Task Server Connection: Failed to register on Task Server over 'https', error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)

book

Article ID: 224632

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

You may notice that when an endpoint in your environment attempts to register to a site server, with task services installed, it is unable to do so over HTTPS (SSL).  However, if the communication profile in your environment allows for it, HTTP registration works without a problem.  You would also notice that the endpoints are registering over HTTP and not HTTPS. When you proactively research the issue and examine the agent logs located by default at C:\ProgramData\Symantec\Symantec Agent\Logs, you notice the following errors:

Warning:

Task Server Connection: Failed to register on Task Server 'NameOfTaskServer.FQDN' over 'https', error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)

Error:

<event date='09/21/2021 14:24:44.7270000 -04:00' severity='1' hostName='' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='13864' thread='6156' tickCount='1569421' >
  <![CDATA[Operation 'Direct: Head' failed. 
Protocol: HTTPS 
Host: :443 
Path: /Altiris/ClientTaskServer/Register.aspx 
Connection Id: 86.13864 
Communication profile Id: {AFF435B6-414B-4BD0-9230-1F2DFBBA6BE9} 
Throttling: 0 0 0 
Error type: HTTP error 
Error code: HTTP status 403: The client does not have sufficient access rights (0x8FA10193) 
Error note: Empty response content received 
Server HTTPS connection info: 
   Server certificate: 
      Serial number: 6 4b f2 e9 3b e8 50 39 6d 25 
      Thumbprint: 41 58 da 22 54 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm:  
   Hash length: 0 
   Key exchange algorithm: ECDH 
   Key length: 384]]>
</event>

 

Cause

The root cause at this time is unknown.  It could be possible that there were some TLS changes, which then caused the IIS HTTPS 443 binding to become corrupted.  In this particular case, we noticed that none of the TLS protocols were specified in the registry of the site server.  This is not necessarily a problem and is just one item we noticed during the troubleshooting of this error.

Environment

Release: 8.6

Component:  Task Server

Resolution

In this situation, we simply removed the HTTPS Port 443 binding on the site server, with task services installed, and then added it back.  Reset IIS and clients were immediately able to register over HTTPS.  It is important to verify that the certificates being used are set up correctly.  In this case, everything with certificates was OK and checked out.

To remove and add the bindings in IIS simply open IIS Manager and navigate down to the Default Web site.

On the right-hand side, click on Bindings.

Highlight the binding for HTTPS and choose remove.

Now click on Add, choose HTTPS, which will default to port 443.  Select the proper certificate and hit ok.

From an elevated command prompt, type in iisreset.