iOS Agent enrollment fails with a "Login failed - Authentication failure" message

Article:TECH188822  |  Created: 2012-05-15  |  Updated: 2013-09-09  |  Article URL http://www.symantec.com/docs/TECH188822
Article Type
Technical Solution


Issue



When trying to enroll an iOS device to the Mobile Management site server, the agent enrollment fails with a generic Login failed "Authentication failure" message.  The credentials are correct and valid for enrollment.  On further investigation, the https://mms.domain.com/MobileEnrollment/MobileConfig.aspx page returns an ASP.NET server error message:


Error



Server Error in '/MobileEnrollment' Application.


The remote certificate is invalid according to the validation procedure.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
  System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) +2339776
  System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
  System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
  System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
  System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
  System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
  System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +121
  System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) +7267842
  System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) +214
  System.Threading.ExecutionContext.runTryCode(Object userData) +376
  System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) +0
  System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) +98
  System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) +1131
  System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) +88
  System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) +20
  System.Net.ConnectStream.WriteHeaders(Boolean async) +360

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
  System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) +857759
  System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request) +10
  System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +243
  MobileConfig.SSI.MobileManagementInformation.GetIOSMDMEnrollmentSettings(String mmsServerGuid) +77
  MobileConfig._Default.Page_Load(Object sender, EventArgs e) +200
  System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
  System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
  System.Web.UI.Control.OnLoad(EventArgs e) +132
  System.Web.UI.Control.LoadRecursive() +66
  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428


Version Information: Microsoft .NET Framework Version:2.0.50727.5448; ASP.NET Version:2.0.50727.5456


Cause



Mobile Management is installed on a Symantec Management Platform server whose internal name does not match the IIS SSL certificate used for the server.  Some communication works (although internally, trust warnings can be found), but the communication between the Mobile Management Site Services and the Management Platform server fails, because the Symantec Management Agent does not use the SSL certificate's name.


Solution



The IIS SSL certificate used for the Symantec Management Platform server should match the server's name.  To see what name is currently being used, access the registry on the MMS site server at: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Servers, in the subkey for the specific server name.  The "Web" setting is the field used by Mobile Management for MMS to NS communication.

To change this setting globally, in the Symantec Management Platform console, go to Settings > Agents/Plug-ins > Targeted Agent Settings.  On the group for the Site Server, go to the "Advanced" tab and change the Server Name and Server Web to the name that matches the SSL certificate name.
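
One way to confirm the mismatch before the change and verify it afterwards, as an added PowerShell example that is not part of the original article: it reads each server's "Web" value from the registry key above, opens a TLS connection to that name, and reports whether standard validation accepts the certificate for it. It assumes the "Web" value is a URL or a bare host name and that HTTPS answers on the URL's port (443 if none is given); Test-ServerWebCertificate is a hypothetical helper name.

```powershell
# Added diagnostic example (not from the original article). Run on the MMS site server.
# Assumption: each "Web" value is a URL or a bare host name; port 443 unless an https URL says otherwise.
$root = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'

function Test-ServerWebCertificate {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Web)

    $uri = $null
    if ([Uri]::TryCreate($Web, [System.UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
        $hostName = $uri.Host
        $port = if ($uri.Scheme -eq 'https') { $uri.Port } else { 443 }
    } else {
        $hostName = $Web; $port = 443
    }

    # Record what standard validation decides; the callback never overrides the verdict.
    $seen = @{ Errors = $null; Cert = $null; Failure = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($src, $crt, $chn, $err)
        $seen.Errors = $err
        $seen.Cert = $crt
        return ($err -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($hostName, $port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($hostName) }   # validates against the "Web" name
        finally { $ssl.Dispose() }
    } catch {
        $seen.Failure = $_.Exception.GetBaseException().Message
    } finally { $tcp.Close() }

    $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    New-Object PSObject -Property @{
        Web          = $Web
        HostChecked  = $hostName
        CertSubject  = if ($seen.Cert) { $seen.Cert.Subject } else { $null }
        PolicyErrors = $seen.Errors
        NameMatches  = if ($null -ne $seen.Errors) { -not ($seen.Errors -band $mismatch) } else { $null }
        Failure      = $seen.Failure
    }
}

# One result per server subkey that has a "Web" value.
Get-ChildItem $root | ForEach-Object {
    $web = (Get-ItemProperty $_.PSPath).Web
    if ($web) { Test-ServerWebCertificate -Web $web }
}
```

A result with NameMatches set to False and PolicyErrors containing RemoteCertificateNameMismatch corresponds to the condition described under Cause; after the Server Web name is changed, PolicyErrors should read None.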


Supplemental Materials

Source: ETrack
Value: 2785418

