CEM Agent cannot update configuration, agent is not registered yet. Unable to generate new CEM agent installation package: Failed to generate package. Access is denied.
search cancel

CEM Agent cannot update configuration, agent is not registered yet. Unable to generate new CEM agent installation package: Failed to generate package. Access is denied.

book

Article ID: 173266

calendar_today

Updated On:

Products

Client Management Suite Server Management Suite

Issue/Introduction

You have Cloud Enabled Management (CEM) agents that are unable to register with the Notification Server (NS), or you are attempting to generate a CEM agent installation package and get a "Failed to generate package. Access is denied" error.

In this case we were attempting to test correcting the first issue by installing a new CEM agent to ensure the correct certificates were included and installed.

Initial agent warnings and errors:

Warning 1: CEM certificates response format is invalid

Warning 2: Failed to receive CEM certificates from https://itms01.domain.local:443/altiris/NS/Agent/GetClientCertificate.aspx in CEM mode, error: The data is invalid (0x8007000D)

Warning 3: Configure Server Mode: CEM mode was not initialized successfully, will retry

Warning 4: Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.

Errors (many) : CTAgent::GetAgentStatus(): CAtrsException exception, error: m_taskStatusCollector->GetTaskStatus failed, OS error: Invalid pointer (0x80004003), at line 1585

   Note the agent showed as connected to the NS in Agent Settings tab, but not registered to a Task Server in Task Status tab

 

Error seen on the NS when attempting to generate a CEM agent package:

Failed to generate agent package

Access is denied
   [Altiris.NS.Exceptions.AeXException @ Altiris.NS.StandardItems]
   at Altiris.NS.StandardItems.AgentManagement.CEMPackageRegistrator.BuildSitePackage(PackageMode mode, String siteIdentifier, IEnumerable`1 gateways, IEnumerable`1 resourceTargets, IEnumerable`1 organizationalGroups, String additionalInstallParams, DateTime requestedPackageExpiry, AgentPackageParameters packageParams, DateTime& packageExpiry, String& installXML)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.GenerateCEMPackage(AgentPackageParameters packageParams)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object sender, EventArgs e)

Exception logged from:
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.ReportPackageGenrationException(Exception)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object, EventArgs)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [DOMAIN\APPID], Auth [DOMAIN\APPID], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-3-131904958833856860]

HTTP [POST]: http://localhost/Altiris/NS/Admin/ClientManagement/IbcmAgentInstallationPackage.aspx
 ip: [127.0.0.1]; languages: [en-US]; content-length: [20053];
 response: [200 OK]; x-smp-nsversion: [8.1.4528.0];

Windows event logs - Security Logs on NS showed:

Account Name: <AppID Name>
Account Domain: <Domain Name>
Logon ID: <Login ID>

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {A8598ED0-C16A-42FF-B4FB-BC2CF542D248}
Key Type: Machine key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016

Environment

Issue seen on ITMS version 8.1 RU7 with the NS installed on a Windows 2012 R2 server.
Also, it could occur with ITMS 8.5.

Cause

The Application Identity (Altiris Service Account) did not have needed permissions on the folder ProgramData\Microsoft\Crypto\RSA\MachineKeys

Resolution

Follow below steps:

  1. Browse to the following location: C:\ProgramData\Microsoft\Crypto\RSA\
  2. Right click on 'MachineKeys' directory and select Properties.
  3. Select Security.
  4. Click Edit.
  5. Select Add.
  6. Give the Application Identity Account name.
  7. Assign, at minimum, the following:
    • Modify
    • Read & Execute
    • List folder contents
    •  Read
    • Write
  8. Click on Check Names and click OK.
  9. Click Apply and select Continue and click OK.

NOTE: After hitting apply, "Access Denied" errors may appear on as many as 5 subdirectories. This is normal in many situations, click accept.

Attachments

Powered by Wolken Software