Log warning entries like the following are seen in the NS logs (c:\programdata\symantec\smp\logs):
Entry 1:
Certificate worker call rejected from: 192.168.x.xxx:52866, certificate is not trusted
-----------------------------------------------------------------------------------------------------
Date: 10/4/2024 8:54:55 AM, Tick Count: 64176781 (17:49:36.7810000), Size: 311 B
Process: AeXSvc (8436), Thread ID: 59, Module: Altiris.NS.dll
Priority: 2, Source: AgentCertificateDistributer
Entry 2:
Failed to handle action: 'Authenticate' (xxxxxxx-79b0-423e-bb27-xxxxxxxxxx), act-id=xxxxxxx-ab60-4467-b6ee-xxxxxxx, plugin=0x0, data=byte[272], params=3,
from: agent=00000000-0000-0000-0000-000000000000, auth=False, addr=192.168.x.xxx:52866 (Opened), conn-id=xxxxxx-83f2-4bf7-95a0-xxxxxxx, age=00:00:00.0780996,
to: Altiris.NS.StandardItems.AgentManagement.Communication.Handlers.AgentActionAuthenticationHandler,
total errors: 123,051 (4 e/s)
One or more errors occurred.
[AggregateException]
Client certificate is not valid, cert[xxxxxxxxxxE9808EA400EA6F7FB71910 : xxxxxxxxxxxx39B2E3F7439DF35156E01CAFD], connection[agent=00000000-0000-0000-0000-000000000000, auth=False, addr=192.168.x.xxx:52866 (Opened), conn-id=xxxxxx-83f2-4bf7-95a0-xxxxxxxx, age=00:00:00.0780996].
[NSComException @ Altiris.NS.dll]
at Altiris.NS.AgentManagement.Communication.Handlers.NSAgentActionHandler<>.ValidateCEM(INSAgentConnection, IAgentAction<T>)
at System.Threading.Tasks.ContinuationResultTaskFromTask<>.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task)
at Altiris.NS.AgentManagement.Communication.Handlers.Altiris.NS.AgentManagement.Communication.Handlers.NSAgentActionHandler<>+<Validate>d__10<>.MoveNext()
COM Exception errcode: 0x80076004
Exception logged from:
at Altiris.Diagnostics.Logging.EventLog.ReportException(int, string, string, Exception, string)
at Altiris.NS.AgentManagement.Communication.Handlers.NSAgentActionHandler<>.HandleException(IAgentConnection, IAgentAction, Exception)
at System.Threading.Tasks.ContinuationResultTaskFromTask<>.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext, ContextCallback, object, bool)
at System.Threading.ExecutionContext.Run(ExecutionContext, ContextCallback, object, bool)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(ref Task)
at System.Threading.Tasks.Task.ExecuteEntry(bool)
at System.Threading.ThreadPoolWorkQueue.Dispatch()
-----------------------------------------------------------------------------------------------------
Date: 10/4/2024 8:54:55 AM, Tick Count: 64176781 (17:49:36.7810000), Size: 2.46 KB
Process: AeXSvc (8436), Thread ID: 59, Module: Altiris.NS.dll
Priority: 2, Source: NSAgentActionHandler.HandleException
Entry 3:
Failed validation of certificate by request: '192.168.x.xxx' (serial: xxxxxxxxxxx13E35295DCB6DC2467CD719, thumbprint: xxxxxxxxxxD413E35295DCB6DC2467CD719):
Thumbprint 'xxxxxxxxxxx48D413E35295DCB6DC2467CD719' Serial 'xxxxxxxxxxxx8291A9A8D1E2A1A3A5D6202' Issuer 'CN=SMPSERVER.Example.com Agent CA' Subject 'CN=ComputABC.example.com'
Message logged from:
at Altiris.Diagnostics.Logging.EventLog.ReportException(int, string, string, Exception, string)
at Altiris.NS.AgentManagement.AgentCertificateDistributer.ReportFailedCertificateValidation(object, X509Certificate2, int, int)
at Altiris.NS.Logging.ThrottledLogAction<,>.Execute(T, TK, int)
at Altiris.NS.AgentManagement.AgentCertificateDistributer.ValidateIncomingRequest(HttpRequestData, bool, bool, Guid, out AgentRequestType, out Guid, out bool)
at Altiris.NS.AgentManagement.AgentCertificateDistributer.ValidateCertificateForWorkerCall(HttpRequestData, out Guid)
at Altiris.NS.WebHandlers.AltirisHttpHandlerBase<>.ValidateRequestValues(HttpContext, T)
at Altiris.Web.NS.Agent.PostEventHandler.ValidateRequestValues(HttpContext, PostEventHandlerData)
at Altiris.NS.WebHandlers.AltirisHttpHandlerBase<>.ProcessRequest(HttpContext, T, int)
at Altiris.NS.WebHandlers.AltirisHttpHandlerBase<>.ProcessRequest(HttpContext)
at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep, ref bool)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest, HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, int)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, int)
HTTP [POST]: https://smpserver.example.com:4726/altiris/NS/Agent/PostEvent.asp?encrypted=1&priority=0&source=xxxxxxx-A793-443B-BB33-xxxxxxxx
ip: [192.168.x.xxx]; x-sma-version: [8.7.3391.0]; content-length: [2465];
timings: [[W] 00:00:00.0163581];
response: [200 OK]; x-smp-nsversion: [8.7.3391.0];
-----------------------------------------------------------------------------------------------------
Date: 10/4/2024 8:54:22 AM, Tick Count: 64144140 (17:49:04.1400000), Size: 2.64 KB
Process: w3wp (5936), Thread ID: 303, Module: Altiris.NS.dll
Priority: 2, Source: AgentCertificateDistributer
In the SMP Console, the Certificate Management page (Settings > All Settings > Notification Server > Certificate Management) also shows the "untrusted certificate" status.
ITMS 8.7.x
Computers were migrated from one SMP Server to another. Primary certificates needed to be renewed/signed with the Agent CA certificate that is currently in use.
"Renew" the certificate of each affected client machine, that is, each client machine that was migrated from the old SMP Server to the new SMP Server (see "How to replace, renew, and revoke certificates in ITMS 8.x", KB 204333).
You should see in the NS logs that the "replace" process (Replacement in progress) has started:
"Renew certificates task xxxxxxxxxx started"
Then wait for the affected client machines to receive the task to renew their certificates. Over time, those warnings should stop happening as the renewal process is done.
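One way to track which clients are still being rejected while the renewal runs, as an added example (not Symantec/Broadcom code): the script groups the three warning types shown above by client address and lists the addresses whose latest warning is newer than the renew task start. It assumes the entries were copied out as plain text in the layout shown above, with US-style timestamps; the function names and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns copied from the three warning types shown on this page.
MESSAGES = [re.compile(p) for p in (
    r"Certificate worker call rejected from: (?P<ip>[^:\s,]+):\d+, certificate is not trusted",
    r"Client certificate is not valid, cert\[.*?\], connection\[.*?addr=(?P<ip>[^:\s,]+):\d+",
    r"Failed validation of certificate by request: '(?P<ip>[^']+)'",
)]
SUBJECT = re.compile(r"Issuer '[^']*' Subject 'CN=(?P<cn>[^']*)'")
STAMP = re.compile(r"^Date: (?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M),")

# Constructed sample (documentation addresses and names, not real log data).
SAMPLE = """\
Certificate worker call rejected from: 192.0.2.10:52866, certificate is not trusted
-----
Date: 10/4/2024 8:54:55 AM, Tick Count: 1, Size: 311 B
Failed validation of certificate by request: '192.0.2.11' (serial: AA, thumbprint: BB):
Thumbprint 'BB' Serial 'AA' Issuer 'CN=smp.example.test Agent CA' Subject 'CN=pc11.example.test'
-----
Date: 10/4/2024 9:30:00 AM, Tick Count: 2, Size: 2.64 KB
"""

def summarize_cert_rejections(text):
    """Group certificate-rejection warnings by client address."""
    hosts = defaultdict(lambda: {"count": 0, "last": None, "subjects": set()})
    pending, last_ip = [], None   # addresses waiting for their "Date:" footer
    for line in map(str.strip, text.splitlines()):
        hit = next((m for m in (p.search(line) for p in MESSAGES) if m), None)
        subj, stamp = SUBJECT.search(line), STAMP.match(line)
        if hit:
            last_ip = hit.group("ip")
            hosts[last_ip]["count"] += 1
            pending.append(last_ip)
        elif subj and last_ip:
            hosts[last_ip]["subjects"].add(subj.group("cn"))
        elif stamp:
            # Timestamp format assumed to be US style, as in the page's sample.
            when = datetime.strptime(stamp.group("ts"), "%m/%d/%Y %I:%M:%S %p")
            for ip in pending:
                hosts[ip]["last"] = max(hosts[ip]["last"] or when, when)
            pending, last_ip = [], None
    return dict(hosts)

def still_failing(hosts, renew_started):
    """Addresses whose latest warning is after the renew task started."""
    return sorted(ip for ip, h in hosts.items() if h["last"] and h["last"] > renew_started)
```

Pass the time of the "Renew certificates task ... started" entry as `renew_started`; the returned list should shrink as clients pick up the task.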
"How to replace, renew, and revoke certificates in ITMS 8.x" (KB 204333)
"Unable to connect via CEM mode after migrating to a new SMP Server when same server hostname/fqdn was kept" (KB 275066)
"Unable to add SMP Server to CEM Gateway after offbox migration and SMP Agent CA certificate move" (KB 163325)