New client machines can't register when only TLS 1.2 is enabled on the SMP server. COM error: An existing connection was forcibly closed by the remote host (0x80072746)

Article ID: 172933

Products

IT Management Suite, Client Management Suite, Server Management Suite

Issue/Introduction

Some client machines can't make a connection to the SMP server to register, get a new configuration, or send basic inventory.
Agent logs showed the following entries (from oldest to newest):

  • Request 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
  • Configure Server Mode: Failed to obtain the machine resource GUID, error: An existing connection was forcibly closed by the remote host (0x80072746)
  • Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.
  • Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
  • Next basic inventory update will be sent to server SMPserver.domain.com at 2018-11-02 08:51:36, in 3 minutes
  • Calling NS server endpoint 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/GetClientPolicies.aspx', ID: {32FB5E6D-4E8B-4965-9E4F-9642A99A95E6}
  • Policy request failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
  • Next policy request from server SMPserver.domain.com will be at 2018-11-02 08:51:36, in 3 minutes


The customer is trying to use TLS 1.2 only. The default Agent Communication Profile has only TLS 1.2 enabled, and TLS 1.2 was enabled on the server as well. However, the client agent machine is not configured for TLS 1.2.


Request 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 402 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Configure Server Mode: Failed to obtain the machine resource GUID, error: An existing connection was forcibly closed by the remote host (0x80072746)
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 378 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer
 


Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:33 a. m., Tick Count: 67904593 (18:51:44.5930000), Size: 308 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 2, Source: Agent
 

 

Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907265 (18:51:47.2650000), Size: 355 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer
 


Next basic inventory update will be sent to server SMPserver.domain.com at 2018-11-02 08:51:36, in 3 minutes
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907265 (18:51:47.2650000), Size: 343 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 4, Source: ServerSettings
 


Calling NS server endpoint 'HTTPS://SMPserver.domain.com/Altiris/NS/Agent/GetClientPolicies.aspx', ID: {32FB5E6D-4E8B-4965-9E4F-9642A99A95E6}
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 367 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 4, Source: Agent

 

Policy request failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 338 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer
 


Next policy request from server SMPserver.domain.com will be at 2018-11-02 08:51:36, in 3 minutes
-----------------------------------------------------------------------------------------------------
Date: 02/11/2018 08:48:36 a. m., Tick Count: 67907281 (18:51:47.2810000), Size: 332 B
Process: AeXNSAgent.exe (5088), Thread ID: 6060, Module: AeXNSAgent.exe
Priority: 4, Source: ServerSettings
 

Environment

ITMS 8.x

Cause

TLS 1.2 was not configured properly on some client machines, and TLS 1.0 and 1.1 were disabled in the Agent Communication Profile. As a result, those machines had no protocol version in common with the SMP and could not establish communication back to it.

Note: In a similar instance, the cause was that CreateResource.aspx, GetClientCertificates.aspx, and GetClientCertificatesMig.aspx were set to the "Request SSL" option, which is usually not required.

Resolution

Try the following:

  1. Edit the Default Agent Communication Profile (under Settings>Agents/Plug-ins>Symantec Management Agent>Symantec Management Agent Communication>"Profile with your SMP name on it") and enable TLS 1.0 and 1.1. Save the change.
  2. Check whether the client machines can now communicate.

Note:
If the options for TLS 1.0 and 1.1 are grayed out on the default Agent Communication Profile, then try:

  1. Download IIS Crypto GUI (https://www.nartac.com/Products/IISCrypto/Download) and check what TLS version is available on the SMP. If TLS 1.2 is the only one selected, enable TLS 1.0 and 1.1. Restart SMP server.
  2. Go back and try to enable TLS 1.0 and 1.1 on the Default Agent Communication Profile.

If the client machines are able to register and communicate, then you can go ahead and:

  1. Run IIS Crypto and disable TLS 1.0 and 1.1 again. Restart SMP Server
  2. Check that the agent keeps communicating.



You can also try the following recommendations in order to allow .NET to try only TLS 1.2 when 1.0 and 1.1 have been disabled in an environment:

  1. Add (or modify, if they already exist) the following registry keys with the specified values on the SMP (or any task server that this client is trying to connect to):

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001 

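A PowerShell audit of the four registry keys above, added here as an example (it is not part of the original article or a Symantec tool). The `-Apply` switch and the report column names are choices made for this example; run it from an elevated prompt on the SMP or task server.

```powershell
# Added example: audit the .NET Framework TLS registry values listed in this article.
# Read-only by default; with -Apply, missing or mismatched values are set to 1.
param([switch]$Apply)

$keys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$names    = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'
$expected = 1   # dword:00000001, as given in the article

$report = foreach ($key in $keys) {
    foreach ($name in $names) {
        # Read the current value; a missing key or value leaves $current as $null.
        $current = $null
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$name }
        }

        $state = if ($null -eq $current) { 'Missing' } elseif ($current -eq $expected) { 'OK' } else { 'Mismatch' }

        if ($Apply -and $state -ne 'OK') {
            # Create the key if needed, then write the DWORD value.
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $expected -PropertyType DWord -Force | Out-Null
            $state = "Set (was $state)"
        }

        [pscustomobject]@{ Key = $key; Name = $name; Current = $current; State = $state }
    }
}

$report | Format-Table -AutoSize -Wrap

# Exit non-zero while anything is still missing or mismatched, so the script
# can be used as a scheduled compliance check.
if ($report | Where-Object { $_.State -in 'Missing', 'Mismatch' }) { exit 1 }
```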

Note: The log entry:

Request 'HTTPS://SMPServer.domain.com:443/Altiris/NS/Agent/CreateResource.aspx' failed, COM error: An existing connection was forcibly closed by the remote host (0x80072746)

can also be caused by wrong settings on the following pages.

Make sure the following settings match under IIS Manager:

SERVERNAME>Sites>Default Website>Altiris>NS>Agent>CreateResource.aspx

  • Under Authentication, Anonymous Authentication is set to Status 'Enabled'
  • Under SSL Settings, 'Require SSL' is unchecked and Client Certificates is set to 'Ignore'


SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificate.aspx

  • Under Authentication, Anonymous Authentication is set to Status 'Enabled'
  • Under SSL Settings, 'Require SSL' is checked and Client Certificates is set to 'Require'

SERVERNAME>Sites>Default Website>Altiris>NS>Agent>GetClientCertificateMig.aspx

  • Under Authentication, Anonymous Authentication is set to Status 'Disabled'
  • Under SSL Settings, 'Require SSL' is unchecked and Client Certificates is set to 'Ignore'

 

Note: If the error looks something like this:

Operation 'Direct: Post' failed.
Protocol: HTTPS
Host: <SMP Server FQDN>:443
Path: /altiris/NS/Agent/CreateResource.aspx

this means that the agent is trying to reach the Default Website, which uses port 443.