search cancel

Clients fail to retrieve CEM permenant certificate.

book

Article ID: 163550

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Managed clients fail to retrieve CEM permenant certificate. While using CEM package works. "8/16/2016 3:34:29 AM","Unable to process request from: 10.10.10.123 /POST/8.0.2548.0 (The caller is unauthorized to request client certificate., 5)","GetClientCertificateMig","w3wp.exe","109","Verbose"

 

Environment

ITMS 7.5, 7.6, 8.0

Cause

"Default Web Site\Altiris\NS\Agent\GetClientCertificateMig.aspx" which is called by managed clients to download CEM permenant certificate validates the connection either via package access credentials or via client temporary certificate, the second option is used by CEM package, while the package access credential validation works for already managed clients.

If the page is called anonymously, or IIS requires SSL client certificate, the error message above will be displayed in SMP verbose logs.
NB. The page must be called via Altiris client using SSL

Resolution

- Open IIS logs and insure that the GetClientCertificateMig.aspx is called with credentials (package access credentials shall be visible just after the port)

- SSL settings for "Default Web Site\Altiris\NS\Agent" should be (Accept)

review C:\Windows\System32\inetsrv\config\ApplicationHost.config
this file should override the mentioned URL to force Windows authentication