Failing to register to a task server due to multiple agent communication profiles for the same SMP server
Article ID: 175117
Updated On:
Products
Issue/Introduction
The main issue is that the SMP can't register to a Task Server.
When looking at the issue and the NS logs showed the following (after enabling Task verbosity logging):
Entry 1
It shows that we are trying to reach the registration page:
CTaskServerNetCommsConnection:
------------------------------
Entry 2:
Calling NS server endpoint 'https://smpserver.yourdomain.com:443/Alt
------------------------------
Entry 3:
However, we failed to authenticate with the provided credentials:
Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smpserver.yourdomain.com:443
Path: /Altiris/TaskManagement/CTAgen
Connection Id: 1193.5980
Communication profile Id: {C94E6833-9E8F-4227-A8AE-A8D07
Throttling: 0 0 0
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication failed, server refused to authenticate with provided credentials
Server HTTPS connection info:
Server certificate:
Serial number: 13 00 00 0a 51 32 14 16 c9 fe 8a 02 be 00 00 00 00 0a 51
Thumbprint: 90 b8 0f 70 1d d4 a3 e7 64 4f d6 0e 2d b0 98 ca 04 cb d1 45
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH_P256
Key length: 256
------------------------------
Looking at the IIS log, it showed that the agent on the SMP is not passing any credentials, just trying to authenticate anonimously:
2019-06-10 17:02:58 <IP Address> HEAD /Altiris/TaskManagement/CTAgen
2019-06-10 17:02:58 <IP Address> HEAD /Altiris/TaskManagement/CTAgen
but any other machine they tried anonymously and then with the proper account:
2019-06-10 00:17:40 <IP Address> HEAD /Altiris/TaskManagement/CTAgen
2019-06-10 00:17:40 <IP Address> HEAD /Altiris/TaskManagement/CTAgen
2019-06-10 00:17:40 <IP Address> POST /Altiris/TaskManagement/CTAgen
Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smpserver.yourdomain.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 1193.5980
Communication profile Id: {C94E6833-9E8F-4227-A8AE-A8D072547ABA}
Throttling: 0 0 0
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication failed, server refused to authenticate with provided credentials
Environment
ITMS 8.5
Cause
The customer is using ACC (Agent Connectivity Credentials) for connecting the agents. We noticed that the customer had two agent communication profiles for the SMP server: one with the server name (the default one created during initial installation) and one with the server alias. The alias communication profile was the one used by all the targeted agent policies.
There was a conflict between having two agent communication profiles for the same server.
Resolution
In order to address this issue:
- Use the default Notification Server Communication Profile under Settings>Agents/Plug-ins>Symantec Management Agent>Symantec Management Agent Communication profiles (meaning placing all the agent targeted policies to use this one). The default one is the one that has the little "altiris" yellow icon on it.
- Add the alias name used for your SMP into this default one rather than having another Agent Communication Profile for the same SMP.
Feedback
