
CEM Agent cannot update configuration, agent is not registered yet. Unable to generate new CEM agent installation package: Failed to generate package. Access is denied.


Article ID: 173266


Products

Client Management Suite, Server Management Suite

Issue/Introduction

You have Cloud Enabled Management (CEM) agents that are unable to register with the Notification Server (NS), or you are attempting to generate a CEM agent installation package and get a "Failed to generate package. Access is denied" error.

In this case, we were testing a fix for the first issue by installing a new CEM agent to ensure the correct certificates were included and installed.

Initial agent warnings and errors:

Warning 1: CEM certificates response format is invalid

Warning 2: Failed to receive CEM certificates from https://itms01.domain.local:443/altiris/NS/Agent/GetClientCertificate.aspx in CEM mode, error: The data is invalid (0x8007000D)

Warning 3: Configure Server Mode: CEM mode was not initialized successfully, will retry

Warning 4: Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.

Errors (many): CTAgent::GetAgentStatus(): CAtrsException exception, error: m_taskStatusCollector->GetTaskStatus failed, OS error: Invalid pointer (0x80004003), at line 1585

Note: The agent showed as connected to the NS in the Agent Settings tab, but not registered to a Task Server in the Task Status tab.

 

Error seen on the NS when attempting to generate a CEM agent package:

Failed to generate agent package

Access is denied
   [Altiris.NS.Exceptions.AeXException @ Altiris.NS.StandardItems]
   at Altiris.NS.StandardItems.AgentManagement.CEMPackageRegistrator.BuildSitePackage(PackageMode mode, String siteIdentifier, IEnumerable`1 gateways, IEnumerable`1 resourceTargets, IEnumerable`1 organizationalGroups, String additionalInstallParams, DateTime requestedPackageExpiry, AgentPackageParameters packageParams, DateTime& packageExpiry, String& installXML)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.GenerateCEMPackage(AgentPackageParameters packageParams)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object sender, EventArgs e)

Exception logged from:
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.ReportPackageGenrationException(Exception)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object, EventArgs)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [DOMAIN\APPID], Auth [DOMAIN\APPID], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-3-131904958833856860]

HTTP [POST]: http://localhost/Altiris/NS/Admin/ClientManagement/IbcmAgentInstallationPackage.aspx
 ip: [127.0.0.1]; languages: [en-US]; content-length: [20053];
 response: [200 OK]; x-smp-nsversion: [8.1.4528.0];

The Windows Security event log on the NS showed:

Account Name: <AppID Name>
Account Domain: <Domain Name>
Logon ID: <Login ID>

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {A8598ED0-C16A-42FF-B4FB-BC2CF542D248}
Key Type: Machine key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
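
To confirm this signature before changing any permissions, the following PowerShell parses the text of such an audit record and reports failed key operations. It is an added example, not part of the original article; the function name is hypothetical, and the sample record is constructed from the excerpt above with placeholder account values.

```powershell
# Added example (not from the article). Function name is hypothetical.
function Get-CryptoAuditFailure {
    param([Parameter(Mandatory)][string]$Message)

    # Collect every "Name: Value" pair; section headers have no value and are skipped.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(\S.*?)\s*$') {
            $fields[$Matches[1].Trim()] = $Matches[2]
        }
    }

    $code = $fields['Return Code']
    if (-not $code -or $code -eq '0x0') { return }   # success, or not a crypto record

    # 0x80090016 is NTE_BAD_KEYSET ("Keyset does not exist"), the code in this article.
    $meaning = if ($code -ieq '0x80090016') { 'NTE_BAD_KEYSET' } else { 'other failure' }

    [pscustomobject]@{
        Account    = '{0}\{1}' -f $fields['Account Domain'], $fields['Account Name']
        Provider   = $fields['Provider Name']
        KeyName    = $fields['Key Name']
        KeyType    = $fields['Key Type']
        Operation  = $fields['Operation']
        ReturnCode = $code
        Meaning    = $meaning
    }
}

# Constructed sample: the article's excerpt with placeholder account values.
$sample = @'
Account Name: APPID
Account Domain: DOMAIN
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Key Name: {A8598ED0-C16A-42FF-B4FB-BC2CF542D248}
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
'@
Get-CryptoAuditFailure -Message $sample

# Live use (assumption: these records are Security event ID 5061, which the article does not state):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5061} |
#       ForEach-Object { Get-CryptoAuditFailure -Message $_.Message }
```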

Cause

The Application Identity (Altiris Service Account) did not have the needed permissions on the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

Environment

This issue was seen on ITMS version 8.1 RU7 with the NS installed on a Windows 2012 R2 server.
It can also occur with ITMS 8.5.

Resolution

Follow the steps below:

  1. Browse to the following location: C:\ProgramData\Microsoft\Crypto\RSA\
  2. Right click on 'MachineKeys' directory and select Properties.
  3. Select Security.
  4. Click Edit.
  5. Select Add.
  6. Enter the Application Identity account name.
  7. Assign, at minimum, the following:
    • Modify
    • Read & Execute
    • List folder contents
    • Read
    • Write
  8. Click on Check Names and click OK.
  9. Click Apply and select Continue and click OK.

NOTE: After clicking Apply, "Access Denied" errors may appear on as many as 5 subdirectories. This is normal in many situations; click accept.
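
The same change can be checked and applied from an elevated PowerShell session on the NS. This script is an added example, not part of the original article: it reports whether the account already holds the rights from step 7 and only modifies the ACL when run with -Grant. The account name DOMAIN\APPID is a placeholder, and the function and parameter names are hypothetical.

```powershell
# Added example (not from the article): audit, and with -Grant apply, the
# step 7 rights on MachineKeys. 'DOMAIN\APPID' is a placeholder account.
param(
    [string]$Account = 'DOMAIN\APPID',
    [string]$Path    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Grant
)

# Modify already contains Read & Execute, List folder contents, Read and Write.
$needed = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-ExplicitRights {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # Union of the Allow ACEs that name the account directly. Rights held
    # through group membership are not expanded, and Deny ACEs are ignored.
    $granted = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and
            $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    return (($granted -band [int]$Rights) -eq [int]$Rights)
}

if (Test-ExplicitRights $Path $Account $needed) {
    "$Account already has Modify on $Path"
} elseif ($Grant) {
    # (OI)(CI)M = Modify on this folder, subfolders and files, the scope the
    # Security tab uses by default. /c continues on file errors.
    icacls $Path /grant "${Account}:(OI)(CI)M" /c
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls exit code $LASTEXITCODE" }
    "Modify present after change: $(Test-ExplicitRights $Path $Account $needed)"
} else {
    "$Account lacks Modify on $Path; re-run with -Grant to add it"
}
```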
