The client and server cannot communicate. TLS version mismatch. Error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)

Article ID: 162386

Products

IT Management Suite

Issue/Introduction

After enabling TLS (Transport Layer Security) version 1.1 or 1.2, the clients in your environment become disconnected with the following error:

  • InitializeSecurityContext error while client handshake: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331).  If you revert to TLS 1.0, communication functions as normal.

Other possible errors:

  • Failed to initialize credentials, error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
  • Error note: Failed to create credentials object

Cause

In the communication profile, the appropriate TLS versions are not checked.

or

Transport Layer Security (TLS) is not completely enabled on the Symantec Management Platform (SMP) server. Agent and server must both have at least one TLS protocol version (and therefore one cipher suite) in common, or the Schannel handshake fails with 0x80090331. This is often caused by the agent's communication profile only having TLS 1.0 checked while the agent operating system only allows TLS 1.2, or by the server not offering TLS 1.1/1.2 at all.

Seen on Windows Server 2008 R2 and possibly Windows Server 2012, where TLS 1.1 and 1.2 are not offered by default on the server side.

Resolution

First, in the console, check the communication profile that the agent uses to connect and make sure the appropriate TLS versions are enabled.

If those were already checked, then:

Reference Microsoft article:  https://technet.microsoft.com/en-us/library/dn786418.aspx

You will notice that this article indicates that you need to create a registry key for TLS version 1.1 and/or 1.2, depending on the protocol version you want. While the article also references TLS 1.0, this error does not occur when using 1.0, because TLS 1.0 is already enabled by default on these operating systems.

As per the linked Microsoft article, on your SMP, open the registry and do the following:

  1. Create the registry key:  HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  (for TLS 1.2, use "TLS 1.2" in place of "TLS 1.1"; create both keys if both versions are wanted).
  2. Under that key, create a new DWORD value named Enabled with a decimal value of 1. Note that Enabled = 0 disables the protocol entirely and would make the problem worse.
  3. In a few circumstances, Enabled alone was found not to work. Upon further testing, the key also needs a DWORD value named DisabledByDefault with a decimal value of 0, so that Schannel offers the protocol version without the application having to request it explicitly.
  4. A server restart is required after making this change. After rebooting the SMP, clients should be able to connect without error.

To verify this, check that the following registry key exists with these values:

  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    REG_DWORD value Enabled with a value of 1
    REG_DWORD value DisabledByDefault with a value of 0
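The following PowerShell script is an added example and is not part of the original article or of the IT Management Suite product. It performs the registry steps above for TLS 1.1 and TLS 1.2 (Server role), reads the resulting Schannel state back, and, after the reboot, probes the SMP with one explicit TLS version at a time so you can see which versions actually negotiate rather than inferring it from agent errors. It assumes PowerShell 3.0 or later with .NET 4.5 or later (needed for the Tls11/Tls12 enum values), that the script runs elevated on the SMP, that the SMP listens for HTTPS on port 443, and that the hostname smp.example.internal is a placeholder you replace with your own server.

```powershell
# Added example: enable TLS 1.1/1.2 in Schannel on the SMP and verify the result.
# Assumptions: run elevated, PowerShell 3.0+, .NET 4.5+, HTTPS on 443, placeholder hostname.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    # Creates Protocols\<Protocol>\<Role> with Enabled=1 and DisabledByDefault=0.
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [ValidateSet('Server', 'Client')][string[]]$Role = @('Server')   # article only needs Server
    )
    foreach ($r in $Role) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $r
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 1 turns the protocol on (0 would turn it OFF).
        # DisabledByDefault = 0 lets Schannel offer it without the app asking for it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads the Server and Client keys for each protocol; absent values mean the OS default applies.
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($r in 'Server', 'Client') {
            $key  = Join-Path (Join-Path $SchannelProtocols $p) $r
            $item = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                KeyExists         = [bool]$item
                Enabled           = if ($item -and $null -ne $item.Enabled) { $item.Enabled } else { '(absent: OS default)' }
                DisabledByDefault = if ($item -and $null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { '(absent: OS default)' }
            }
        }
    }
}

function Test-TlsHandshake {
    # Opens one SslStream per protocol version, forcing exactly that version, and reports
    # whether the handshake succeeded. A FAILED row for TLS 1.1/1.2 after the reboot means
    # the server still does not offer that version (the 0x80090331 condition).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ComputerName, $Port)
            # Certificate validation is bypassed on purpose: this probe tests protocol
            # negotiation only, not trust. Never reuse this callback in production code.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{ Protocol = $proto; Result = 'OK'; Negotiated = $ssl.SslProtocol; Detail = $ssl.CipherAlgorithm }
            $ssl.Dispose()
        } catch {
            [pscustomobject]@{ Protocol = $proto; Result = 'FAILED'; Negotiated = $null; Detail = $_.Exception.GetBaseException().Message }
        } finally {
            $client.Dispose()
        }
    }
}

# Usage: apply the article's registry change, show the resulting state, then reboot.
Enable-SchannelProtocol -Protocol 'TLS 1.1'
Enable-SchannelProtocol -Protocol 'TLS 1.2'
Get-SchannelProtocolState | Format-Table -AutoSize

# After the reboot, run the probe from an agent machine (replace the placeholder hostname).
Test-TlsHandshake -ComputerName 'smp.example.internal' | Format-Table -AutoSize
```

The probe forces a single protocol version per connection, which is the cleanest way to reproduce what an agent restricted to TLS 1.2 does: if the Tls12 row reports FAILED while Tls reports OK, the server side is the problem and the registry values (or the missing reboot) are the first thing to check.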

 

Related Issues: 

CEM Clients receive connection error with TLS 1.1 or 1.2 but connect successfully with TLS 1.0

 

Additional Microsoft Forum posts with resolution possibilities:

https://forums.iis.net/t/1233122.aspx

https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin

https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates
