
Unable to register to a Task Server if only TLS 1.2 is enabled

Article ID: 172653

Products

IT Management Suite Task Server

Issue/Introduction

The customer disabled TLS 1.0 and 1.1. After that, client machines and the Task Server itself can't register since TLS 1.2 is the only allowed protocol.

Messages like these are noticed while the client machine tries to register to the Task Server:

Entry 1:

Operation 'Direct: Post' failed. 
Protocol: HTTPS 
Host: TaskServwer01.domain.com:443 
Path: /Altiris/ClientTaskServer/Register.aspx 
Id: 8.5312 
Error type: Network error 
Error code: An established connection was aborted by the software in your host machine (10053) 
Error note: SocketIOStrategySyncSelect::Send error 
Server HTTPS connection info: 
   Server certificate: 
      Serial number: 07 15 9e 7a fc 9f b8 c5 bd b0 eb f2 db a1 05 b8 
      Thumbprint: bf 68 c7 4c b8 5f 40 10 b5 9d 83 dc ec 13 21 42 d3 63 0c 5f 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm: SHA384 
   Hash length: 384 
   Key exchange algorithm: ECDH_P521 
   Key length: 521
-----------------------------------------------------------------------------------------------------
Date: 10/8/2018 10:36:54 AM, Tick Count: 121945 (00:02:01.9450000), Size: 1.01 KB
Process: AeXNSAgent.exe (5312), Thread ID: 5604, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

 

Entry 2:

Failed to call web interface by url [https://TaskServer01.domain.com:443/Altiris/ClientTaskServer/Register.aspx?resourceGuid=e2b52c12-a215-44e8-aeea-f979e1ac7cf5&crc=0008000000000EB9], error [0x80072745, An established connection was aborted by the software in your host machine.].
-----------------------------------------------------------------------------------------------------
Date: 10/8/2018 10:36:54 AM, Tick Count: 121945 (00:02:01.9450000), Size: 530 B
Process: AeXNSAgent.exe (5312), Thread ID: 5604, Module: client task agent.dll
Priority: 2, Source: Client Task Agent

 

Entry 3:

Could not register using "https://TaskServer01.domain.com:443/Altiris/ClientTaskServer/Register.aspx"
-----------------------------------------------------------------------------------------------------
Date: 10/8/2018 10:36:54 AM, Tick Count: 121945 (00:02:01.9450000), Size: 350 B
Process: AeXNSAgent.exe (5312), Thread ID: 5604, Module: client task agent.dll
Priority: 2, Source: Client Task Agent

 

Entry 4:

An attempt to register on Task Server [TaskServer01.domain.com] over [https] completed with status [FAILED (may retry)].
-----------------------------------------------------------------------------------------------------
Date: 10/8/2018 10:36:54 AM, Tick Count: 121945 (00:02:01.9450000), Size: 369 B
Process: AeXNSAgent.exe (5312), Thread ID: 5604, Module: client task agent.dll
Priority: 4, Source: Client Task Agent

Environment

ITMS 7.6, 8.0, 8.1

Cause

This is a Microsoft configuration. There are certain places in the registry that sometimes need to be modified to force TLS 1.2 to be the only protocol in use.

See:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
https://support.microsoft.com/en-us/help/3155464/ms16-065-description-of-the-tls-ssl-protocol-information-disclosure-vu

Resolution

  1. Add (or modify if they already exist) the following registry values under the specified keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001 

     
  2. Restart the Symantec Management Agent service, Altiris Object Host Service and Altiris Client Task Service.
  3. Try to register the agent again.
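
The registry values from step 1 can be audited, and written where missing or wrong, with a script like the one below. It is an added example, not code from this article or from Microsoft; the function name Test-DotNetTlsSettings and its -Apply switch are hypothetical. Run it from an elevated 64-bit PowerShell session so the WOW6432Node paths are not redirected, then continue with steps 2 and 3.

```powershell
# Added example: audit (and optionally set) the .NET Framework TLS values from step 1.
# Test-DotNetTlsSettings and -Apply are hypothetical names chosen for this example.
function Test-DotNetTlsSettings {
    [CmdletBinding()]
    param([switch]$Apply)   # when present, write any missing or incorrect value

    # The four keys and two value names listed in the Resolution section.
    $keys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    )
    $names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

    foreach ($key in $keys) {
        foreach ($name in $names) {
            # $null means the key or the value does not exist yet.
            $current = $null
            if (Test-Path -LiteralPath $key) {
                $current = (Get-ItemProperty -LiteralPath $key -Name $name `
                            -ErrorAction SilentlyContinue).$name
            }
            $ok = ($current -eq 1)

            if (-not $ok -and $Apply) {
                # Create the key only if it is absent, so existing values are untouched.
                if (-not (Test-Path -LiteralPath $key)) {
                    New-Item -Path $key -Force | Out-Null
                }
                New-ItemProperty -LiteralPath $key -Name $name -Value 1 `
                    -PropertyType DWord -Force | Out-Null
                $current = 1
                $ok = $true
            }

            # One result row per key/value pair.
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $current
                Correct = $ok
            }
        }
    }
}

# Report only (no changes):
Test-DotNetTlsSettings | Format-Table -AutoSize
# Report and fix:  Test-DotNetTlsSettings -Apply | Format-Table -AutoSize
```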