Client machines are not able to register to an Internet Site Server: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)

Article ID: 275112


Products

IT Management Suite

Issue/Introduction

The customer migrated to a new SMP server.

After migrating and upgrading, they noticed that client machines could not register to their Internet Site Servers.

The agent logs showed the following entries:

Entry 1:

Operation 'CEM: Connect' failed. 
Protocol: HTTPS 
Original host: <siteserver>.example.net:443
Real host: <gatewayserver>.example.com:443
Path: / 
Connection id: 612.4576 
Communication profile id: {xxxxxxxx-2840-4D27-A86A-F12CFB2F92F3} 
Throttling: 0 0 0 
Error type: TLS Handshake error 
Error code: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331) 
Error note: Failed to create credentials object
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:30:02 AM, Tick Count: 73680328 (20:28:00.3280000), Size: 685 B
Process: AeXNSAgent.exe (4576), Thread ID: 16856, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation


Entry 2:

Task Server Connection: Failed to request 'https://<siteserver>.example.net:443/Altiris/ClientTaskServer/Register.aspx?lastResort=true&resTypeGuid={493435F7-3B17-4C4C-B07F-C23E7AB7781F}&sysType=Win64&version=8.6.4289&resourceGuid=0181849a-8403-4d77-bbdc-251d1c75983a&crc=00080006000010C1', error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:30:02 AM, Tick Count: 73680343 (20:28:00.3430000), Size: 635 B
Process: AeXNSAgent.exe (4576), Thread ID: 16856, Module: client task agent.dll
Priority: 2, Source: Client Task Agent

 

Entry 3:

Task Server Connection: Failed to register on Task Server '<siteserver>.example.net' over 'https', error: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331)
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:30:02 AM, Tick Count: 73680343 (20:28:00.3430000), Size: 444 B
Process: AeXNSAgent.exe (4576), Thread ID: 16856, Module: client task agent.dll
Priority: 2, Source: Client Task Agent

Environment

ITMS 8.x

Cause

Investigation showed that:
1. The Site Server Communication Profile did not have all the TLS version boxes checked, only TLS 1.0.
2. The client machines and Site Servers currently have TLS 1.1 and 1.2 enabled.

Resolution

Enable the proper TLS versions on the Site Server communication profile(s).

Try the following:
1. Go to Settings > All Settings > Agent/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication Profiles > Site Server Communication profiles.
2. For each of the affected Internet Site Servers, check the boxes for all the TLS versions that are enabled in your environment. Save the communication profile.



NOTE:
If those boxes were already checked, then try the following on each Internet Site Server:

Reference Microsoft article:  https://technet.microsoft.com/en-us/library/dn786418.aspx

This article indicates that you need to create a registry key for TLS version 1.1 and/or 1.2, depending on your desired protocol. While the article also references TLS 1.0, errors are not experienced when using 1.0.

As per the linked Microsoft article, on your SMP server, open the registry and do the following:

  1. Create the registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
  2. Create a new DWORD value of Enabled with a decimal value of 0.
  3. In a few circumstances this was found not to work. Upon further testing, it seems that the DWORD value should be: DisabledByDefault with a decimal value of 0.
  4. A server restart is required after making this change. After rebooting the SMP, clients should be able to connect without error.

To verify this, check that the following registry key exists:

  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    REG_DWORD value of: DisabledByDefault with a value of 0

Alternatively, you can use IIS Crypto (Nartac Software - IIS Crypto) to enable the desired TLS versions.
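
The registry verification described above, as an added PowerShell example that is not part of the original article: a read-only report of the Enabled and DisabledByDefault values under the Schannel Protocols key for TLS 1.0, 1.1 and 1.2, for both the Server and Client roles. The function names are hypothetical, and the State column follows Microsoft's Schannel registry documentation, in which Enabled = 0 switches a protocol off for that role.

```powershell
# Added example (not from the original article): read-only report of the
# Schannel protocol values that the registry steps above create or check.
# Function names are hypothetical. Run on the server being verified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelDword {
    param([string]$KeyPath, [string]$Name)
    # Returns the DWORD value, or $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    return (Get-Item -LiteralPath $KeyPath).GetValue($Name, $null)
}

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $key      = "$base\$proto\$role"
            $enabled  = Get-SchannelDword -KeyPath $key -Name 'Enabled'
            $disabled = Get-SchannelDword -KeyPath $key -Name 'DisabledByDefault'

            # Enabled = 0 switches the protocol off for that role.
            # A non-zero DisabledByDefault keeps it off unless an application asks for it.
            # With neither value present, the operating system default applies.
            if ($null -ne $enabled -and $enabled -eq 0) {
                $state = 'Disabled (Enabled = 0)'
            } elseif ($null -ne $disabled -and $disabled -ne 0) {
                $state = 'Off by default (DisabledByDefault set)'
            } elseif ($null -eq $enabled -and $null -eq $disabled) {
                $state = 'OS default (no registry override)'
            } else {
                $state = 'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                KeyExists         = Test-Path -LiteralPath $key
                Enabled           = $enabled
                DisabledByDefault = $disabled
                State             = $state
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

For the state the article verifies, the TLS 1.1 / Server row shows KeyExists True and DisabledByDefault 0.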



3. Go to the Internet Gateways, open the gateway UI, and under the Servers tab re-add the Internet Site Servers to the Servers list
4. Let the client machines get a new configuration by connecting to the VPN.

After that, the client machines should register without errors once they are back in CEM mode. Example log entries:

Task Server Connection: Attempting to register on Task Server '<siteserver>.example.net' using 'https://<siteserver>.example.net:443/Altiris/ClientTaskServer/Register.aspx'
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:46:29 AM, Tick Count: 74667984 (20:44:27.9840000), Size: 406 B
Process: AeXNSAgent.exe (4576), Thread ID: 31472, Module: client task agent.dll
Priority: 4, Source: Client Task Agent

 

Task Server Connection: Successfully registered on Task Server '<siteserver>.example.net' over 'https'
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:49:01 AM, Tick Count: 74819843 (20:46:59.8430000), Size: 339 B
Process: AeXNSAgent.exe (4576), Thread ID: 31472, Module: client task agent.dll
Priority: 4, Source: Client Task Agent

 

Core: Successfully registered with Task Server '<siteserver>.example.net', tickle port: 50124
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 2:49:01 AM, Tick Count: 74819875 (20:46:59.8750000), Size: 330 B
Process: AeXNSAgent.exe (4576), Thread ID: 31472, Module: client task agent.dll
Priority: 4, Source: Client Task Agent