Getting warnings about Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.

Article ID: 174007

Products

IT Management Suite

Issue/Introduction

After migrating to a new SMP server (for example, from 8.1 RU7 on Windows Server 2008 to 8.5 RU1 on Windows Server 2016), the following warnings were noticed when most client computers tried to post their basic inventory:

Fail to handle action[action=60c00ef0-9dd9-4f52-bcf8-e4116a4470be, id=80c58c3f-4d23-4a77-a634-fa5ece2952bf, plugin=00000000-0000-0000-0000-000000000000, data=Symantec.WebSockets.AgentSocketStream, params=6] from agent[agentGuid=2040c5e5-4778-4d41-b6b7-d7741bb785ad, auth=True, connId=17ed3ec5-3002-449e-bb90-b48c14f9cd57, addr=10.10.26.58:55711, state=Opened]
System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.

Some other NS log entries also seem to be related:

Altiris.NS.Exceptions.NSComException: Agent is not trusted
Altiris.NS.Exceptions.NSComException: The access is forbidden for unmanaged resources
Altiris.NS.Exceptions.NSComException: The server is currently busy and will not process any client connection authentication requests.
Altiris.NS.Exceptions.NSComException: Agent connection is not authenticated
Altiris.NS.Exceptions.NSComException: The server is currently paused and will not process any client policy requests.
Altiris.NS.Exceptions.NSComException: The specified host resource must change its guid

 

Fail to handle action[action=60c00ef0-9dd9-4f52-bcf8-e4116a4470be, id=80c58c3f-4d23-4a77-a634-fa5ece2952bf, plugin=00000000-0000-0000-0000-000000000000, data=Symantec.WebSockets.AgentSocketStream, params=6] from agent[agentGuid=2040c5e5-4778-4d41-b6b7-d7741bb785ad, auth=True, connId=17ed3ec5-3002-449e-bb90-b48c14f9cd57, addr=10.10.26.58:55711, state=Opened]
System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.

   at Altiris.NS.Security.Cryptography.AsymmetricKeyEncryption.DecryptToMemoryStream(Byte[] data)
   at Altiris.NS.Security.Cryptography.AsymmetricKeyEncryption.DecryptToStreamWithNSKey(Byte[] data)
   at Altiris.NS.StandardItems.AgentManagement.Communication.Handlers.AgentActionNSEHandler.<Handle>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Symantec.AgentActions.Handlers.AgentActionHandler`2.<Handle>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Symantec.AgentActions.Handlers.AgentActionHandler`2.<Handle>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Altiris.NS.AgentManagement.Communication.Connections.NSAgentConnection.<HandleAction>d__33.MoveNext()
   --- End of inner exception stack trace ---
---> (Inner Exception #0) Altiris.NS.Exceptions.NSComException (0x80077009): Data decryption fails: The parameter is incorrect.

   at Altiris.NS.Security.Cryptography.AsymmetricKeyEncryption.DecryptToMemoryStream(Byte[] data)
   at Altiris.NS.Security.Cryptography.AsymmetricKeyEncryption.DecryptToStreamWithNSKey(Byte[] data)
   at Altiris.NS.StandardItems.AgentManagement.Communication.Handlers.AgentActionNSEHandler.<Handle>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Symantec.AgentActions.Handlers.AgentActionHandler`2.<Handle>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Symantec.AgentActions.Handlers.AgentActionHandler`2.<Handle>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Altiris.NS.AgentManagement.Communication.Connections.NSAgentConnection.<HandleAction>d__33.MoveNext()<---

-----------------------------------------------------------------------------------------------------
Date: 3/13/2019 12:10:05 PM, Tick Count: 5939562 (01:38:59.5620000), Size: 3.31 KB
Process: AeXSvc (3792), Thread ID: 93, Module: Altiris.NS.dll
Priority: 2, Source: AgentActions



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Failed obtain current web certificate for CEM web site.
-----------------------------------------------------------------------------------------------------
Date: 3/13/2019 12:10:07 PM, Tick Count: 5941265 (01:39:01.2650000), Size: 361 B
Process: AeXSvc (3792), Thread ID: 107, Module: Altiris.NS.StandardItems.dll
Priority: 1, Source: Altiris.NS.StandardItems.CertificateConfiguration.CEMDigitalCertificateChainBuilder.BuildChain

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

NegotiateCertificateRequest.Process() failed to get certificate chaing of agent web site.

Failed to locate certificates for web.
   [System.InvalidOperationException @ Altiris.NS]
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetAdditionalCertificates(String& sOutputXml)

Exception logged from:
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetAdditionalCertificates(String&)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse(String, Altiris.NS.AgentManagement.AgentCertificateDistributer+CertificateRequestData, System.Guid, Boolean, System.Security.Cryptography.X509Certificates.X509Certificate2&, System.Security.Cryptography.X509Certificates.X509Certificate2&)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(String, System.Guid, Boolean, Boolean, Byte[]&, System.Collections.Generic.Dictionary`2[System.String,System.Security.Cryptography.X509Certificates.X509Certificate2]&, Altiris.NS.AgentManagement.ICertificateDistributor)
   at Altiris.NS.StandardItems.AgentManagement.Communication.Handlers.AgentActionGetClientCertificateHandler.HandleImpl(Altiris.NS.AgentManagement.Communication.Connections.INSAgentConnection, Symantec.AgentActions.Actions.IAgentAction<String>, Boolean)
   at Symantec.AgentActions.Handlers.<Handle>d__5<T,TC>.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start<TStateMachine>(TStateMachine&)
   at Symantec.AgentActions.Handlers.AgentActionHandler<T,TC>.Handle(Symantec.AgentActions.Connections.IAgentConnection, Symantec.AgentActions.Actions.IAgentAction)
   at Altiris.NS.AgentManagement.Communication.Connections.NSAgentConnection+<HandleAction>d__33.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start<TStateMachine>(TStateMachine&)
   at Altiris.NS.AgentManagement.Communication.Connections.NSAgentConnection.HandleAction(Symantec.AgentActions.Actions.IAgentAction)
   at System.Threading.Tasks.Task<TResult>.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task&)
   at System.Threading.Tasks.Task.ExecuteEntry(Boolean)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()

-----------------------------------------------------------------------------------------------------
Date: 3/13/2019 12:10:07 PM, Tick Count: 5941281 (01:39:01.2810000), Size: 2.81 KB
Process: AeXSvc (3792), Thread ID: 107, Module: Altiris.NS.dll
Priority: 1, Source: Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetAdditionalCertificates

 

Cause

The affected client machines hold invalid certificates. The Symantec Management Agent encrypts NSEs with the NS public key, and the NS decrypts them with its private key. If the agent has the wrong NS key, the NS cannot decrypt the NSE and logs this error; the agent must re-sync its keys to clear it. Almost all of the warnings are generated by NSEs posted by the affected client machines.
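
Because the warnings come from the affected clients, the NS log itself can be used to list them. The following PowerShell is an added example, not Symantec/Broadcom code: it pairs each "Fail to handle action ... from agent[...]" line with a following "Data decryption fails" line and counts the hits per agent. The function name and the sample lines (GUIDs and addresses) are constructed for illustration.

```powershell
# Constructed sample lines in the format of the NS log entries quoted above.
# All GUIDs and addresses here are made up for illustration.
$sample = @(
  'Fail to handle action[action=aaaaaaaa-0000-0000-0000-000000000001, params=6] from agent[agentGuid=11111111-1111-1111-1111-111111111111, auth=True, addr=192.0.2.10:55711, state=Opened]'
  'System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.'
  '-----------------------------------------------------------------'
  'Fail to handle action[action=aaaaaaaa-0000-0000-0000-000000000002, params=6] from agent[agentGuid=22222222-2222-2222-2222-222222222222, auth=True, addr=192.0.2.20:50122, state=Opened]'
  'System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.'
  '-----------------------------------------------------------------'
  'Fail to handle action[action=aaaaaaaa-0000-0000-0000-000000000003, params=6] from agent[agentGuid=33333333-3333-3333-3333-333333333333, auth=True, addr=192.0.2.30:50900, state=Opened]'
  'System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Agent is not trusted'
  '-----------------------------------------------------------------'
  'Fail to handle action[action=aaaaaaaa-0000-0000-0000-000000000004, params=6] from agent[agentGuid=11111111-1111-1111-1111-111111111111, auth=True, addr=192.0.2.10:55790, state=Opened]'
  'System.AggregateException: One or more errors occurred. ---> Altiris.NS.Exceptions.NSComException: Data decryption fails: The parameter is incorrect.'
)

# Hypothetical helper: returns one row per agent that posted an NSE the NS could not decrypt.
function Get-DecryptFailureAgent {
    param([string[]]$Lines)

    $agentRx = 'from agent\[agentGuid=(?<guid>[0-9a-f-]{36}),.*?addr=(?<ip>[^:\]]+):\d+'
    $pending = $null

    $hits = foreach ($line in $Lines) {
        if ($line -match $agentRx) {
            # Remember which agent this log entry belongs to.
            $pending = [pscustomobject]@{ AgentGuid = $Matches.guid; Address = $Matches.ip }
        }
        elseif ($pending -and $line -match 'Data decryption fails') {
            $pending          # emit the agent once per failing entry
            $pending = $null
        }
        elseif ($line -match '^-{20,}') {
            $pending = $null  # entry separator: the entry had a different error
        }
    }

    $hits | Group-Object AgentGuid, Address | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'AgentGuid'; e = { $_.Group[0].AgentGuid } },
            @{ n = 'Address';   e = { $_.Group[0].Address } }
}

Get-DecryptFailureAgent -Lines $sample | Format-Table -AutoSize
```

For a real log, pass the lines of an exported NS log file with `Get-Content` instead of `$sample`.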

Environment

ITMS 8.x

Migration to a new SMP Server

Resolution

Verify that the proper certificates are shown in the Agent Communication profiles, in the Default Web Site and Symantec Agent site bindings, and that the client machines have those certificates under the Trusted Root Certificate store.

Note: Reinstalling the Symantec Management Agent seems to be the fastest way to get those certificates in place if the SMP has them in the Agent Communication profile and IIS site bindings.
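
The IIS binding and client store checks above can be scripted. The following PowerShell is an added example, not Symantec/Broadcom code, and the function names are hypothetical: the first function runs on the SMP server and lists the certificate behind every HTTPS binding in IIS, and the second runs on a client and reports which thumbprints are present in its Trusted Root store. It does not read the Agent Communication profiles, which still have to be compared in the SMP console.

```powershell
# Run on the SMP server (requires the IIS WebAdministration module).
# Lists the certificate bound to each HTTPS binding of every IIS site,
# so the Default Web Site and agent site bindings can be compared.
function Get-IisHttpsCertificate {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
            # Bindings normally reference the machine "My" store.
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
                     Where-Object Thumbprint -eq $b.certificateHash
            [pscustomobject]@{
                Site       = $site.Name
                Binding    = $b.bindingInformation
                Thumbprint = $b.certificateHash
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

# Run on a client machine: report whether each expected thumbprint
# is present in the local machine Trusted Root store.
function Test-TrustedRootCertificate {
    param([Parameter(Mandatory)][string[]]$Thumbprint)

    $root = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    foreach ($t in $Thumbprint) {
        [pscustomobject]@{
            Thumbprint    = $t
            InTrustedRoot = ($root -contains $t)   # -contains is case-insensitive
        }
    }
}

# On the SMP server:
#   Get-IisHttpsCertificate | Format-Table -AutoSize
# On a client, with the thumbprint(s) the client is expected to trust:
#   Test-TrustedRootCertificate -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
```

A binding whose Subject, Issuer and NotAfter columns come back empty points at a certificate that is no longer in the store the binding references.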