Unable to register Task Server over HTTPS. Getting: Failed to perform re-register. Forbidden.

Article ID: 170308

Products

Management Platform (Formerly known as Notification Server)
Task Server

Issue/Introduction

Site Server (running Task service) is failing to register with the SMP after switching to SSL. The Symantec Management Agent (Altiris Agent) connects via SSL with no issue.

With plain HTTP communication open to the SMP and Task Services, the Task Server registers without issue. After switching back to require SSL and resetting the agent, the Task Server fails to register.

Errors in the Site Server agent logs indicate the client has insufficient privileges to register:

Failed to perform re-register.
Forbidden

The agent logs show the following when the Task Server tries to register:

Entry 1:
Checking "http://Altiristest01.domain.net/Altiris/TaskManagement/ClientTask/Authenticate.aspx" with credentials domain: "domain" username: "adminaltiris"
-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769093 (2.14:42:49.0930000), Size: 473 B
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 4, Source: Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.CheckCredentials

Entry 2:
NotificationServerWebConnection.PostToNotificationServer()
The remote server returned an error: (403) Forbidden.
   [System.Net.WebException @ System]
   at System.Net.HttpWebRequest.GetResponse()
   at Altiris.DotNetLib.Helpers.AtrsHttpOps.Execute[T](Func`2 action, String url, ICredentials credentials, Boolean isPost, Int32 timeout)
   at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer(String url, ICredentials nsCredentials, NSWebConnectionBuildRequestStreamDelegate requestStreamDelegate, Int32 nMaxAttempts, Int32 nTimeout)

Exception logged from: 
   at Altiris.DotNetLib.Logging.AtrsLog.ExceptionMessage(String message, Exception exception)
   at Altiris.ClientTask.Server.Logging.NSAgentLog.ReportMessage(Severity severity, String moduleName, String source, Exception exception, String message, Object[] arguments)
   at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer(String url, ICredentials nsCredentials, NSWebConnectionBuildRequestStreamDelegate requestStreamDelegate, Int32 nMaxAttempts, Int32 nTimeout)
   at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.CheckCredentials(String clientTaskUrl, NetworkCredential credentials)
   at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.ValidateCredentials(String clientTaskUrl, NetworkCredential credentials)
   at Altiris.ClientTask.Server.ClientTaskServer.RegisterTaskServer(Version taskServerVersion)
   at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)
   at Altiris.ClientTask.Server.ClientTaskServer.ProcessRegistrationThreadProc()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()


-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769093 (2.14:42:49.0930000), Size: 2.42 KB
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 1, Source: Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.PostToNotificationServer

Entry 3:
Failed to perform re-register.
Forbidden

   [System.Web.HttpException @ Altiris.ClientTask.Server]
   at Altiris.ClientTask.Server.Communication.NotificationServerWebConnection.ValidateCredentials(String clientTaskUrl, NetworkCredential credentials)
   at Altiris.ClientTask.Server.ClientTaskServer.RegisterTaskServer(Version taskServerVersion)
   at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)

Exception logged from: 
   at Altiris.DotNetLib.Logging.AtrsLog.ExceptionMessage(String message, Exception exception)
   at Altiris.ClientTask.Server.Logging.NSAgentLog.ReportMessage(Severity severity, String moduleName, String source, Exception exception, String message, Object[] arguments)
   at Altiris.ClientTask.Server.ClientTaskServer.ReRegister(Version taskServerVersion)
   at Altiris.ClientTask.Server.ClientTaskServer.ProcessRegistrationThreadProc()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()


-----------------------------------------------------------------------------------------------------
Date: 10/15/2017 3:44:13 AM, Tick Count: 225769109 (2.14:42:49.1090000), Size: 1.61 KB
Process: AtrsHost.exe (7356), Thread ID: 8368, Module: AtrsHost.exe
Priority: 1, Source: Altiris.ClientTask.Server.ClientTaskServer.ReRegister

Cause

Microsoft changed the default way that SSL works with Windows Server 2012 (and Windows 10 as well). See the following articles for information on how certificates are used in Windows Server 2012.

http://technet.microsoft.com/en-us/library/hh831771.aspx

http://support.microsoft.com/kb/2802568

Environment

ITMS 7.6, 8.0, 8.1
Site Servers running on Windows Server 2012 and Windows 10

Resolution

  1. You can try setting the registry keys below to get Windows Server 2012 (or Windows 10) to send the certificate trust list like it did in Windows Server 2008.  On the SMP and Site Servers create the following registry keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    Create: ClientAuthTrustMode = dword:2

    Create: SendTrustedIssuerList = dword:1

  2. On the SMP, enable the Task Service advanced settings in the NS Console, following INFO3937.
  3. After the Task Service advanced settings are visible, under "Preferred hostname", add or modify the name so that it includes "https://".
  4. Go to the Site Server and request a new configuration on the agent.

Now the task server agent should be able to connect and register.
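
Step 1 can be applied and verified the same way on the SMP and on every Site Server with a short script. The following is an added example, not code from the original article or from the vendor; the key path and value names are those given in step 1, while the `-AuditOnly` switch and the report layout are assumptions of the example.

```powershell
# Added example: audit, and optionally set, the two SCHANNEL values from step 1.
# Run from an elevated PowerShell session on the SMP and on each Site Server.
# -AuditOnly (hypothetical switch of this example) reports without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$AuditOnly)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Values exactly as listed in the Resolution section.
$desired = [ordered]@{
    ClientAuthTrustMode   = 2
    SendTrustedIssuerList = 1
}

$results = foreach ($name in $desired.Keys) {
    # A missing value comes back as $null rather than raising an error.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $ok = ($null -ne $current) -and ($current -eq $desired[$name])

    if (-not $ok -and -not $AuditOnly -and
        $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD $($desired[$name])")) {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
        # Read the value back so the report reflects what is actually stored.
        $current = (Get-ItemProperty -Path $key -Name $name).$name
        $ok = $current -eq $desired[$name]
    }

    [pscustomobject]@{
        Name      = $name
        Current   = $current
        Desired   = $desired[$name]
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment job flag hosts that still differ.
if ($results.Compliant -contains $false) { exit 1 }
```

These are machine-wide Schannel settings, so record the previous values reported by an `-AuditOnly` run before changing them.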