Unable to register to task server.

book

Article ID: 169790

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server) Task Server

Issue/Introduction

After upgrading from 7.5 to 8.1, a task server no longer registers to itself or allows clients to connect.

Error code: HTTP status 401:  The request requires user authentication (0x8FA10191)
Error note: Authentication: Failed. Server refused to authenticate with provided credentials.

Cause

Site server is not part of domain.

Further details from the 8.1 SMP Release Notes in the known issues for Task Servers section: "In ITMS (IT Management Suite) 8.1, Anonymous Authentication is disabled for the ClientTaskServer website. That may lead to situation where client computer is not able to access Task Server. For example, if Notification Server and Task Server are in domain and configured under the domain user and the client computer is not in domain. You may need to set up the Agent Connectivity Credentials to let the client computers access the ClientTaskServer website."

Environment

SMP (Symantec Management Platform) and Task Server 8.1, RU1 and RU2 (Release Update).

Resolution

Workaround: Enable Anonymous Authentication to the ClientTaskServer virtual folder.

A fix is available in 8.1 RU4 version. To upgrade refer to http://www.symantec.com/docs/DOC10690

 

Note:
The use of ACC (Altiris Connectivity Credentials) can avoid the need of Anonymous Authentication that previously was needed, as well to avoid entries like "The remote server returned an error: (401) Unauthorized":

You have to add a "NOT" domain user as ACC account on the following places:

  1. Add a not domain user to "Global Agent Setting" under "Authentication tab>Agent Connectivity Credential" (under Settings>All Settings>Agents/Plug-ins>Symantec Management Agent>Settings).
    Note: ACC account could be any account you want, however, please remember that domain accounts will not be automatically created nor unlocked on Site Servers even if check-boxes on "Site Server Settings -> Global Site Server Settings" page are checked (see step 3 below about those settings). Those check-boxes apply only to local accounts. If they want to use any domain account, then they would need to manage it themselves."
  2. If you have different ACC accounts that need to be set for different set of machines, add the user and password to "The Agent Connectivity Credentials that are defined on the 'Global Agent Settings' page are selected" for your active communication profile for that specific set of machines (under Settings>Agents/Plug-ins>Symantec Management Agent Communication Profiles).
    Otherwise, the default value "Use default credentials" refers to the account used under 'Global Agent Settings' > 'Authentication' tab > 'Agent Connectivity Credential' page. You don't have to specify the account if it is the same as your 'Global Agent Settings'
  3. Set the flag "Create the Agent Connectivity Credential on Site Servers" and "re-enable the created local account if it has been locked out" in "Global Site Server Settings>Security Settings" (under Settings>Notification Server>Site Server Settings>Task Service). For more info in how this "Re-enable the created local account if it has been locked out", please see INFO5222 "How the "Re-enable the created local account if it has been locked out" setting works".
  4. Update the Agents configuration on all affected computers