Unable to open the Software Portal while in CEM mode


Article ID: 277396


Updated On:

Products

IT Management Suite

Issue/Introduction

When trying to open the Software Portal page (agent system tray icon > right-click > Software Portal) while in CEM (Cloud-enabled Management) mode, the following error message appears in the internet browser:

This page isn't working
127.0.0.1 didn't send any data.
ERR_EMPTY_RESPONSE

The link it is trying to access looks something like this:

"http://127.0.0.1:59100/altiris/softwareportal/portal/?MachineGuid={xxxxxxxx-8D45-454B-xxxx-5C2xxxxxx21B}&MachineName=Laptop-64x12345&Platform=Win64"

The agent logs show entries like these:

Entry 1:

[26:OUT_LOC: 1114 -> 804, RECV: B4899425] SSL: Renegotiation is not supported, please check IIS binding's SSL parameters
-----------------------------------------------------------------------------------------------------
Date: 12/10/2023 5:02:21 PM, Tick Count: 282084203 (3.06:21:24.2030000), Size: 359 B
Process: AeXNSAgent.exe (3440), Thread ID: 17992, Module: AeXNetComms.dll
Priority: 1, Source: SMAIO.SSLProxy.Socket

 

Entry 2:

[26:OUT_LOC: 1114 -> 804, RECV: B4899425] Failed to decrypt SSL payload, error: The request is not supported (0x00000032)
-----------------------------------------------------------------------------------------------------
Date: 12/10/2023 5:02:21 PM, Tick Count: 282084218 (3.06:21:24.2180000), Size: 360 B
Process: AeXNSAgent.exe (3440), Thread ID: 17992, Module: AeXNetComms.dll
Priority: 1, Source: SMAIO.SSLProxy.Socket

Environment

ITMS 8.6, 8.7

Cause

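The SSL binding for port 4726 on the SMP Server has a wrong setting, which matches the "Renegotiation is not supported, please check IIS binding's SSL parameters" entry in the agent log. The following setting was "Disabled" when it is expected to be "Enabled":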

Negotiate Client Certificate : Disabled

Resolution

To validate whether it is the same issue, do the following:

  1. Open a command prompt as Administrator on the SMP Server and run the following command:

    netsh http show sslcert

    This command dumps the existing binding information. Find the entry for the binding you need, in this case port 4726.

    NOTE: Save the port, application ID (certificate reference), and certificate hash (certificate thumbprint) information somewhere (it will be required later).



    It should return something like this:

    IP:port                      : 0.0.0.0:443
        Certificate Hash             : xxxxxxxxx44d69938e2e90d6d
        Application ID               : {xxxxxxxxx-b022-59fc669b0914}
        Certificate Store Name       : My
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set
        Disable QUIC                 : Not Set
        Disable TLS1.2               : Not Set
        Disable TLS1.3               : Not Set
        Disable OCSP Stapling        : Not Set
        Disable Legacy TLS Versions  : Not Set

    IP:port                      : 0.0.0.0:4726
        Certificate Hash             : xxxxxxxxx44d69938e2e90d6d
        Application ID               : {xxxxxxxxx-b022-59fc669b0914}
        Certificate Store Name       : My
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled
        Disable HTTP2                : Not Set
        Disable QUIC                 : Not Set
        Disable TLS1.2               : Not Set
        Disable TLS1.3               : Not Set
        Disable OCSP Stapling        : Not Set
        Disable Legacy TLS Versions  : Not Set


  2. Remove the existing binding configuration for port 4726, e.g.:

    netsh http delete sslcert ipport=0.0.0.0:4726

  3. Add the binding for port 4726 back, this time with "Negotiate Client Certificate" set to "Enabled". To do so, set the "clientcertnegotiation" attribute to "enable", e.g.:

    netsh http add sslcert ipport=0.0.0.0:4726 certhash=xxxxxxxxx44d69938e2e90d6d appid={xxxxxxxxx-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable


    Important note! The "ipport", "certhash" and "appid" must be set to values obtained at step 1. If you are re-using the same certificate, the certhash will be the same. If you are replacing the certificate, please import the new certificate, then copy the certhash and use that when you are rebinding the certificate at the command line. The appid will be the same one that you gathered earlier.

    See:
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http

  4. Try again to open the Software Portal page while connected in CEM Mode. It should load as expected.
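
The check in step 1 and the commands for steps 2 and 3 can be derived from the dump itself. The PowerShell below is an added example, not part of the original article or of ITMS: it parses "netsh http show sslcert" output, finds the binding for port 4726, and prints the delete/add commands with that binding's own ipport, certhash and appid. The function names Get-SslBinding and Get-RebindCommand are hypothetical, the embedded dump is a constructed sample built from the article's redacted values, and English-language netsh output with "IP:port" bindings is assumed.

```powershell
# Constructed sample: trimmed `netsh http show sslcert` output using the article's redacted values.
# On the SMP Server use instead:  $text = netsh http show sslcert | Out-String
$text = @'
    IP:port                      : 0.0.0.0:443
        Certificate Hash             : xxxxxxxxx44d69938e2e90d6d
        Application ID               : {xxxxxxxxx-b022-59fc669b0914}
        Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:4726
        Certificate Hash             : xxxxxxxxx44d69938e2e90d6d
        Application ID               : {xxxxxxxxx-b022-59fc669b0914}
        Negotiate Client Certificate : Disabled
'@

function Get-SslBinding {
    # Split the dump into one hashtable per "IP:port" block, keyed by field name.
    param([string]$NetshOutput)
    $bindings = [System.Collections.Generic.List[hashtable]]::new()
    $current = $null
    foreach ($line in ($NetshOutput -split "`r?`n")) {
        # Field lines look like "Name : Value"; the name itself may contain ':' (IP:port).
        if ($line -notmatch '^\s*(.+?)\s+:\s+(.*)$') { continue }
        $name = $Matches[1]
        $value = $Matches[2].Trim()
        if ($name -eq 'IP:port') { $current = @{}; $bindings.Add($current) }
        if ($null -ne $current) { $current[$name] = $value }
    }
    return $bindings
}

function Get-RebindCommand {
    # Hypothetical helper: prints the step 2 and step 3 commands for review; it runs nothing.
    param([string]$NetshOutput, [int]$Port = 4726)
    foreach ($b in (Get-SslBinding $NetshOutput)) {
        if ($b['IP:port'] -notlike "*:$Port") { continue }
        if ($b['Negotiate Client Certificate'] -eq 'Enabled') {
            "# $($b['IP:port']): Negotiate Client Certificate already Enabled, nothing to do"
            continue
        }
        "netsh http delete sslcert ipport=$($b['IP:port'])"
        "netsh http add sslcert ipport=$($b['IP:port']) certhash=$($b['Certificate Hash']) " +
            "appid=$($b['Application ID']) sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable"
    }
}

Get-RebindCommand -NetshOutput $text
```

The printed commands are meant to be pasted into the elevated command prompt from step 1; if they are run from PowerShell instead, the appid value must be quoted because of its braces.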