PerfMon connections problems resolved by disabling token passing

Article:TECH12571  |  Created: 2006-02-21  |  Updated: 2008-03-04  |  Article URL http://www.symantec.com/docs/TECH12571
Article Type
Technical Solution


Issue



During an attempt to connect to a monitor agent system with Performance Monitor, the following error occurs:

The Altiris Monitor Agent refused the connection ,"Unauthorized Request"







Environment



Any version of Monitor Solution

Cause



During the connection to a Monitor Agent from the Performance Monitor UI (user interface), there is a security process which takes place called "token passing." To understand this sequence, a brief description of a PerfMon connection to an agent must be given.

From a system running the PerfMon UI, a request is made to connect to the defined Monitor Agent via the Monitor Solution Web Service (smservice.asmx), which resides on the Notification Server where Monitor Solution is installed. The Monitor Solution Web Service will send a token with random generated value to the Monitor Agent. The Monitor Agent returns this token with an equivalent value to the Monitor Solution Web service. A data pipe is then established over port 1011 for communication from the Monitor Solution Web Service to the Monitor Agent. The Monitor Solution Web Service acts as a proxy for the PerfMon UI.

At some point during this process, the token is not received or passed correctly from the Monitor Agent to the Monitor Solution Web Service and the connection is refused resulting in the error shown in the Problem page.

If you run our MSDebug.exe, you will find the following being recorded in the debug logs:

00004877    15:12:36    [5796] CMetricServer::AllocateSocket: new socket.    
00004878    15:12:36    [5796] CRTMetricConnection::ProcessRequest: <request type="GetAllMetricNames" token="-136767768"></request>.    
00004879    15:12:37    [5796] CAuthenticationBSC::IsAuthorized URLOpenStream failed, error=80070005 for Url=http://NS/Altiris/AeXMonitor/Agent/AgentService.asmx/ServerCheck?strTokenIn=-136767768    
00004880    15:12:37    [5796] CRTMetricConnection::ProcessRequest Unauthorized request for token: -136767768.    
00004881    15:12:37    [5796] CRTMetricConnection::Disconnected: Connection down.


Solution



The solution involves disabling the token passing process. This will remove a layer of security from the connection but should not compromise overall integrity.

The process to disable token passing is done via an edit to the AexSMAgentConfig table. For any Monitor Agent system, the lifeblood of functionality is the config.xml file. The config.xml file is created by the Monitor Solution Web Service from values in several Monitor Solution tables in the database. For this specific process of disabling token passing security, the AexSMAgentConfig table is the focus. Here are the steps for the table edit:

  1. In SQL Query Analyzer run the following query against your Altiris database, after obtaing the Guid of the "Monitor Solution > Windows > Windows Monitor Agent Configuration" policy in question.  The default policy is called "All Windows Servers", however, if only a small amount of machines are affected by this, cloning this policy and modifying that one is a better option:   SELECT [Xml] FROM AeXSMAgentConfig WHERE Guid = '<Guid of policy>'
    Note: In your SQL Query Analyzer (for SQL 2000) go to Tools > Options and, under Results tab, change Maximum characters per column from "256" to "4096"as there are more than 256 characters for the XML column.
  2. Copy and paste results returned into Notepad.
  3. Add <useSocketServerAuthorization>false</useSocketServerAuthorization> within the agent node of the output from the XML column. Here is an example of this edit, the operative command is highlighted and underlined:

    <config><agent name="All Windows Servers" guid="{3e2c4414-a7d5-469f-a89c-1bc377168acc}" parentItemGuid="{9C6A9E32-31C8-44e3-B1E6-D0867FF16664}" solutionGuid="{E21E423F-BFA7-4477-9FA1-31C507BD2E6F}" collectionGuid="{9B1607CC-7837-4495-8385-5BD8F5C3C4F9}" classGuid="{FE7DCF5D-25DA-4034-90F1-BBCFCC7D9129}"><metricProviderThreads>20</metricProviderThreads><metricInitializationInterval>10</metricInitializationInterval><rulesInitializationInterval>5</rulesInitializationInterval><perfLogInterval>300000</perfLogInterval><logProcessInterval>300000</logProcessInterval><appDetectionInterval>3600000</appDetectionInterval><closeLogFileInterval>3600000</closeLogFileInterval><closeLogFileCleanupInterval>1</closeLogFileCleanupInterval><closedPerformanceLogsPath>.\ClosedLogs</closedPerformanceLogsPath><ruleEvaluationThreads>5</ruleEvaluationThreads><snmpCommunity>public</snmpCommunity><socketServerPort>1011</socketServerPort><MaximumConcurrentConnections>5</MaximumConcurrentConnections><hoursInProfileBucket>3</hoursInProfileBucket><metricProfiling>0</metricProfiling><metricUnavailableAlertOptions><logAction>NT Event Log</logAction><logAction>NS Event</logAction></metricUnavailableAlertOptions><databaseConnection><connectionString></connectionString><server>localhost</server><database>master</database><userName></userName><passWord></passWord></databaseConnection><useSocketServerAuthorization>false</useSocketServerAuthorization></agent><supportPrograms><program name="agentprofiler.exe"><programPath></programPath><interval>604800</interval></program><program name="AeXSMLogUpload.exe"><programPath></programPath><params><param name="perfLogUploadinterval">15</param><param name="disablePerfLogUpload">0</param><param name="storePerfLogInterval">60</param><param name="saveUploadedPerfLogs">0</param><param name="keepPerfLogs">0</param><param name="purgeStoredPerfLogPeriod">30</param></params></program><program name="AeXSMAppDetector.exe"><programPath></programPath></program></supportPrograms><metricConsumers><consumer name="StateMachine"><clsid>{1d52a666-f867-463e-bf49-3dd0254d1f35}</clsid><iid>{7e34f9e1-6530-4a8d-b17f-7c9e0f6af5b2}</iid></consumer><consumer name="SocketServer"><clsid>{e41fb57b-95b8-4cc9-b6c3-d0864bc69e9d}</clsid><iid>{77bcec91-a518-4db2-8d66-9fcbca377603}</iid></consumer></metricConsumers></config> 
  4. Copy the updated contents of XML (in step 3)  to

    Set [Xml] = ''  (paste between the single quotes) in the command below.      

  5. Run the following query against the NS's database: 
    UPDATE AeXSMAgentConfig
    Set [Xml] = '<XML output>'
    WHERE [Guid] = '{3e2c4414-a7d5-469f-a89c-1bc377168acc}'

It is advisable to reboot the Monitor Agent systems, but a Monitor Agent service restart will also force a new config.xml to be pulled down by the Monitor Agent with the token passing now disabled, and the PerfMon connection should now be functional.  Simply requesting a new confoguration from the NSAgent will do the trick too.


Legacy ID



19878


Article URL http://www.symantec.com/docs/TECH12571


Terms of use for this information are found in Legal Notices