
COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)


Article ID: 172710


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The customer has enabled only TLS 1.2, and it is the only version they want to use in their environment. FIPS is also enabled.
The Agent Communication Profile used for these new client machines (usually the default one) has only TLS 1.2 checked; the other two (1.0 and 1.1) are not.

If TLS 1.2 is the only box checked on the communication profile and a new machine is set up, those machines cannot communicate back.
If they check the box for TLS 1.0 (and not necessarily 1.1), those machines start talking just fine.

When this server tries to connect to the SMP for configuration requests or to send basic inventory, the following messages are displayed in the agent logs:

Request 'HTTPS://altirisapp01.domain.edu:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)

 

In the event logs of the machine that is not connecting, you may see the following entry:

Log Name:      System
Source:        Schannel
Date:          10/04/2015 9:21:17 AM
Event ID:      36871
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:     
Description:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Request 'HTTPS://altirisapp01.domain.edu:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 448 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Configure Server Mode: Failed to obtain the machine resource GUID, error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 408 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.
-----------------------------------------------------------------------------------------------------
Date: 10/15/2018 10:23:30 AM, Tick Count: 1024968312 (11.20:42:48.3120000), Size: 311 B
Process: AeXNSAgent.exe (5504), Thread ID: 620, Module: AeXNSAgent.exe
Priority: 2, Source: Agent
 

Cause

The Symantec Management Platform (SMP) is set to use FIPS. The Microsoft TechNet thread at "https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin" mentions that the following setting needs to be enabled:
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

Environment

ITMS 8.1, 8.5

Resolution

On the SMP:

  1. Check whether "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled:
  • In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
  • In Local Security Settings, expand Local Policies, and then click Security Options.
  • Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and see if it is set to Enabled.

On the machine that is not connecting:

  1. If the SMP has "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" enabled, then you need to enable it here as well.
  2. Restart the machine.
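
The checks above can also be scripted so that the SMP server and the agent machine are compared side by side. The following is an added example, not part of the original article or of the product. It reads the standard Windows registry locations for the FIPS policy and the Schannel client protocol settings, and lists recent occurrences of the Schannel event shown earlier. The function names are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the SMP server and
# on the agent machine, then compare the two outputs.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-FipsTlsState {
    # Registry value behind the "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" security option.
    $fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    $fipsText = if ($fips -eq 1) { 'Enabled' } else { 'Disabled' }

    $state = [ordered]@{ Computer = $env:COMPUTERNAME; FipsPolicy = $fipsText }

    # Schannel client-side protocol overrides; missing keys mean OS defaults.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $enabled  = Get-RegValue "$base\$proto\Client" 'Enabled'
        $disabled = Get-RegValue "$base\$proto\Client" 'DisabledByDefault'
        $text = if ($null -eq $enabled -and $null -eq $disabled) { 'OS default' }
                elseif ($enabled -eq 0 -or $disabled -eq 1) { 'Disabled' }
                else { 'Enabled' }
        $state["$proto client"] = $text
    }
    [pscustomobject]$state
}

function Get-SchannelCredentialErrors {
    # Event ID 36871 from source Schannel is the entry quoted in this article.
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-FipsTlsState | Format-List
Get-SchannelCredentialErrors | Format-List
```

A FipsPolicy value that differs between the SMP server and the agent machine is the mismatch this article describes.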