search cancel

Exception was caught during WS accept: Altiris.NS.Exceptions.NSComException (0x80076004): Client certificate is not valid


Article ID: 202353


Updated On:


IT Management Suite


The customer started noticing the following message on his NS logs after he upgraded to 8.5 RU2 but he doesn't see an issue yet. 
"Exception was caught during WS accept: Altiris.NS.Exceptions.NSComException (0x80076004): Client certificate is not valid, cert[], socket[(guid=4f431e2e-e06c-4b62-b57b-6b97d38439bd, addr=, by=(addr=, acceptor)), state=Open].
   at Altiris.NS.AgentManagement.Communication.Sockets.NSCEMWebAgentSocket..ctor(Guid agentGuid, IPEndPoint remote, WebSocketContext context, HttpListenerContext httpContext, IAgentSocket acceptor)
   at Altiris.NS.AgentManagement.Communication.Sockets.NSCEMWebAgentSocketFactory.CreateWebAgentSocket(Guid agent, IPEndPoint remote, HttpListenerWebSocketContext wsCtx, HttpListenerContext httpCtx, WebAgentSocket acceptor)
   at Symantec.WebSockets.WebAgentSocket.<AcceptStart>d__94`1.MoveNext()


ITMS 8.5 RU2 and later.


In this particular case, the message refers to someone wants to connect to the CEM web socket on the SMP but does not provide any certificate. No more info available.  The machine with IP Address in this example cannot connect over persistent connection.

These log entries just refer to machines that could have an obsolete/invalid certificate or just can't connect with a persistent connection (but still be able to connect with the standard way).

If client with specified address is the SMP own agent, check what is happening with CEM configuration, like the SMP is added as a CEM agent by mistake for example.

Now, if the IP address mentioned in the logs refers to the internal Internet Gateway addresses, that could indicate that computer not in the CEM policy is trying to use the Internet Gateway to connect.


Also, the following GUID in the message:

[(guid=bf7d363e-a6b7-4db2-bc5f-95acdc5bae81, addr=, by=(addr=, acceptor)), state=Open].

This is an internal socket id, not a computer GUID. At that point only the IP address is known since this is connection establishment validation.