Clients show in the Symantec Administration Console for Macintosh (SACM), but sent commands result in an Invalid Key ID error in the Command Log

Article:TECH104888  |  Created: 2008-01-08  |  Updated: 2009-01-24  |  Article URL http://www.symantec.com/docs/TECH104888
Article Type
Technical Solution


Environment

Issue



Clients appear in the console, but commands fail with "Invalid Key ID".

Symptoms
Invalid Key ID errors in Command Log.



Cause



The password entered when sending the command is incorrect.

If the password is known to be correct, this error may occur if the Administration Client package was not properly configured during installation of the SACM server. It may also occur if the SACM is uninstalled and reinstalled, and the existing Administration Client is not removed from the client before the new Administration Client is installed.

Alternatively, this error can occur if a new Key Password was created but the clients were not subsequently updated with that information.

Solution



In the case of a new SACM installation or a reinstallation, manually configure the Administration Client package, then uninstall the Administration Client and reinstall it from the new package. This ensures that the Administration Client package is configured and signed with the proper key.
  1. In the Console, click on Maintenance.
  2. Under Server Configuration, choose Configure Client Package.
  3. Choose a Key ID, enter the correct key password, then click on Modify Client Package.
  4. Uninstall and reinstall the Administration Client package on a machine that has been showing this error in the console.

    Note: To avoid confusion, the client being tested should be removed from the list in the SACM (under Maintenance > Server Configuration > Remove Clients) prior to doing the following steps. Once the client checks in again, the same client will appear twice and it may be difficult to tell which one is the correct one at a glance.

    - To uninstall: copy the file SACM Client Uninstaller.command located within the Support folder on the Symantec AntiVirus 10.2 disk image to the client you wish to remove the Administration Client package from, then double-click on the command file to launch it in the Terminal program. Restart the computer.

    - To reinstall: Locate the Administration Client package on the SACM server, then copy to the client to install.
    By default it is found here: /Library/Application Support/Symantec/SMac/Symantec Administration Client.pkg

After the client restarts it will check back in with the SACM. After it does, try issuing a command to it (something simple and non-invasive such as Ping is fine). Check the command log to verify that the command succeeds.

In the case of a new Key Password being added in the SACM, you will then need to send that Key Password information to clients reporting into the SACM:
  1. On the Send Commands page, under Send Command Options, choose the Send command to all clients radio button.
  2. On the Command drop-down menu, under Administrative Commands, choose Add Public Key.
  3. Click Specify Parameters.
  4. On the Add Public Key page, specify the following:
    - Command Label: The name that you assign to your command. The name appears in the Command log after you issue the command.
    - Command Expires: The time period in which the command is active. Enter a number, and then specify the period in days, weeks, or months.
    - Command Key ID: An integer by which the public key is identified at both the server and the client. This is the pre-existing key installed on the client and is used to authenticate the command.
    - Key Password: The password that corresponds to the Key ID above.
    - New Public Key ID: The Key ID to be added, previously created in the Maintenance tab of the SACM.
  5. Click Command.

It is also a good idea to use Modify Client Package (as noted in the first section of this document) so that subsequent new installations have all Key ID information.


References
The Symantec Administration Console Admin Guide PDF, located within the Support folder of the installation disk.



Technical Information
An alternate method to force clients to check in to the SACM again can be found in the following document. The client will still need to be removed from the SACM's client list, as this process will create a new NodeID and a new entry on the client list.


Title: 'How to force Symantec AntiVirus for Macintosh 10 clients to re-register themselves with the Symantec Administration Console server'
Document ID: 2007579040050598



Legacy ID



2008050807440248

