Automation Agent Boots into Automation Environment and Nothing Happens. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)

Article ID: 233999


Products

Client Management Suite Deployment Solution

Issue/Introduction

When a remote computer is booted into an automation environment, everything seems to be working, but the agent just sits there and never runs any of the initial deployment jobs.  The first thing to review is the SMP.log file in the automation environment, which shows more detail on the HTTPS connection:

<event date='01/04/2022 12:31:36.5450000 -08:00' severity='8' hostName='<COMPNAME>' source='NetworkOperation' module='AeXNetComms.dll' process='PECTAgent.exe' pid='1236' thread='1232' tickCount='64859' >
<![CDATA[Operation 'Direct: Connect' failed.
Protocol: HTTPS
Host: :443
Path: /
Connection Id: 10.1236
Communication profile Id: {<Comm Profile ID Value>}
Throttling: 1 50 0
Error type: TLS Handshake error
Error code: A certificate chain processed, but terminated in a root certificate that is not trusted by the trust provider (0x800B0109)
Error note: '.org' server's certificate is not valid, the error was in element 2 of simple chain 0 (1 simple chains in total)
Server HTTPS connection info:
Server certificate:
Serial number: Serial Number Here
Thumbprint: Thumbprint here
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH
Key length: 256]]>
</event>

This issue may arise after updating the NS Website certificate on the SMP server.  The PFX file 'SSLCertificate_NS_80.pfx', located in \Program Files\Altiris\Notification Server\NSCap\Bin\Deployment\Certificates, has an old date.  This date still does not match the date of your NS Website Certificate after running the policy on the SMP server called "Installs the Extract SSL Certificate(x64)".

There is a policy on the SMP server called "Installs the Extract SSL Certificate(x64)", which is located at Settings\Agents/Plug-ins\Deployment\Windows (x64).  This software release is located on the SMP server at \Altiris\Notification Server\NSCap\bin\Deployment\Installs\Certificate\x64 and runs the command line 'DSPluginInstall64.exe exportcert'.  That command line will execute the VB script IISCertDeploy64, located in that same directory.  This will create two log files on the root of the C drive, called IISCertDeployVBS.txt and DSPluginInstall.log.  This policy will extract the NS Website Certificate to make it ready for automation agents communicating over HTTPS.

IISCertDeployVBS.txt shows:

###Creating virtual directory 'DeploymentCerts'
Checking for Altiris Web Site...
Reading Registry Keys...
CreateCertSite: strCertSitePath = F:\Program Files\Altiris
Notification Server\NSCap\bin\Deployment\Certificates
GetAltirisSite: NsWebSite from registry is 'Default Web Site'
the operation completed with error Error=0x8004100E
Error: Failed to create oWebAdmin

DSPluginInstall.log shows:  DSExportCert:: Child Process returned error=-2147217394

Researching these errors, it looks like something about WMI is damaged.  However, when you test WMI on the computer, you notice that everything seems to be in working order.

Environment

Deployment Solution 8.x

Client Management Suite 8.x

Cause

PFX file SSLCertificate_NS_80.pfx located in \Altiris\Notification Server\NSCap\Bin\Deployment\Certificates has a much older date than the NS Website Certificate you may have recently replaced.

Resolution

You can use the following VBS script to check if the issue is present on the SMP server.  For convenience, the script is also attached to this article.

' Checks whether the root\WebAdministration WMI namespace can be opened.
On Error Resume Next
Dim oWebAdmin
Set oWebAdmin = GetObject("winmgmts:root\WebAdministration")
If IsEmpty( oWebAdmin ) Or IsNull( oWebAdmin ) Or Err.Number <> 0 Then
    ' Binding failed: report the error description and the error code in hex.
    WScript.Echo("Failed to get 'winmgmts:root\WebAdministration' object" )
    If Len(Trim(Err.Description))>0 Then
        WScript.Echo(" Error=" & Trim(Err.Description) )
    End If
    If Err.Number <> 0 Then
        WScript.Echo(" Error=0x" & Hex(Err.Number) )
    End If
Else
    ' Binding succeeded: the namespace is available.
    WScript.Echo("Successfully got 'winmgmts:root\WebAdministration' object" )
End If

Save the script to a location of your choosing and open an elevated command prompt.  Run the script as follows:  cscript //nologo <path_to_the_script.vbs>

If everything is working correctly, the script prints "Successfully got 'winmgmts:root\WebAdministration' object".

If it fails, you have this issue, and it would seem that the IIS-ManagementScriptingTools feature is broken.

To resolve this issue, use the Roles and Features UI to uninstall IIS Management Scripts and Tools, reboot the SMP, and install it again.  Then run the script again to see if it returns a success.  If so, run the policy "Installs the Extract SSL Certificate(x64)"; the date of the PFX file located in \Altiris\Notification Server\NSCap\Bin\Deployment\Certificates should change.  At this point, you will want to recreate your preboot environments.
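
The SMP-side checks described above, collected as an added PowerShell example (not part of the original article and not vendor code).  Assumptions: it runs elevated on the SMP server, Web-Scripting-Tools is the Server Manager name for IIS Management Scripts and Tools, the NS website certificate is in the LocalMachine\My store, and the thumbprint and install root are placeholders to replace.

```powershell
# Added example, not from the original article. Run elevated on the SMP server.
param(
    # Assumption: Altiris install root (the article's log shows F:\Program Files\Altiris)
    [string]$AltirisRoot = "$env:ProgramFiles\Altiris",
    # Placeholder: thumbprint of the certificate currently bound to the NS website
    [string]$NsCertThumbprint = '<NS_WEBSITE_CERT_THUMBPRINT>'
)

# 1. DSPluginInstall.log records a signed 32-bit value. Formatting it as hex
#    shows it is the same code that IISCertDeployVBS.txt reports (0x8004100E).
$childExit = -2147217394
'DSExportCert child error {0} = 0x{0:X8}' -f $childExit

# 2. Is the WMI namespace the article's VBS check binds to present under root?
$ns = Get-CimInstance -Namespace root -ClassName __NAMESPACE `
        -Filter "Name='WebAdministration'" -ErrorAction SilentlyContinue

# 3. State of the IIS Management Scripts and Tools role service.
$feature = Get-WindowsFeature -Name Web-Scripting-Tools

# 4. Compare the exported PFX with the certificate now in use.
#    Heuristic (assumption): a PFX last written before the certificate's
#    NotBefore date cannot have been exported from that certificate.
$pfxPath = Join-Path $AltirisRoot `
    'Notification Server\NSCap\Bin\Deployment\Certificates\SSLCertificate_NS_80.pfx'
$pfx  = Get-Item -LiteralPath $pfxPath -ErrorAction SilentlyContinue
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $NsCertThumbprint

[pscustomobject]@{
    WebAdministrationNamespace = [bool]$ns
    ScriptingToolsInstalled    = $feature.Installed
    PfxLastWritten             = $pfx.LastWriteTime
    CertNotBefore              = $cert.NotBefore
    PfxOlderThanCert           = if ($pfx -and $cert) {
                                     $pfx.LastWriteTime -lt $cert.NotBefore
                                 } else { $null }
}
```

ScriptingToolsInstalled = True together with WebAdministrationNamespace = False matches the broken state this article describes; PfxOlderThanCert should turn False once the policy has exported the certificate again.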

Attachments

1644243958815__CheckIISManagementScriptingTools.vbs