The Altiris Agent Task Client is unable to register with the Task Server. The following error appears in the Agent log files:
Post to 'http://<server>/Altiris/ClientTaskServer/Register.aspx?resourceGuid=665fa4f6-59c5-4469-bb27-ee858859a7d3&lastResort=true' failed: HTTP error: 401 Unauthorized (-2147209951)
Verbose agent log files contain entries similar to the following:
HTTP/1.1 401 Unauthorized
Connection: close
Date: Mon, 15 Jun 16:39:08 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1861
This error can cause the Altiris Service and ACC accounts to lock out.
IIS anonymous authentication is either not enabled for the task server virtual directories, or the web server is being prevented from servicing anonymous requests by a user right option.
Note: Starting with the ITMS 8.1 release, Anonymous Authentication is set to Disabled under IIS Manager > Default Web Site > Altiris > ClientTaskServer. Authentication to this directory is expected.
The following two Microsoft tools (obtained as single downloads or from the IIS Resource Kit) can be used to determine where the problem lies within IIS:
AuthDiag and WFetch
For a web server to service anonymous requests, the IUSR account needs to be assigned the “Allow log on locally” user right (http://msdn.microsoft.com/en-us/library/ms955939.aspx). It has this right by default, but the right can be removed either through the server's Local Security Policy or by a GPO.
Agent Connectivity Credential is locked out.
Possible solutions to this problem.
Solution 1: Enable Anonymous access
The easiest resolution for this problem is to allow the IIS anonymous user access to the ClientTaskServer and TaskManagement web sites in IIS. To do this follow these steps
When the client machines request Register.aspx or any other task .aspx file, they should now authenticate as the anonymous user (if the logged-on user does not have NT rights).
Solution 2: Use Agent Connectivity Credentials - Specified user
This method lets you specify a user whose privileges are easy to manage, without the risk of breaking other components that rely on the anonymous IIS user.
The agent should now authenticate as the specified user to the .aspx pages. This can be verified by viewing the IIS logs on the server.
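One way to do the IIS log check mentioned above, as an added example (not part of the original article and not a vendor tool): it reads W3C-format IIS log lines, reports which identity each successful request to the task directories used, and lists clients whose 401 responses carry a credential-failure Win32 status. The sample log, account name, client addresses and the TaskManagement path match are constructed assumptions, and the cs-username, c-ip and sc-* fields are assumed to be enabled in IIS logging.

```python
from collections import Counter

TASK_DIRS = ("/clienttaskserver/", "/taskmanagement/")  # second path is an assumption
WIN32_HINTS = {1326: "logon failure (bad user name or password)",
               1909: "account locked out"}

# Constructed sample in IIS W3C extended format; account and addresses are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-15 16:39:07 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.21 401 2 2148074254
2024-01-15 16:39:08 POST /Altiris/ClientTaskServer/Register.aspx EXAMPLE\\svc-acc 10.0.0.21 200 0 0
2024-01-15 16:39:09 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.22 200 0 0
2024-01-15 16:39:10 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.23 401 1 1326
2024-01-15 16:39:11 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.23 401 1 1909
2024-01-15 16:39:12 GET /iisstart.htm - 10.0.0.21 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize(text):
    """Return (identities used by successful task requests, failing clients with hints)."""
    identities, failures = Counter(), {}
    for row in parse_w3c(text):
        if not any(d in row["cs-uri-stem"].lower() for d in TASK_DIRS):
            continue
        status = int(row["sc-status"])
        if status < 400:
            user = row["cs-username"]
            identities["anonymous" if user == "-" else user] += 1
        elif status == 401:
            code = int(row["sc-win32-status"])
            # Other 401s include the normal challenge legs of Negotiate/NTLM,
            # so only explicit credential failures are reported.
            if code in WIN32_HINTS:
                failures.setdefault(row["c-ip"], set()).add(WIN32_HINTS[code])
    return identities, failures

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Clients that appear in the failure list with "account locked out" point to the lockout condition described earlier rather than to the IIS authentication settings.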
Solution 3: Use Agent Connectivity Credentials - Application Credentials
This is the default setup after installation. Generally, if there are problems, you will need to troubleshoot why this does not work or pick another solution.
To configure the agent to use the application credentials
The agents will now access the .aspx pages using the application credentials.
Solution 4: If this is being caused by a user right issue
Have the IUSR account added back to the “Allow log on locally” user right.
Solution 5: ACC Lockout
Make sure the Agent Connectivity Account is not locked out.