Symantec Management Agent fails to register to a new SMP Server.

Article ID: 173748


Products

IT Management Suite, Client Management Suite

Issue/Introduction

Multiple scenarios cause the error messages shown below.

  1. Symantec Management Agents are unable to switch from one Symantec Management Platform (SMP) Server to another.
  2. The CEM Agent package is reinstalled on a system that already has a permanent certificate assigned from the SMP.

"Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{2C3CB3BB-FEE9-48DF-804F-90856198B600}"" name=""ENDPOINT"
, Error 80076003 Exception: Certificate can't be issued for agent.)" ,"Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse","Altiris.NS.dll","Errors"

"Too much certificates issued for resource: bbdbe6ef-85eb-407e-857e-f381e966f261","Altiris.NS.AgentManagement.AgentCertificateDistributer.IssueCertificateUnderCountControl","Altiris.NS.dll"

 

Environment

Symantec Management Platform 8.x

Cause

Computer resources were migrated to the new SMP Server, but the Agent certificates were not migrated.

The CEM Agent package was used to reinstall the Agent on a system that was already CEM-enabled on the SMP. This causes the "Too much certificates issued for resource" error message.

Resolution

Use the following query to search for clients that have associated client certificates but no certificate to load:

SELECT *
FROM [ResourceAssociation]
WHERE ([ResourceAssociationTypeGuid] = 'fd859758-beca-4cac-992f-555803651c0d'
    OR [ResourceAssociationTypeGuid] = 'd2c3dacc-5e96-4d23-b39b-87dca7b74533')
  AND ChildResourceGuid NOT IN
      (SELECT _ResourceGuid FROM Inv_Digital_Certificate_Details)

If the query returns results and there is a large number of problematic computers, they will need to be remediated from the SMP console, as described below.

For security reasons, installation from the CEM package can request only one set of CEM certificates per computer. Without this limit, anyone holding a stolen package would be able to issue several valid CEM certificates for the computer. If the specified computer resource already has associated CEM certificates, the request will fail with the specified error.
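
To see which resources are hitting these errors, the two messages quoted in the Issue section can be pulled out of an exported server log. The following Python script is an added example, not part of the original article or of Symantec's tooling; it assumes one log record per line, the function name `triage` is hypothetical, and the sample records are constructed from the messages quoted above.

```python
import re
from collections import Counter

# Patterns built from the two error messages quoted in this article.
# name="+ tolerates the doubled quotes of the CSV-style log export.
REFUSED = re.compile(
    r'Unable to get the client certificate.*?name="+(?P<name>[^"]+)"'
    r".*?Error 80076003 Exception: Certificate can't be issued"
)
OVER_LIMIT = re.compile(
    r"Too much certificates issued for resource:\s*"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)

def triage(lines):
    """Return (refused, over_limit): failure counts keyed by endpoint name
    and by resource GUID, so repeatedly failing resources stand out."""
    refused, over_limit = Counter(), Counter()
    for line in lines:
        m = REFUSED.search(line)
        if m:
            refused[m.group("name")] += 1
            continue
        m = OVER_LIMIT.search(line)
        if m:
            # Normalise case so one resource maps to one key.
            over_limit[m.group("guid").lower()] += 1
    return refused, over_limit

# Constructed sample records modelled on the article's messages; the
# endpoint names and the informational line are made up for illustration.
SAMPLE = r'''
"Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{2C3CB3BB-FEE9-48DF-804F-90856198B600}"" name=""ENDPOINT-01"">, Error 80076003 Exception: Certificate can't be issued for agent.)","Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse","Altiris.NS.dll","Errors"
"Too much certificates issued for resource: bbdbe6ef-85eb-407e-857e-f381e966f261","Altiris.NS.AgentManagement.AgentCertificateDistributer.IssueCertificateUnderCountControl","Altiris.NS.dll"
"Unrelated informational message","Constructed.Source","Altiris.NS.dll","Informational"
"Too much certificates issued for resource: BBDBE6EF-85EB-407E-857E-F381E966F261","Altiris.NS.AgentManagement.AgentCertificateDistributer.IssueCertificateUnderCountControl","Altiris.NS.dll"
"Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{2C3CB3BB-FEE9-48DF-804F-90856198B600}"" name=""ENDPOINT-02"">, Error 80076003 Exception: Certificate can't be issued for agent.)","Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse","Altiris.NS.dll","Errors"
"Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{2C3CB3BB-FEE9-48DF-804F-90856198B600}"" name=""ENDPOINT-01"">, Error 80076003 Exception: Certificate can't be issued for agent.)","Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse","Altiris.NS.dll","Errors"
'''.strip().splitlines()

if __name__ == "__main__":
    refused, over_limit = triage(SAMPLE)
    for name, n in refused.most_common():
        print(f"certificate refused  {name}  x{n}")
    for guid, n in over_limit.most_common():
        print(f"over issue limit     {guid}  x{n}")
```

The GUIDs reported for the over-limit case are the resources whose current certificate has to be revoked, or which have to be deleted, using the options that follow.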

Two ways to remediate:

  1. Revoke the current certificate from the SMP Console > Settings > NS Settings > Certificate Management.
  2. Delete the system from the Console. Be careful using this option: if the system is deleted and needs to communicate via the CEM Agent, it will not be able to do so until it is on the LAN / VPN and gets a new certificate.

To Revoke Certificate:

In one observed instance of this issue we were unable to revoke/renew certificates on affected endpoints and deleting from the console didn't resolve their issue. However, uninstalling/reinstalling the agent proved effective.