CEM agents can't connect to the network through the gateway. No connection could be made because the target machine actively refused it. Getting 403.16 errors in IIS with Server 2012 R2
Client logs showed the following errors:
Protocol: http
Host: SMP-W2K12-01.domain.com
Port: 443
Path: /
Http status: 0
Secure: Yes
Id: {87430CA0-3180-44F7-814A-783D62D44596}
Error type: Connection error
Error result: 0x8007274D
Error code: 0
Error note: SocketIOStrategySyncSelect::Connect error
Error message: No connection could be made because the target machine actively refused it

Protocol: http
Host: SMP-W2K12-01.domain.com
Port: 443
Path: /Altiris/NS/Agent/CreateResource.aspx
Http status: 403
Secure: Yes
Id: {A4047091-DF99-4D3D-8F6B-98F748FDC8B6}
Error type: HTTP error
Error result: 0x80042D21
Error code: 0
Error note: HTTP status: 403 Forbidden. Empty response content received, probably web server is not running or URL is invalid. In some cases Windows can return response header with Content-Length field but with empty response payload
Error message: Error 0x80042D21 (No description available)
ITMS 7.5 SP1 and later
SMP or Task server running on Windows 2012 R2 server
Wildcard certificates, self-signed or internal CA.
Microsoft changed the default way that SSL works with Server 2012. See the following articles for information on how certificates are used in Windows 2012.
http://technet.microsoft.com/en-us/library/hh831771.aspx
http://support.microsoft.com/kb/2802568
You can try setting the registry values below to get Server 2012 to send the certificate trust list like it did in Server 2008. On the Notification Server or the Task Server, create the following values under this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create: ClientAuthTrustMode = dword:2
Create: SendTrustedIssuerList = dword:1
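
The following PowerShell script is an added example, not part of the original article. It reports the current state of the two values named above and changes them only when run with -Apply. The script layout and the -Apply switch are assumptions of this example; the key path, value names and data are the ones given in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, and optionally set, the two SCHANNEL values from the article.
# Run on the Notification Server or Task Server. Without -Apply nothing is changed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # hypothetical switch name chosen for this example
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Value names and data exactly as listed in the article.
$desired = [ordered]@{
    ClientAuthTrustMode   = 2
    SendTrustedIssuerList = 1
}

# Build a before-state report so the previous settings are on record for rollback.
$report = foreach ($name in $desired.Keys) {
    # Returns $null when the value does not exist under the key.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Name    = $name
        Current = if ($null -eq $current) { '<not set>' } else { $current }
        Desired = $desired[$name]
        Match   = ($current -eq $desired[$name])
    }
}
$report | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to write the values that do not match.'
    return
}

foreach ($row in $report | Where-Object { -not $_.Match }) {
    # ShouldProcess makes -WhatIf and -Confirm work for each write.
    if ($PSCmdlet.ShouldProcess("$key\$($row.Name)", "Set DWORD to $($row.Desired)")) {
        New-ItemProperty -Path $key -Name $row.Name -PropertyType DWord `
            -Value $row.Desired -Force | Out-Null
        Write-Host "Set $($row.Name) = $($row.Desired) (was: $($row.Current))"
    }
}
```

Keep the printed before-state table with the change record; these values apply machine-wide to Schannel, not only to the Altiris sites.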