The customer is trying to run their "Initial Deployment" job on a set of new machines, but the job does not succeed.
The NS logs show:
Consider the following sequence of steps, which the customer has attempted multiple times with identical results (and the same GUID for the Computer object every time):
The agent communication profile also reports a problem with the "root certificate which is not trusted by the trust provider" on port 443; the agent does fall back to port 80 successfully.
DS 8.5 RU3
The SMP Server redirects the resource-creation call to the NS web service. Because the initial call to the DS web service was made over HTTPS, the call to the NS is also made over HTTPS, and that call fails with the error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel".
The cause was that the server name used in the call did not match any name in the NS web certificate (its Common Name or Subject Alternative Names), which .NET reports as "Certificate name mismatch".
To narrow down whether the certificate in use is the problem:
1. Use the script from this Stack Overflow post to enable .NET network tracing, substituting the WebRequest call for the URL that fails (here the NS CreateResource URL):
# Create a unique log file next to the script (fall back to the current directory when run interactively)
$id = [Environment]::TickCount
$logDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$fileName = Join-Path $logDir "Powershell_log_${id}.txt"

# Trace listeners: one writing to the log file, one echoing to the console
$listener1 = New-Object System.Diagnostics.TextWriterTraceListener -ArgumentList $fileName, "text_listener"
$listener2 = New-Object System.Diagnostics.ConsoleTraceListener
$listener2.Name = "console_listener"
[System.Diagnostics.Trace]::AutoFlush = $true
[System.Diagnostics.Trace]::Listeners.Add($listener1) | Out-Null
[System.Diagnostics.Trace]::Listeners.Add($listener2) | Out-Null

# Use reflection to enable the internal System.Net trace source and hook up the listeners
$logging = [System.Net.Sockets.Socket].Assembly.GetType("System.Net.Logging")
$flags = [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Static
$logging.GetField("s_LoggingEnabled", $flags).SetValue($null, $true)
$webTracing = $logging.GetProperty("Web", $flags)
$webTraceSource = [System.Diagnostics.TraceSource]$webTracing.GetValue($null, $null)
$webTraceSource.Switch.Level = [System.Diagnostics.SourceLevels]::Information
$webTraceSource.Listeners.Add($listener1) | Out-Null
$webTraceSource.Listeners.Add($listener2) | Out-Null

# Substitute the URL that fails for you; the SecureChannel lines in the log show why the certificate was rejected
[System.Diagnostics.Trace]::TraceInformation("About to do net stuff")
try {
    $wr = [System.Net.WebRequest]::Create("https://ns.ad.example.com:443/Altiris/NS/Agent/CreateResource.aspx")
    $response = $wr.GetResponse()
    $response.Close()
}
catch {
    # The exception is expected when the certificate is rejected; the trace has already recorded the reason
    [System.Diagnostics.Trace]::TraceError($_.Exception.Message)
}
finally {
    [System.Diagnostics.Trace]::TraceInformation("Finished doing net stuff")
    # Get rid of the listeners
    [System.Diagnostics.Trace]::Listeners.Clear()
    $webTraceSource.Listeners.Clear()
    $listener1.Dispose()
    $listener2.Dispose()
}
2. The resulting log file identifies the exact problem; the SecureChannel lines name the check that failed:
System.Net Information: 0 : [12808] SecureChannel#20268497 - Remote certificate has errors:
System.Net Information: 0 : [12808] SecureChannel#20268497 - Certificate name mismatch.
System.Net Information: 0 : [12808] SecureChannel#20268497 - Remote certificate was verified as invalid by the user.
System.Net Error: 0 : [12808] Exception in HttpWebRequest#47759218:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
The customer had issued a Notification Server web certificate in September 2019 with the Common Name itms.example.com and two Subject Alternative Names: itms.example.com and ns.example.com. The name used in the failing URL, ns.ad.example.com, was not among them.
The customer then issued and installed a new certificate with three SANs: itms.example.com and ns.example.com (as before) plus ns.ad.example.com (the name used in the URL), and added all three names to the agent communication profile.
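The mismatch described in the cause and fixed by the new certificate above can be checked directly from a Windows machine without the .NET tracing detour: retrieve the certificate the NS presents on port 443, list its CN and SAN DNS names, build the chain (the "root certificate not trusted" condition from the agent communication profile shows up there), and test whether the host name from the URL is covered. The following PowerShell is an added example and is not from the original article or from the product; the function names are mine, the URL is the one used in the article, and the "DNS Name=" prefix parsed from the SAN extension is the Windows CryptoAPI rendering produced by Windows PowerShell 5.1 (it is an assumption that your session uses that runtime).

```powershell
# Added example (not from the original article or the product): check whether the
# host name in the NS URL is covered by the certificate the NS presents on 443.
# Assumes Windows PowerShell 5.1 (SAN extension Format() output uses "DNS Name=").

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server sends: we only want to capture the certificate here;
        # the name and chain checks are done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = [System.Collections.Generic.List[string]]::new()
    # Common Name from the Subject
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names.Add($cn) }
    # id-ce-subjectAltName (2.5.29.17); Windows renders it as "DNS Name=a.example.com, DNS Name=b.example.com"
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names.Add($m.Groups[1].Value)
        }
    }
    return @($names | Select-Object -Unique)
}

function Get-ChainErrors {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $null = $chain.Build($Certificate)
    # Empty when the chain is trusted; otherwise e.g. UntrustedRoot or PartialChain
    return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($name in $Names) {
        if ($name -eq $HostName) { return $true }   # -eq is case-insensitive in PowerShell
        # Wildcard only as the whole left-most label: *.example.com matches ns.example.com, not ns.ad.example.com
        if ($name.StartsWith('*.') -and $HostName -match ('^[^.]+' + [regex]::Escape($name.Substring(1)) + '$')) {
            return $true
        }
    }
    return $false
}

# The URL from the article; substitute the one the agent or DS web service actually calls
$url = [uri]'https://ns.ad.example.com:443/Altiris/NS/Agent/CreateResource.aspx'
$cert = Get-RemoteCertificate -HostName $url.Host -Port $url.Port
$names = Get-CertificateDnsNames -Certificate $cert
$chainErrors = Get-ChainErrors -Certificate $cert

"Subject       : $($cert.Subject)"
"Names in cert : $($names -join ', ')"
"Chain status  : $(if ($chainErrors) { $chainErrors -join ', ' } else { 'trusted' })"
if (Test-HostNameMatch -HostName $url.Host -Names $names) {
    "OK: $($url.Host) is covered by the certificate"
} else {
    "MISMATCH: $($url.Host) is not in the CN or SAN list; .NET will report 'Certificate name mismatch'"
}
```

Run it once per name the agents and the DS web service use (the profile in this case carried three), since a certificate can be valid for one of them and still produce the mismatch for another; a non-empty chain status is a separate problem from the name check and corresponds to the untrusted-root message the agent communication profile was showing.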