084' thread='6328' tickCount='59274295' >
  <![CDATA[Failed to send basic inventory: HttpRequest::ReadHeaders error. Bad
SMP server version (0x80042D24)]]>
</event>


<event date='11/26/2014 13:50:02.7840000 +02:00' severity='1'
hostName='client' source='NetworkOperation' module='AeXNetComms.dll'
process='AeXNSAgent.exe' pid='10084' thread='8464' tickCount='59279599' >
  <![CDATA[Operation 'Head' failed. 
Protocol: http 
Host: server.local 
Port: 443 
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx 
Http status: 403 
Secure: Yes 
Id: {E3B3B87F-70A9-4E59-8880-CDDFA728C1BC} 
Error type: HTTP error 
Error result: 0x80042D21 
Error code: 0 
Error note: HTTP status: 403 Forbidden. Empty response content received,
probably web server is not running or URL is invalid. In some cases Windows can
return response header with Content-Length field but with empty response payload 
Error message: Error 0x80042D21 (No description available)]]>
</event>
<event date='11/26/2014 13:50:02.7840000 +02:00' severity='2'
hostName='client' source='Client Task Agent' module='client task
agent.dll' process='AeXNSAgent.exe' pid='10084' thread='8464' tickCount='59279599' >
  <![CDATA[Failed to call web interface by url
[https://server.local/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=6dc4e14b-fd41-45a2-870f-744378e892ee&shares=1],
error [0x80042D21, IDispatch error #11041].]]>
</event>


 

Cause

In this environment, a certificate that is not self-signed was placed in the Trusted Root Certification Authorities store, so Windows Server 2012 behaves exactly as the Microsoft documentation for 2012 describes:

"If the Trusted Root Certification Authorities store that was used contains a mix of Root (self-signed) and certification authority (CA) Issuer certificates, only the CA Issuer certificates will be sent to the server by default."

As specified in Microsoft KB article: http://support.microsoft.com/kb/2802568

Environment

SMP 7.5 SP1

SMP installed on Windows Server 2012

Resolution

Workaround:

Set the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002

Further details are available here:

https://technet.microsoft.com/en-us/library/hh831771.aspx
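
To confirm the cause described above before changing Schannel behaviour, the following PowerShell lists certificates in the machine Trusted Root store whose subject differs from their issuer and reports the current ClientAuthTrustMode value. It is an added example, not Symantec or Microsoft code; the function names are hypothetical, and it assumes an elevated PowerShell session on the SMP server.

```powershell
# Added example (not vendor code). Function names are hypothetical.
# Registry key taken from the workaround in this article.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-NonSelfSignedRootCert {
    # A root certificate is self-signed, so Subject equals Issuer.
    # Anything else in LocalMachine\Root is a CA issuer certificate,
    # which produces the "mix" quoted from the Microsoft documentation.
    # This compares names only; it does not verify signatures.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-ClientAuthTrustMode {
    # Returns $null when the value is absent (Schannel default applies).
    $p = Get-ItemProperty -Path $schannel -Name ClientAuthTrustMode `
                          -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.ClientAuthTrustMode
}

function Set-ClientAuthTrustModeWorkaround {
    # Applies the article's workaround (dword:00000002).
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($schannel, 'Set ClientAuthTrustMode = 2')) {
        New-ItemProperty -Path $schannel -Name ClientAuthTrustMode `
                         -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

# Report only; nothing is changed unless the Set- function is called.
$offending = @(Get-NonSelfSignedRootCert)
"Non-self-signed certificates in LocalMachine\Root: $($offending.Count)"
$offending | Format-List

$mode = Get-ClientAuthTrustMode
if ($null -eq $mode) {
    'ClientAuthTrustMode: not set (default)'
} else {
    "ClientAuthTrustMode: $mode"
}
```

Run `Set-ClientAuthTrustModeWorkaround -WhatIf` to preview the registry change. Record the certificates the report lists, since their presence in the root store is what triggers the behaviour on Windows Server 2012.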