401 Unauthorized while accessing Altiris/ClientTaskServer/Register.aspx

Article:TECH42271  |  Created: 2009-06-10  |  Updated: 2010-05-27  |  Article URL http://www.symantec.com/docs/TECH42271
Article Type
Technical Solution


Issue



The Altiris Agent Task Client is unable to register with the Task Server. The following error shows up in the Agent log files:

Post to 'http://<server>/Altiris/ClientTaskServer/Register.aspx?resourceGuid=665fa4f6-59c5-4469-bb27-ee858859a7d3&lastResort=true' failed: HTTP error: 401 Unauthorized (-2147209951)

Verbose agent log files contain entries similar to the following:

HTTP/1.1 401 Unauthorized
Connection: close
Date: Mon, 15 Jun 2009 16:39:08 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1861


This can cause the Altiris Service account to lock out.

Environment



Task Server 6.0 & 7.0

Cause



IIS anonymous authentication is either not enabled for the task server virtual directories, or the web server is being prevented from servicing anonymous requests by a user right option.

The following two Microsoft tools (obtained as single downloads or from the IIS Resource Kit) can be used to determine where the problem lies within IIS:

AuthDiag and WFetch

In order for a web server to service anonymous requests, the IUSR account needs to be assigned the “Allow log on locally” user right (http://msdn.microsoft.com/en-us/library/ms955939.aspx). By default it has this right; however, the account can be removed from this right either via the server's Local Security Policy or from a GPO.


Solution



Possible solutions to this problem.

Solution 1: Enable Anonymous access
The easiest resolution for this problem is to allow the IIS anonymous user access to the ClientTaskServer and TaskManagement web sites in IIS. To do this, follow these steps:

  1. Open IIS Manager (Start > Control Panel > Admin Tools > Internet Information Services (IIS) Manager)
  2. Drill down to (<server> > Web Sites > Default Web Site > Altiris)
  3. Right click on ClientTaskServer web site
  4. Click Properties
  5. Select the Directory Security tab
  6. Under "Authentication and access control" click edit
  7. Check the box to enable anonymous access
  8. Click OK
  9. Click OK
  10. Repeat Steps 3 - 9 on TaskManagement

When the client machines try to hit Register.aspx or any other task .aspx files, they should now authenticate as the anonymous user (if the logged-on user does not have NT rights).

Solution 2: Use Agent Connectivity Credentials - Specified user
This method allows you to specify a user whose privileges are easy to manage, without the risk of breaking other components that rely on the anonymous IIS user.

  1. In the Symantec Management Console, browse to settings > Agents/Plug-ins > Altiris Agent > Settings > Altiris Agent Settings - Global
  2. Click on the Authentication Tab
  3. Select "Use these credentials"
  4. Specify a local or domain user that has rights to read those directories in IIS.  (You may have to open IIS and manage the permissions for the web sites)
  5. Click save changes
  6. Verify the message data saved comes up.  (The Notification Server will attempt to validate the credentials and will throw a message if it fails)
  7. Go to the client machines and open the altiris agent settings
  8. Click the update button under configuration
  9. Verify the Requested and changed date / time update to the current time and verify HKLM\software\Altiris\Communications\ Package Access User updates to the user specified above
    ...Note: On x64 machines, this key can be found under HKLM\Software\Wow6432Node\Altiris\Communications
  10. Under Task Status on the Altiris Agent click the Reset Agent button.

The agent should now authenticate as the specified user to the .aspx pages.  This can be verified by viewing the IIS logs on the server.
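
The IIS log check mentioned above, and the distinction drawn in the Cause section between disabled anonymous access and a missing user right, can both be read from the W3C log fields cs-username, sc-status, sc-substatus and sc-win32-status. The following Python script is an added example, not part of the original article or of any Symantec tooling; the log lines, the field order and the account EXAMPLE\svc_agent are constructed for illustration.

```python
from collections import Counter

# Task Server virtual directories named in this article (compared lower-case).
TASK_PATHS = ("/altiris/clienttaskserver/", "/altiris/taskmanagement/")
# IIS 401 sub-status codes and Win32 error codes relevant to this issue.
SUBSTATUS = {"1": "logon failed", "2": "logon failed due to server configuration",
             "3": "denied by an ACL on the resource"}
WIN32 = {"1326": "unknown user name or bad password",
         "1385": "logon type not granted (a logon user right is missing)",
         "1909": "account locked out"}

# Constructed sample, not from a real server. The field order is an assumption;
# the parser follows whatever the #Fields directive declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2009-06-15 16:39:08 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.21 401 2 5
2009-06-15 16:39:09 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.21 401 2 5
2009-06-15 16:39:10 POST /Altiris/ClientTaskServer/Register.aspx - 10.0.0.22 401 1 1385
2009-06-15 16:41:30 POST /Altiris/ClientTaskServer/Register.aspx EXAMPLE\\svc_agent 10.0.0.23 200 0 0
2009-06-15 16:41:31 GET /iisstart.htm - 10.0.0.23 200 0 0
"""

def summarize(log_text):
    """Count task-server requests per (user, status, substatus, win32 status)."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(TASK_PATHS):
            continue  # not a Task Server page
        counts[tuple(row.get(f, "-") for f in
                     ("cs-username", "sc-status", "sc-substatus", "sc-win32-status"))] += 1
    return counts

def explain(status, substatus, win32):
    """Describe a 401 sub-status and Win32 code; empty string if nothing applies."""
    parts = [SUBSTATUS.get(substatus, "") if status == "401" else "", WIN32.get(win32, "")]
    return "; ".join(p for p in parts if p)

if __name__ == "__main__":
    for (user, st, sub, w32), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3} user={user} {st}.{sub} win32={w32}  {explain(st, sub, w32)}")
```

A cs-username of "-" means the request was anonymous; after Solution 2 is applied, successful requests to Register.aspx should show the specified account instead.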

Solution 3: Use Agent Connectivity Credentials - Application Credentials
This is the default setup after installation.  Generally if there are problems you will need to troubleshoot why this does not work or pick another solution.

To configure the agent to use the application credentials:

  1. In the Symantec Management Console, browse to settings > Agents/Plug-ins > Altiris Agent > Settings > Altiris Agent Settings - Global
  2. Click on the Authentication Tab
  3. Select "Use application credentials"
  4. Specify a local or domain user that has rights to read those directories in IIS.  (You may have to open IIS and manage the permissions for the web sites)
  5. Click save changes
  6. Go to the client machines and open the altiris agent settings
  7. Click the update button under configuration

The agents will now access the .aspx pages using the application credentials.

Solution 4: If this is being caused by a user right issue

Have the IUSR account added back to the “Allow log on locally” user right.

Legacy ID



47572

