Error "Package server could not access own Web Site using HTTPS" on Package Servers with Windows Server 2012
Article ID: 163901

Products

IT Management Suite

Issue/Introduction

Symantec Management Agent (SMA) logs several messages as seen here:

Package server could not access own Web Site using HTTPS

NOTE: As far as functionality goes, the packages remain accessible on the Package Server itself and when requested by client machines. For example, the following URL returned the expected resources, showing that the packages are available over HTTPS:

https:///Altiris/PS/Share/pkggroup_%7B562664ad-792e-4b54-bce4-50a35096d58c%7D/%7B6D417916-467C-46A7-A870-6D86D9345B61%7D/cache

Environment

ITMS 8.x

Windows 2012 site servers

Cause

IIS tries to validate the root certificates and cannot find them in the certificate store.

In short, starting with Windows Server 2012, when validating the certificate chain of non-self-signed certificates, IIS searches the "Client Authentication Issuers" store.

Resolution

Changes to handle this situation (the Microsoft changes introduced in Windows Server 2012 and Windows 8) were first included in ITMS 8.0 HF5 and later.

The official suggestion from Microsoft is to remove all non-self-signed certificates from Trusted Root, as described here:

IIS may reject client certificate requests with HTTP 403.7 or 403.16 errors

The changes in SSL are described by Microsoft here:

What's New in TLS/SSL (Schannel SSP)

Actions to fix the problem:

Copy all the issuer certificates from your certificate chain to the "Client Authentication Issuers" store for Local Computer.

  • The "mmc.exe" console tool should be used for this.

When IIS bindings are already created, the system SSL records need to be modified to point to the correct store. Since the command-line tool does not support editing an existing binding, you'll need to recreate the system binding as described here:

  1. Get information about the existing binding (this command dumps all existing bindings; find the port that represents the desired binding):

    netsh http show sslcert

    NOTE: Save the port, application ID, and certificate thumbprint information somewhere (it will be required at step 3).

  2. Remove the existing binding configuration, e.g.:

    netsh http delete sslcert ipport=0.0.0.0:443

  3. Recreate the binding with the following commands:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=0b2261ebcbda378c69251942651c46e7cc73674a appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer

    Important note! The "ipport", "appid" and "certhash" must be set to the values obtained at step 1. If you are re-using the same certificate, the certhash will be the same. If you are replacing the certificate, import the new certificate first, then copy its certhash and use that when you rebind the certificate at the command line. The appid will be the same one that you gathered earlier.

    NOTE: No restarts are needed.
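The issuer-copy step and the three netsh steps above, automated as an added PowerShell example (this is not code from the article or from the ITMS product). It assumes an elevated session on the package server, that the binding to recreate is on 0.0.0.0:443, and that the bound certificate lives in the Local Computer "Personal" (My) store.

```powershell
# Added example, not part of the KB article. Run elevated on the package server.
# Assumption: the HTTPS binding to fix is on 0.0.0.0:443 (change $IpPort if not).
$IpPort = '0.0.0.0:443'

# Step 1: read the existing binding and keep its certhash and appid for the rebind.
$dump  = netsh http show sslcert "ipport=$IpPort"
$hash  = ($dump | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})').Matches[0].Groups[1].Value
$appId = ($dump | Select-String 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})').Matches[0].Groups[1].Value
if (-not $hash -or -not $appId) { throw "No SSL binding found for $IpPort" }
"Existing binding: certhash=$hash appid=$appId"

# Copy every issuer in the chain (everything above the leaf) into the Local Computer
# "Client Authentication Issuers" store, which is what IIS now searches on Server 2012.
$leaf  = Get-Item "Cert:\LocalMachine\My\$hash"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # building the chain only; no CRL/OCSP lookups
$null  = $chain.Build($leaf)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('ClientAuthIssuer', 'LocalMachine')
$store.Open('ReadWrite')
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $issuer = $element.Certificate
    if (-not $store.Certificates.Contains($issuer)) {
        $store.Add($issuer)
        "Added issuer to ClientAuthIssuer: $($issuer.Subject)"
    }
}
$store.Close()

# Steps 2 and 3: netsh cannot edit a binding in place, so delete it and recreate it
# with the same ipport, certhash and appid, now pointing validation at the new store.
netsh http delete sslcert "ipport=$IpPort"
netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$appId" "sslctlstorename=ClientAuthIssuer"

# Verify: the dump should now show "Ctl Store Name : ClientAuthIssuer" for this binding.
netsh http show sslcert "ipport=$IpPort"
```

The netsh arguments are quoted because the braces in the appid would otherwise be parsed by PowerShell rather than passed to netsh.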