CEM Agents unable to register to NS after upgrade to 8.8.1 or later
search cancel

CEM Agents unable to register to NS after upgrade to 8.8.1 or later

book

Article ID: 442240

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Following the 8.8.1+ upgrade of ITMS and Internet Gateways, CEM clients are unable to connect to the Notification Server. Internal (non-CEM) agent connections remain unaffected.

The Internet Gateway Manager/s display an error when attempting to refresh the connection to the Notification Server:

'Failed to establish secured connection to the SMP server (DATE/TIME)'

Newly installed and existing CEM agents may display the following errors when attempting a connection to the NS:

Connection stage: Server SSL handshake
Error type: HTTP error
Error code: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)
Error note: 403 Forbidden

Environment

ITMS 8.8.1+

Cloud Enabled Management

Cause

In at least one observance of the issue, it was discovered that IIS wasn't updated or configured properly for changes made in ITMS 8.8.1

Starting with 8.8.1 the CEM authentication process is controlled by an IIS extension module.

IIS settings for certificates were either manually changed back after the 8.8.1 upgrade, or the upgrade failed to make the needed change.

Resolution

The following settings should only be configured and verified for versions 8.8.1 and later. For earlier versions, these instructions are not applicable:

  1. Open IIS on the Notification Server with an administrator user
  2. Expand the server name > Sites > Symantec Agent > Altiris > NS > Agent
  3. For the 'Agent' site, double-click 'SSL Settings' in the middle pane
  4. 'Require SSL' should be checked/enabled and 'Client certificates:' should be set to 'Ignore'
  5. With the 'Agent' site still selected, switch to 'Content View' in the right pane
  6. In 'Content View', select 'GetClientCertificate.aspx' then click 'Switch to Features View' on the far right pane
  7. With 'GetClientCertificate.aspx' selected in the left connections pane, double click SSL settings in the middle pane and verify that 'Require SSL' is enabled and 'Client certificates' is set to 'Ignore'
  8. Repeat these steps with 'GetServerCertificate.aspx' to verify it is also set to 'Require SSL' and 'Ignore' Client certificates

Powered by Wolken Software