search cancel

'Access Denied' when Cloud enabled agents (or internal ones) try to access GetClientCertificates.aspx and GetClientCertificatesMig.aspx

book

Article ID: 163468

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Connections issues for Cloud-Enabled Management (CEM) agents not able to connect when no longer in the local intranet.

As well, new machine, either by installing it via Image or by pushing it, will not register back to the SMP. The Agent UI shows:
Failed to send basic inventory
Error: Cannot send the event, the event queue is blocked (0x80042B01)

 

The agent logs show errors like this one:

Operation 'Direct: Post' failed.
Protocol: HTTPS
Host: <
SMP Server FQDN>:443
Path: /altiris/NS/Agent/GetClientCertificateMig.aspx
Connection Id: 8.2704
Communication profile Id: {5BE9222A-2B4A-41D6-834F-DEFFC7A1F3AB}
Error type: SMP Server error
Error code: Access is denied (0x00000005)

Error 1:
Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
----------------------------------------------------------------------------

Date: 7/13/2016 4:03:52 PM, Tick Count: 18967537 (05:16:07.5370000), Size: 358 B
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer


Error 2:
Operation 'Direct: Post' failed. 
Protocol: HTTP 
Original Host: <SMP Server FQDN>:80
Real Host: <SMP Server FQDN>:80
Path: /Altiris/NS/Agent/GetClientCertificateMig.aspx 
Error type: SMP Server error 
Error code: Access is denied (0x00000005) 
Error note: HTTP Status 200: 200 OK


Warning 1:
Request
'HTTP://<SMP Server FQDN>:80/Altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1';
failed, COM error: Access is denied (0x80070005)
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer


Error 3:
Attempted CEM gateway certificate negotiation failed.
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer



Additional messages like these may be present when trace and verbose logging is enabled:

Entry 1:
Attempted CEM nsagent certificate negotiation failed.
...
Process: AeXNSAgent.exe (7008), Thread ID: 7560, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer



Entry 2:
Operation 'Direct: Post' failed. 
Protocol: HTTPS 
Host: <SMP Server FQDN>:443 
Path: /altiris/NS/Agent/GetClientCertificate.aspx 
Error type: SMP Server error 
Error code: Access is denied (0x00000005) 
Error note: HTTP Status 200: 200 OK 
Server HTTPS connection info: 
   Server certificate: 
      Serial number: <16 character certificate serial>
      Thumbprint: <40 character certificate thumbprint>
   Cryptographic protocol: TLS 1.0 
...
Process: AeXNSAgent.exe (7008), Thread ID: 7560, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

Cause

Misconfiguration in IIS for the GetClientCertificates.aspx and GetClientCertificatesMig.aspx and the expectation of a Client Agent Settings policy just for CEM agents.

The CEM agents do not have a dedicated client settings policy, as such, they were using the default client communications policy directing them to communicates with the SMP server directly instead of the CEM gateway server.

Environment

SMP 8.0 HF2 or later

Resolution

A) Verify the settings below matches with the correct values for the following pages:

Under IIS Manager:

  1. SERVERNAME>Sites>Symantec Agent>Altiris>NS>Agent>GetClientCertificate.aspx
    • Under Authentication, Anonymous Authentication is set to Status 'Enabled'
    • Under SSL Settings, 'Require SSL' is checked and Client Certificates is set to 'Require'
  2. SERVERNAME>Sites>Symantec Agent>Altiris>NS>Agent>GetClientCertificateMig.aspx
    • Under Authentication, Anonymous Authentication is set to Status 'Disabled'
    • Under SSL Settings, 'Require SSL' is checked and Client Certificates is set to 'Ignore'

B) Check that there is a Targeted Agent Settings for your CEM Clients that uses the proper Agent Communication Profile for port 443

NOTE: A similar issue created by the Offline CEM package installation can be found in TECH235782 

 

NOTE: In some instances put attention to what Website is trying to connect. If these machines are still connected to the internal network, check that these pages have the right settings under the Default Website:

Under IIS Manager:

  1. SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificate.aspx
  • Under Authentication, Anonymous Authentication is set to Status 'Enabled'
  • Under SSL Settings, 'Require SSL' is checked and Client Certificates is set to 'Require'
  1. SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificateMig.aspx
  • Under Authentication, Anonymous Authentication is set to Status 'Disabled'
  • Under SSL Settings, 'Require SSL' is unchecked and Client Certificates is set to 'Ignore'

 

If the error refers to something like this:

Operation 'Direct: Post' failed.
Protocol: HTTPS
Host: <SMP Server FQDN>:443
Path: /altiris/NS/Agent/GetClientCertificate.aspx

means that is trying to reach the Default Website, which uses port 443.

If you see:

Operation 'Direct: Post' failed.
Protocol: HTTPS
Host: <SMP Server FQDN>:4726
Path: /altiris/NS/Agent/GetClientCertificate.aspx

means that is trying to reach the Symantec Agent Website, which uses port 4726.