search cancel

Failing to register to a task server due to multiple agent communication profiles for the same SMP server

book

Article ID: 175117

calendar_today

Updated On:

Products

IT Management Suite Client Management Suite

Issue/Introduction

The main issue is that the SMP can't register to a Task Server.
When looking at the issue and the NS logs showed the following (after enabling Task verbosity logging):


Entry 1
It shows that we are trying to reach the registration page:

CTaskServerNetCommsConnection::_CallMethod(): Posting to url [https://smpserver.domain.com:443/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?shares=1&resourceGuid=c28e81a3-db55-4ab0-b95f-12796fe27e2a&crc=0008000500001099].
-----------------------------------------------------------------------------------------------------


Entry 2:
Calling NS server endpoint 'https://smpserver.domain.com:443/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx', ID: {3C81AE14-C7C0-4988-BBB8-5DD3976A7A84}, registration ID: None
-----------------------------------------------------------------------------------------------------

Entry 3:
However, we failed to authenticate with the provided credentials:

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smpserver.domain.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 1193.5980
Communication profile Id: {C94E6833-9E8F-4227-A8AE-A8D072547ABA}
Throttling: 0 0 0
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication failed, server refused to authenticate with provided credentials
Server HTTPS connection info:
Server certificate:
Serial number: 13 00 00 0a 51 32 14 16 c9 fe 8a 02 be 00 00 00 00 0a 51
Thumbprint: 90 b8 0f 70 1d d4 a3 e7 64 4f d6 0e 2d b0 98 ca 04 cb d1 45
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH_P256
Key length: 256
-----------------------------------------------------------------------------------------------------


Looking at the IIS log, it showed that the agent on the SMP is not passing any credentials, just trying to authenticate anonimously:
2019-06-10 17:02:58 10.26.169.179 HEAD /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx shares=1&resourceGuid=c28e81a3-db55-4ab0-b95f-12796fe27e2a&crc=0008000500001099 443 - 10.26.169.179 - - 401 2 5 0
2019-06-10 17:02:58 10.26.169.179 HEAD /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx shares=1&resourceGuid=c28e81a3-db55-4ab0-b95f-12796fe27e2a&crc=0008000500001099 443 - 10.26.169.179 - - 401 1 3221225581 0


but any other machine they tried anominously and then with the proper account:
2019-06-10 00:17:40 10.26.169.179 HEAD /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx shares=1&resourceGuid=9a7a952d-c78b-4739-aefc-0a3ae3370146&crc=0008000500001099 443 - 10.20.70.77 - - 401 2 5 0
2019-06-10 00:17:40 10.26.169.179 HEAD /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx shares=1&resourceGuid=9a7a952d-c78b-4739-aefc-0a3ae3370146&crc=0008000500001099 443 domain\svcaltagent2 10.20.70.77 - - 200 0 0 78
2019-06-10 00:17:40 10.26.169.179 POST /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx shares=1&resourceGuid=9a7a952d-c78b-4739-aefc-0a3ae3370146&crc=0008000500001099 443 domain\svcaltagent2 10.20.70.77 - - 200 0 0 140

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smpserver.domain.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 1193.5980
Communication profile Id: {C94E6833-9E8F-4227-A8AE-A8D072547ABA}
Throttling: 0 0 0
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication failed, server refused to authenticate with provided credentials

Environment

ITMS 8.5

Cause

The customer is using ACC (Agent Connectivity Credentials) for connecting the agents. We noticed that the customer had 2 agent communication profiles for the SMP server: one with the server name (the default one created during initial installation) and one with the server alias. The alias communication profile was the one used by all the targeted agent policies.

There was a conflict between having 2 agent communication profiles for the same server.

Resolution

In order to address this issue:

  1. Use the default Notification Server Communication Profile under Settings>Agents/Plug-ins>Symantec Management Agent>Symantec Management Agent Communication profiles (meaning placing all the agent targeted policies to use this one). The default one is the one that has the little "altiris" yellow icon on it.

     
  2. Add the alias name used for your SMP into this default one rather than having another Agent Communication Profile for the same SMP.

Attachments