
Issues with Altiris (Symantec) licensing - the issuing Certificate server is nonexistent

Created: 19 Nov 2010 | 8 comments

I don't know if anyone has noticed, but the Altiris Licenses given out by Symantec contain a bit of data pointing to an invalid (nonexistent) site address to validate the licenses.  This is causing issues because they will never validate.  Since the licenses, when applied through the SIM, actually become certificates applied to the (Windows) OS, Windows will then try to validate these every 1/2 hour as defined in the NS.Internal Licensing Refresh Item.  This will obviously fail with 5-20 attempts to the site each time.

Since my site has a proxy server, the attempts act as a mini DoS.  One time the job tried 4000+ times in one hour.

The licensing Engineers are not yet sure how to fix this...
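To size the proxy load described above, here is an added example (not part of the original post and not Symantec code) that flags clients whose requests to one host never succeed within an hour. The log layout is modelled on Squid's native access log, and the host names, addresses and threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def parse_line(line):
    """Return (epoch_seconds, client, status, host), or None if unparseable."""
    fields = line.split()
    try:
        ts = float(fields[0])
        client = fields[2]
        status = int(fields[3].rsplit("/", 1)[1])   # e.g. TCP_MISS/503 -> 503
        url = fields[6]
    except (IndexError, ValueError):
        return None
    if "://" not in url:            # CONNECT entries log "host:port" only
        url = "//" + url
    host = urlsplit(url).hostname
    return (ts, client, status, host) if host else None

def find_retry_storms(lines, threshold=20):
    """Flag (client, host, hour) buckets with >= threshold requests, all failed."""
    buckets = defaultdict(lambda: [0, 0])           # key -> [total, failed]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, status, host = rec
        key = (client, host, int(ts // 3600))
        buckets[key][0] += 1
        if status >= 500:                           # proxy could not reach the host
            buckets[key][1] += 1
    return sorted(
        (client, host, hour * 3600, total)
        for (client, host, hour), (total, failed) in buckets.items()
        if total >= threshold and failed == total
    )

# Constructed sample data: hour-aligned epoch, hypothetical hosts and clients.
BASE = 1290160800
FAIL = "30001 {c} TCP_MISS/503 0 GET http://license-ca.example.invalid/ca.crl - DIRECT/- -"
OK = "120 {c} TCP_MISS/200 512 GET http://updates.example.test/feed.xml - DIRECT/192.0.2.10 text/xml"
SAMPLE_LOG = (
    [f"{BASE + 60 * i}.000 " + FAIL.format(c="10.0.0.15") for i in range(25)]
    + [f"{BASE + 10 * i}.000 " + OK.format(c="10.0.0.15") for i in range(30)]
    + [f"{BASE + 5 * i}.000 " + FAIL.format(c="10.0.0.22") for i in range(3)]
    + ["garbage line"]
)

if __name__ == "__main__":
    for client, host, hour_start, total in find_retry_storms(SAMPLE_LOG):
        print(f"{client} -> {host}: {total} failed requests in hour starting {hour_start}")
```

Requiring every request in the bucket to fail keeps busy but healthy destinations out of the result.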


JannasTo's picture

We have a 200 license server. We bought an additional 100 licenses. The nonsense you have to go through to combine these licenses is ridiculous in my opinion. I've been using CMS latest version for 4-5 months. I have had to call Altiris support 5 times. In my 10+ years in I.T. support I've been able to solve most issues on the net. NOT WITH THIS SOFTWARE...it's slowly sucking the life out of me!


xalamu005's picture

I'm leaving a comment to keep the thread open as I will update with an answer to this question once I hear from Symantec support.  I am undoubtedly not the only one to see or have this issue.

This issue has been 'accelerated' and 'pushed' up the Symantec support channels 5-6 times, with no answer other than, "We are currently working on getting the necessary resources to resolve this issue.  We will update you on the progress soon".

No resolution since the original post date of this thread (even longer, however, since the incident start).

xalamu005's picture

We have tried additional licenses to no avail.  The licenses, once handed to the OS and turned into certificates, contained the same invalid CA within.

In my opinion, an easy fix would be to reissue the certificates as associated with a new 'Symantec' licensing CA.  However, the thought from support is to resurrect the old Altiris CA and put it back out on the network.  This is still a work in progress as, it seems, there is somewhat of an 'internal' battle going on about this server.  May be the same thing with the licenses...?

Anyhow, the temporary fix for the 'proxy pelting' is to 'internally loop' the CA requests via adding the entry to point to in the OS hosts file.  This is temporary as the certificates (licenses) still never become valid in the eyes of the OS.  This will still be an issue, in my experience, with the SIM when it tries to pull in any updates for NS/DS components.  Also, I have seen from Altiris documentation ( that an invalid license will kill the software patching updates via the NS patching component.  I haven't tested this scenario however, as I still have an 'in limbo' NS 7.

My next endeavour will be to update to the NS7.1 in hopes of a miracle.  Now I have to reinstall my Server OS to Windows Server 2008 R2.

Very Frustrating...

xalamu005's picture

Symantec has given a 'fix' by giving the user a manual (downloaded) trusted certificate from (essentially the old Altiris certs still have invalid entries).  This is supposed to trick the Windows CA store into thinking the Certs were validated by the Altiris CA.  This means a new (trick) Trusted Certificate will have to be loaded into the Windows CA store every so often.

This problem is being blamed on Server 2008 although I am running [Windows] Server 2003 R2 with NS 7.0 (7.0 is not supported by 2008).

So far this is working (day 3 at time of writing), but I have been in the same scenario before.  I will update next week.

I don't know, yet, if this will be the permanent fix...

richardx's picture


If you create a blank MMC and add in the "Certificates" component, have you tried deleting the old certificates from "Altiris Licencing" and getting Altiris/Symantec to issue new ones and installing those in SIM?

WARNING: Make sure you first:

a) have your old ones backed up somewhere

b) get the new ones ready before deletion :)

One would hope that newly issued certificates have the relevant URL corrected?


xalamu005's picture

Yes, I have tried this.  There are two old 'trusted certificates' that keep showing themselves within the Certificate Store; I will delete them and they come back after a few minutes.  I have checked against the [Altiris] database to ensure there are no entries in there about these licenses that would cause them to be thrown back in.  There is no instance of the licenses in the DB.

I have tried the suggestion of installing new certificates.  I have deleted the old via MMC and via the Symantec license tool.  I then installed new licenses which created new certificates.  This didn't work.  I then proceeded with a total reinstall of the OS, NS, and certificates.  I admit this was a bit extreme but I have been in 'LIMBO' for 8 months with this licensing thing.  Plus I saw this as an opportunity to upgrade from Windows 2003/NS7.0 to Windows 2008/NS7.1.  Disappointingly (is this a word?) as soon as I installed the (freshly posted from Symantec licensing) licenses, the old Trusted Certificates showed back up in the certificate store.

Both the new licenses and the 'pseudo trusted certificate' contain the '' entries.  This is still an issue.  While our proxy is no longer pelted with requests for the false certificate authority, there are still issues.  The certificates are still showing as 'in error' with the 'A certificate contains an unknown extension that is marked critical'.

The NS is usable (thankfully), but the last time this happened, upon updating the NS with an MR, the licenses caused issues that installed mismatched versions for certain Suites and messed the system up in the first place.  --And here we are [almost] 1 year later--