While the customer is trying to set up Proxy Settings (under Settings > Notification Server > Notification Server Settings > Proxy tab), they receive the following error entry in the NS logs when testing the proxy settings:
Failed to access URL http://WWW.SYMANTEC.COM
The underlying connection was closed: An unexpected error occurred on a receive.
[System.Net.WebException @ System]
at System.Net.HttpWebRequest.GetResponse()
at Altiris.NS.UI.cfgProxySettings.TestProxy()
The client and server cannot communicate, because they do not possess a common algorithm
They are calling their proxy server with something like this:
http://corpproxy.example.com:8080
As far as the address goes, no SSL is involved in connecting to their proxy.
However, when the same settings are used to configure a Proxy Server in Symantec Installation Manager (SIM), it works just fine.
When reviewing the Event logs, we saw many messages like the following, pointing to problems with the TLS configuration:
Log Name: System
Source: Schannel
Date: 7/11/2019 1:40:01 PM
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36871</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T18:40:01.296118100Z" />
<EventRecordID>155421</EventRecordID>
<Correlation ActivityID="{840FC3BE-306C-0000-CCC3-0F846C30D501}" />
<Execution ProcessID="848" ThreadID="22648" />
<Channel>System</Channel>
<Computer>systemwv.example.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">client</Data>
<Data Name="ErrorState">10013</Data>
</EventData>
</Event>
Log Name: Application
Source: LogicBase.ServerExtensions.exe
Date: 7/11/2019 1:33:01 PM
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
....
<Data>System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
....
Failed to access URL http://www.symantec.com
The underlying connection was closed: An unexpected error occurred on a receive.
[System.Net.WebException @ System]
at System.Net.HttpWebRequest.GetResponse()
at Altiris.NS.UI.cfgProxySettings.TestProxy()
The client and server cannot communicate, because they do not possess a common algorithm
[System.ComponentModel.Win32Exception @ System]
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
Exception logged from:
at Altiris.NS.UI.cfgProxySettings.TestProxy()
at Altiris.NS.UI.cfgProxySettings.ProxySettingsHandler(Altiris.NS.UI.cfgProxySettings+eProxySettingsAction)
at Altiris.NS.UI.cfgProxySettings.ApplyClick()
at Altiris.NS.UI.cfgProxySettings.Page_Load(Object, EventArgs)
at System.Web.UI.Control.OnLoad(EventArgs)
at Altiris.NS.UI.Controls.PageCachePage.OnLoad(EventArgs)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus&)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
HTTP [POST]: https://MySMPserver.example.com/Altiris/NS/Admin/Configuration/cfgProxySettings.aspx
ip: [10.16.144.155]; languages: [en-US]; content-length: [7259];
response: [200 OK]; x-smp-nsversion: [8.5.4249.0];
-----------------------------------------------------------------------------------------------------
Date: 7/11/2019 12:30:50 PM, Tick Count: 839180437 (9.17:06:20.4370000), Size: 4.55 KB
Process: w3wp (35440), Thread ID: 385, Module: Altiris.Web.NS.dll
Priority: 1, Source: Altiris.NS.UI.cfgProxySettings.TestProxy
The cause was a TLS misconfiguration in the customer's environment. The customer was trying to enforce TLS 1.2 only: TLS 1.0 was disabled, but leaving TLS 1.1 enabled caused problems.
The errors in the Notification Server (NS) logs while trying to set up Proxy Settings referred to TLS issues:
The client and server cannot communicate, because they do not possess a common algorithm
In this particular instance, disabling TLS 1.1 across all Site Servers and the SMP resolved the issue.
See the following page (or search the Microsoft site) for a reference on how to disable TLS 1.1:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
This subkey controls the use of TLS 1.1.
For TLS 1.1 default settings, see Protocols in the TLS/SSL (Schannel SSP).
Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
To enable the TLS 1.1 protocol, create an Enabled entry in either the Client or Server subkey as described in the following table. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1.
TLS 1.1 subkey table

Subkey | Description
---|---
Client | Controls the use of TLS 1.1 on the TLS client.
Server | Controls the use of TLS 1.1 on the TLS server.
To disable TLS 1.1 for client or server, change the Enabled DWORD value to 0. If an SSPI app requests to use TLS 1.1, it will be denied.
To disable TLS 1.1 by default, create a DisabledByDefault entry and change the DWORD value to 1. If an SSPI app explicitly requests to use TLS 1.1, it may be negotiated.
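As an added example (not from the original article, Symantec or Microsoft), the following PowerShell audits the Schannel protocol keys described above and disables TLS 1.1 on the local host only after confirming TLS 1.2 is not explicitly disabled, so the NS is never left without a common protocol. It assumes only the key and value names from the Microsoft reference above; the function names are mine.

```powershell
# Added example: audit Schannel protocol keys, then disable TLS 1.1 safely.
# Run elevated on the SMP and every Site Server; reboot afterwards for Schannel
# to pick up the change.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client','Server')][string]$Side)
    $key = Join-Path $ProtocolsRoot "$Protocol\$Side"
    $enabled = $null; $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    # Absent values mean the OS default applies; Enabled=0 or DisabledByDefault=1 turns it off.
    [pscustomobject]@{
        Protocol           = $Protocol
        Side               = $Side
        Enabled            = $enabled
        DisabledByDefault  = $disabledByDefault
        ExplicitlyDisabled = ($enabled -eq 0) -or ($disabledByDefault -eq 1)
    }
}

function Disable-SchannelProtocol {
    param([string]$Protocol, [ValidateSet('Client','Server')][string]$Side)
    $key = Join-Path $ProtocolsRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Both values as in the Microsoft reference: Enabled=0 denies SSPI requests for the
    # protocol, DisabledByDefault=1 stops apps that do not ask explicitly from using it.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit first: show which protocols this host currently allows on each side.
$audit = foreach ($p in 'TLS 1.0','TLS 1.1','TLS 1.2') {
    foreach ($s in 'Client','Server') { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$audit | Format-Table -AutoSize

# Guard: never disable TLS 1.1 while TLS 1.2 is explicitly disabled on either side,
# otherwise the "no common algorithm" failure above would hit every connection.
$tls12Blocked = $audit | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.ExplicitlyDisabled }
if ($tls12Blocked) {
    Write-Warning 'TLS 1.2 is disabled on this host; enable it before turning off TLS 1.1.'
} else {
    foreach ($s in 'Client','Server') { Disable-SchannelProtocol -Protocol 'TLS 1.1' -Side $s }
    Write-Host 'TLS 1.1 disabled for Client and Server; reboot for Schannel to apply it.'
}
```

After the reboot, re-run the audit section and retest the proxy settings from the NS console; the Schannel 36871 events shown earlier should stop appearing once every SMP and Site Server agrees on TLS 1.2.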