A Package Server (Windows Server 2016) was found to be returning the following error in the Agent UI:
"Package Server is configured to publish HTTP(s) codebases, but it could not access its own Web site"
The agent logs showed the following error entry:
Package Server could not access own Web Site using HTTPS, although it is configured to serve it. The HTTPS requests from clients cannot be served. See logs for detailed failure reason. (health state: 0x00001321).
or
Could not access own HTTPS Web site 'https://SSmachine.domain.com:443/Altiris/PS/ConnectionTest.html', HTTPS requests from clients can fail, error: An existing connection was forcibly closed by the remote host (0x80072746)
When looking under the Package Server tab, we could see that it is able to publish UNC, HTTP and HTTPS codebases. Agent machines assigned to get packages from this Package Server are able to get the files while using the HTTPS link.
Error from the Agent log:
Package Server could not access own Web Site using HTTPS, although it is configured to serve it. The HTTPS requests from clients cannot be served. See logs for detailed failure reason. (health state: 0x00001321).
------------------------------
Date: 1/4/2019 12:08:22 PM, Tick Count: 73882093 (20:31:22.0930000), Size: 461 B
Process: AeXNSAgent.exe (7896), Thread ID: 7212, Module: AeXNSCPackageServer.dll
Priority: 1, Source: Package Server Agent
or
Could not access own HTTPS Web site 'https://SSmachine.domain.com:443/Altiris/PS/ConnectionTest.html', HTTPS requests from clients can fail, error: An existing connection was forcibly closed by the remote host (0x80072746)
-----------------------------------------------------------------------------------------------------
Date: 1/4/2019 12:08:22 PM, Tick Count: 73882093 (20:31:22.0930000), Size: 461 B
Process: AeXNSAgent.exe (7896), Thread ID: 7212, Module: AeXNSCPackageServer.dll
Priority: 1, Source: Package Server Agent
Error from System Event Log:
Log Name: System
Source: Schannel
Date: 1/4/2019 12:11:42 PM
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: SiteServer02.domain.com
Description:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36871</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T17:11:42.000048700Z" />
<EventRecordID>200712</EventRecordID>
<Correlation ActivityID="{1412B7BE-A3A4-0000-D2B8-1214A4A3D401}" />
<Execution ProcessID="644" ThreadID="4064" />
<Channel>System</Channel>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">client</Data>
<Data Name="ErrorState">10013</Data>
</EventData>
</Event>
ITMS 8.x
Windows Server 2012, 2016
The Agent Communication Profile for this Site Server was not properly configured. It was missing the proper certificate (none were assigned to it) and TLS was not set for the right version (it had TLS 1.0 selected when TLS 1.2 was the actual version in use).
Make sure that the Site Server and the Site Server Communication Profile are using the same TLS versions.
The following troubleshooting steps were used to resolve this issue and are presented to show how the root cause was narrowed down. The following issues were discovered:
Log Name: System
Source: Schannel
Date: 1/4/2019 12:11:42 PM
Event ID: 36871
...
Description:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Based on the "A fatal error occurred while creating a TLS client credential. The internal error state is 10013" entry, we realized that this system may be using TLS 1.2 as the default version for this Site Server but that it may not be configured properly. We checked the Site Server communication profile for this site server again (same location under Step 1 above) and it had only TLS 1.0 selected. We selected the other versions as well (1.1 and 1.2) and saved the change.
We then updated the agent configuration; the "Package Server could not access own Web Site using HTTPS" error stopped and the Package Server was able to access its own website.
Note: Since we changed the TLS versions allowed for this site server in the agent communication profile, we restarted the Altiris Client Task Data Loader and Altiris Object Host Service services on the Site Server to make sure Task Client-Server continued working and refreshed its connections. If you see other TLS/SChannel issues on Site Servers, we suggest adding the registry keys listed in:
170734 "Enabling TLS 1.2 for the ITMS Management Platform Environment"
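To check the TLS version mismatch described above directly on the Site Server, the following added example (not part of the original article or of ITMS) lists recent Schannel 36871 events, shows the Windows Schannel client protocol settings, and attempts a handshake with the Package Server's own site for each TLS version. It assumes Windows PowerShell 5.1 in an elevated session; the registry path is the standard Windows Schannel location and is not taken from the article or from KB 170734.

```powershell
# Added example, not from the original article. $Url is the self-test URL from
# the agent log above; substitute your own Package Server name.
$Url      = [uri]'https://SSmachine.domain.com:443/Altiris/PS/ConnectionTest.html'
$Base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Versions = [ordered]@{ 'TLS 1.0' = 'Tls'; 'TLS 1.1' = 'Tls11'; 'TLS 1.2' = 'Tls12' }

# 1. Recent Schannel 36871 events with their Type and ErrorState fields.
$found = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
                      -MaxEvents 10 -ErrorAction SilentlyContinue
$rows = foreach ($evt in $found) {
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Time = $evt.TimeCreated; Type = $data['Type']; ErrorState = $data['ErrorState'] }
}
$rows | Format-Table -AutoSize

# 2. Schannel client-side protocol settings. A missing key or value means the
#    Windows default for that OS version applies.
$settings = foreach ($name in $Versions.Keys) {
    $key = Join-Path $Base "$name\Client"
    $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        Protocol          = $name
        Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'default' }
        DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' }
    }
}
$settings | Format-Table -AutoSize

# 3. TLS handshake against the Package Server's own site, one version at a time.
#    Certificate validation is left on, so a certificate problem also shows up here.
foreach ($name in $Versions.Keys) {
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $tcp.Connect($Url.Host, $Url.Port)
        $ssl   = New-Object Net.Security.SslStream($tcp.GetStream())
        $proto = [Security.Authentication.SslProtocols]($Versions[$name])
        $ssl.AuthenticateAsClient($Url.Host, $null, $proto, $false)
        '{0}: handshake OK' -f $name
    } catch {
        '{0}: FAILED - {1}' -f $name, $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
}
```

Compare the versions that complete a handshake with the versions selected in the Site Server communication profile; the two sets should match.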