
'Access Denied' when Cloud Enabled agents try to access GetClientCertificates.aspx


Article ID: 163660


Products

IT Management Suite

Issue/Introduction

Cloud-Enabled Management (CEM) agents are not able to register when installing the Symantec Management Agent (SMA) with a CEM offline installer package while the agent has connectivity to the internal network.

Error 1:
Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer


Error 2:
Operation 'Direct: Post' failed. 
Protocol: HTTP 
Original Host: <SMP Server FQDN>:80
Real Host: <SMP Server FQDN>:80
Path: /Altiris/NS/Agent/GetClientCertificateMig.aspx 
Error type: SMP Server error 
Error code: Access is denied (0x00000005) 
Error note: HTTP Status 403: 403 Access is denied (client does not have authorization)
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation


Warning 1:
Request
'HTTP://SMP01.domain.com:80/Altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1';
failed, COM error: Access is denied (0x80070005)
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 2, Source: ConfigServer


Error 3:
Attempted CEM gateway certificate negotiation failed.
...
Process: AeXNSAgent.exe (956), Thread ID: 5652, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer



We also noticed messages like these (when trace and verbose logging was enabled):

Entry 1:
Attempted CEM nsagent certificate negotiation failed.
...
Process: AeXNSAgent.exe (7008), Thread ID: 7560, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer



Entry 2:
Operation 'Direct: Post' failed. 
Protocol: HTTPS 
Host: <SMP Server FQDN>:443 
Path: /altiris/NS/Agent/GetClientCertificate.aspx 
Error type: SMP Server error 
Error code: Access is denied (0x00000005) 
Error note: HTTP Status 403: 403 Access is denied (client does not have authorization)
Server HTTPS connection info: 
   Server certificate: 
      Serial number: <16 character certificate serial number> 
      Thumbprint: <40 character server thumbprint here>
   Cryptographic protocol: TLS 1.0 
...
Process: AeXNSAgent.exe (7008), Thread ID: 7560, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

Cause

The CEM offline package expects the new agent to communicate through the CEM Gateway and includes steps for negotiating the additional certificates that the agent will need. When the agent is connected directly to the SMP, those steps fail, causing this issue.

Resolution

Solution 1:

  1. Uninstall the agent that was installed from the CEM offline package.
  2. Install the regular Altiris agent through either an agent push or by pulling the installer locally.
  3. Add the computer to the CEM targeted agent policy.

Solution 2:

  1. Uninstall the agent that was installed from the CEM offline package.
  2. Remove connectivity to the local network.
  3. Verify you can reach the CEM gateway by name (nslookup) and cannot reach the SMP server by name.
  4. Reinstall the Offline package.
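
A pre-flight check for step 3 of Solution 2, written as an added example (it is not part of the original article or of the product's tooling). Both host names are placeholders, and ports 80 and 443 are taken from the log entries above.

```powershell
# Added example: pre-flight check before reinstalling the CEM offline package.
# Host names are placeholders (assumptions); pass your own values.
param(
    [string]$GatewayName = 'cem-gateway.example.com',  # placeholder CEM gateway FQDN
    [string]$SmpName     = 'smp01.example.internal',   # placeholder SMP server FQDN
    [int[]]$SmpPorts     = @(80, 443)                  # ports shown in the agent log entries
)

function Test-NameResolves {
    param([string]$Name)
    # No -DnsOnly: the hosts file, LLMNR and NetBIOS are checked too,
    # because any of them could let the agent find the SMP by name.
    try { $null = Resolve-DnsName -Name $Name -ErrorAction Stop; $true }
    catch { $false }
}

function Test-TcpPort {
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() throws when the connect fails and returns $false on timeout.
        $client.ConnectAsync($Name, $Port).Wait($TimeoutMs) -and $client.Connected
    }
    catch { $false }
    finally { $client.Close() }
}

$gatewayResolves = Test-NameResolves $GatewayName
$smpResolves     = Test-NameResolves $SmpName
$smpOpenPorts    = @($SmpPorts | Where-Object { Test-TcpPort $SmpName $_ })

"Gateway '$GatewayName' resolves : $gatewayResolves"
"SMP '$SmpName' resolves         : $smpResolves"
"SMP ports accepting connections : $($smpOpenPorts -join ', ')"

if (-not $gatewayResolves) {
    Write-Warning 'CEM gateway name does not resolve; the agent cannot register through it.'
}
if ($smpResolves -or $smpOpenPorts.Count -gt 0) {
    Write-Warning 'SMP still resolves or accepts connections by name; a direct connection produces the 403 errors shown above.'
}

if ($gatewayResolves -and -not $smpResolves -and $smpOpenPorts.Count -eq 0) {
    'PASS: step 3 conditions are met.'
    exit 0
}
'FAIL: fix connectivity before reinstalling the offline package.'
exit 1
```

Run it on the client after step 2 and before step 4; a non-zero exit code means the agent could still contact the SMP directly or cannot find the gateway.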

A similar error is addressed in KB TECH235374 (see link below)