New client machines can't register when only TLS 1.2 is enabled on the SMP server. COM error: An existing connection was forcibly closed by the remote host (0x80072746)
Article ID: 172933
Updated On:
Products
Issue/Introduction
Some client machines can't make a connection to the SMP server to register, get a new configuration, or send basic inventory.
Agent logs showed the following entries (from oldest to newest):
Request 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/CreateResou
Configure Server Mode: Failed to obtain the machine resource GUID, error: An existing connection was forcibly closed by the remote host (0x80072746)
Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.
Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
Next basic inventory update will be sent to server SMPserver.domain.com at 2018-11-02 08:51:36, in 3 minutes
Calling NS server endpoint 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/GetClientPo
Policy request failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
Next policy request from server SMPserver.domain.com will be at 2018-11-02 08:51:36, in 3 minutes
The customer is trying to use TLS 1.2 only. The default Agent Communication Profile has only TLS 1.2 enabled. Technically they enabled TLS 1.2 on the server as well. However, the client agent machine is not configured TLS 1.2.
Request 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 402 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 2, Source: ConfigServer
Configure Server Mode: Failed to obtain the machine resource GUID, error: An existing connection was forcibly closed by the remote host (0x80072746)-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 378 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 2, Source: ConfigServer
Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 308 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 2, Source: Agent
Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907265 (18:51:47.2650000), Size: 355 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 1, Source: ConfigServer
Next basic inventory update will be sent to server SMPserver.domain.com at 2018-11-02 08:51:36, in 3 minutes-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907265 (18:51:47.2650000), Size: 343 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 4, Source: ServerSettings
Calling NS server endpoint 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/GetClientPolicies.aspx', ID: {32FB5E6D-4E8B-4965-9E4F-9642A99A95E6}-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 367 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 4, Source: Agent
Policy request failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 338 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 1, Source: ConfigServer
Next policy request from server SMPserver.domain.com will be at 2018-11-02 08:51:36, in 3 minutes-----------------------------------------------------------------------------------------------------Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 332 BProcess: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exePriority: 4, Source: ServerSettings
Environment
ITMS 8.x
Cause
TLS 1.2 was not configured properly on some client machines and TLS 1.0 and 1.1 was disabled from the Agent Communication Profile. So those machines were not able to establish a good communication back to the SMP.
Note: In a similar instance, the cause was that the CreateResource.aspx, GetClientCertificates.aspx, and GetClientCertificatesMig.aspx were set to "Request SSL" option when usually it is not required.
Resolution
Try the following:
- Edit the Default Agent Communication Profile (under Settings>Agents/Plug-ins>Symantec Management Agent>Symantec Management Agent Communication>"Profile with your SMP name on it") and enable TLS 1.0 and 1.1. Save change.
- Check if now the client machines can communicate.
Note:
If the options for TLS 1.0 and 1.1 are grayed out on the default Agent Communication Profile, then try:
- Download IIS Crypto GUI (https://www.nartac.com/Products/IISCrypto/Download) and check what TLS version is available on the SMP. If TLS 1.2 is the only one selected, enable TLS 1.0 and 1.1. Restart SMP server.
- Go back and try to enable TLS 1.0 and 1.1 on the Default Agent Communication Profile.
If the client machines are able to register and communicate, then you can go ahead and:
- Run IIS Crypto and disable TLS 1.0 and 1.1 again. Restart SMP Server
- Check that the agent stays communicating.
As well you can try the following recommendations in order to allow .NET to try only TLS 1.2 when 1.0 and 1.1 have been disabled in an environment:
- Add (or modify if these already exists) the following registry keys with the specified values on the SMP (or any task server that this client is trying to connect to):
[HKEY_LOCAL_MACHINE\SOFTWARE\W"SystemDefaultTlsVersions"=dwo"SchUseStrongCrypto"=dword:000[HKEY_LOCAL_MACHINE\SOFTWARE\W"SystemDefaultTlsVersions"=dwo"SchUseStrongCrypto"=dword:000[HKEY_LOCAL_MACHINE\SOFTWARE\M"SystemDefaultTlsVersions"=dwo"SchUseStrongCrypto"=dword:000[HKEY_LOCAL_MACHINE\SOFTWARE\M"SystemDefaultTlsVersions"=dwo"SchUseStrongCrypto"=dword:000
Note: The log entry:
Request 'HTTPS://SMPServer.domain.com:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
Can be also caused by wrong settings in the following pages:
Make sure the following settings matches under IIS Manager:
SERVERNAME>Sites>Default Website>Altiris>NS>Agent>CreateResource.aspx
-
- Under Authentication, Anonymous Authentication is set to Status 'Enabled'
- Under SSL Settings, 'Require SSL' is unchecked and Client Certificates is set to 'Ignore'
SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificate.aspx
-
- Under Authentication, Anonymous Authentication is set to Status 'Enabled'
- Under SSL Settings, 'Require SSL' is checked and Client Certificates is set to 'Require'
SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificateMig.aspx
-
- Under Authentication, Anonymous Authentication is set to Status 'Disabled'
- Under SSL Settings, 'Require SSL' is unchecked and Client Certificates is set to 'Ignore'
Note: If the error refers to something like this:
Operation 'Direct: Post' failed.Protocol: HTTPSHost: <SMP Server FQDN>:443Path: /altiris/NS/Agent/CreateResource.aspx
means that is trying to reach the Default Website, which uses port 443.
Feedback
