
Schannel error on Server operating systems with SMP Agent installed

Created: 18 Feb 2014 • Updated: 18 Feb 2014 | 16 comments
Network23 wrote:

Hi,

Since I installed the SMA Agent on servers, I get many errors in the Windows System Event Log (see screenshot).

After uninstalling the SMA Agent the errors are gone. The agent is communicating via HTTP! We do not use HTTPS!

How can this issue be resolved? Are you also seeing this issue on your Servers with SMA Agent installed?

[Screenshot: Schannel_error_Altiris1_0.png]

dawi_x wrote:

I have seen the same issue at one of my clients after they upgraded to 7.5.

I haven't tested it yet, but I suppose the errors will disappear when adding the SMP's self-signed certificate.

After digging into the cert errors, we can see the name of the SMP server.

Further investigation shows, based on the server profiles on the agents, that the agents are trying to ping the SMP server for speed testing, which actually causes these Schannel errors.

Although we shouldn't do this in the first place.

Regards,

dawi_x

SK wrote:

If the SMA receives the SMP codebases then it will run speed tests against the SMP.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

Brad.Lucas wrote:

I too am getting the above on a new 7.5 deployment.

I've added the client and server SMP certificate to the intermediate CA to no avail.

Can the speed tests be disabled or run without SSL? SMP was installed without HTTPS.

Thanks

Brad

Brad.Lucas wrote:

Hi mate,

I have solved this issue today in my environment by doing the following after a bit of trial and error:

* Export the self-signed certificate from the SMP server's "Local Computer \ Personal \ Certificates" store (without private key) as a .P7B including all certificates in the certification path (probably not necessary).
* Import certificate into the client's "Local Computer \ Trusted Root Certification Authority \ Certificates" store.

The errors should stop immediately.

After confirming, I then deployed the certificate to all clients as part of the Default Domain Policy.
(Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > Import)

Hope that helps,

Brad
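The export/import procedure in Brad's post, written out as a PowerShell script. This is an added example, not code from the thread or from Symantec: it exports the SMP server's self-signed certificate from Local Computer \ Personal as a .p7b (no private key, which Export-Certificate never writes), imports it into a client's Trusted Root store, and then verifies that the only SMP certificate now trusted is the one with the exported thumbprint. The hostname `smp01.example.local`, the file path and the function names are placeholders; the PKI module cmdlets and an elevated session are assumed.

```powershell
# Added example (not from the thread). Placeholders: hostname, export path.
$SmpHostName = 'smp01.example.local'          # placeholder, not from the thread
$ExportPath  = 'C:\Temp\smp-self-signed.p7b'  # placeholder

function Export-SmpCertificate {
    # Run on the SMP server: export the SMP's own certificate from LocalMachine\My.
    param([string]$HostName, [string]$Path)

    # Filter on the subject so an unrelated certificate in Personal is not exported.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$HostName*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $HostName found in LocalMachine\My" }

    # -Type P7B writes a PKCS#7 bundle with the certification path; the private
    # key is not part of this output (only Export-PfxCertificate would write it).
    Export-Certificate -Cert $cert -FilePath $Path -Type P7B | Out-Null
    return $cert.Thumbprint
}

function Install-SmpTrustedRoot {
    # Run on each client after copying the .p7b there: import into Trusted Root
    # only if that exact thumbprint is not trusted yet (safe to re-run).
    param([string]$HostName, [string]$Path)

    # Read the leaf certificate out of the .p7b to learn the expected thumbprint.
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path)
    $expected = ($bundle | Where-Object { $_.Subject -like "*CN=$HostName*" } |
        Select-Object -First 1).Thumbprint
    if (-not $expected) { throw "Bundle $Path contains no certificate for $HostName" }

    $present = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected }
    if (-not $present) {
        Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }

    # Verification: every Trusted Root entry for the SMP hostname must carry the
    # exported thumbprint. Anything else with that subject was not put there by
    # this procedure and deserves a look before it is left in the store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$HostName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Status     = if ($_.Thumbprint -eq $expected) { 'OK' } else { 'UNEXPECTED' }
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

# On the SMP server:
#   $tp = Export-SmpCertificate -HostName $SmpHostName -Path $ExportPath
# On a client (after copying the .p7b):
#   Install-SmpTrustedRoot -HostName $SmpHostName -Path $ExportPath | Format-Table -AutoSize
```

Importing a self-signed certificate into Trusted Root makes the client trust anything signed with that key, which is why the script pins the check to a single thumbprint and reports any other certificate for the same name as unexpected. For the Group Policy deployment Brad describes, the same .p7b is the file you import under Public Key Policies.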

sergei Z wrote:

Guys, can you look into the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications\Servers

and see if there is any HTTPS entry listed?

This might give an idea why HTTPS requests are coming through.

sergei zjaikin, senior principal software engineer, symantec
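A way to run the check sergei Z asks for on every agent rather than by hand in the registry editor. This is an added example, not code from the thread or from Symantec. It walks `HKLM\SOFTWARE\Altiris\Communications\Servers` and reports which server profile entries reference HTTPS. The thread does not name the value under which the server URL is stored, so the script inspects every string value beneath each subkey; that layout is an assumption, as is the function name.

```powershell
# Added example (not from the thread). Assumes one subkey per server profile
# with the server address held in string values (value names unknown).
function Get-AltirisServerProfile {
    param([string]$Key = 'HKLM:\SOFTWARE\Altiris\Communications\Servers')

    if (-not (Test-Path $Key)) {
        Write-Warning "$Key not found; is the Symantec Management Agent installed here?"
        return
    }

    foreach ($sub in Get-ChildItem -Path $Key -Recurse) {
        $props = Get-ItemProperty -Path $sub.PSPath
        # Collect the REG_SZ values, skipping the PS* metadata properties
        # (PSPath, PSParentPath, PSChildName, PSDrive, PSProvider).
        $strings = $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Value }

        [pscustomobject]@{
            Profile   = $sub.PSChildName
            UsesHTTPS = [bool]($strings | Where-Object { $_ -match '^https://' })
            UsesHTTP  = [bool]($strings | Where-Object { $_ -match '^http://' })
            Values    = ($strings -join '; ')
        }
    }
}

$profiles = Get-AltirisServerProfile
$profiles | Format-Table -AutoSize

$https = @($profiles | Where-Object UsesHTTPS)
if ($https.Count -gt 0) {
    Write-Host "$($https.Count) server profile(s) reference HTTPS; these are the targets of the speed checks."
} else {
    Write-Host 'No HTTPS server profiles found under the Servers key.'
}
```

Running this on a few agents and comparing the HTTPS entries against the SMP's IIS bindings tells you whether the HTTPS profiles came from the SMP itself (as SK suggests) or from another server role.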

Brad.Lucas wrote:

Hi sergeZ,

I have four server entries on my SMP server: one SMB, two HTTP and one HTTPS.

Network23 wrote:

Hi Brad.Lucas,

Thank you for the answer.

Today I tried your suggestion and this stopped the Schannel errors appearing in the Windows Event Viewer.

@sergeZ
Also thanks for your reply! There are some entries in the registry that are indicating communication over HTTPS but there are also some entries with HTTP.

I don't have any idea why the agent tries to communicate with the SMP server over HTTPS even when the agent is configured to use HTTP, and why we have to install certificates.

Does anybody know why this is happening?

SMCC wrote:

I stopped this from happening by simply removing the 443 binding on the Altiris site in IIS, since I didn't feel like importing certificates that shouldn't be used in the first place. Any reason why this might be a bad idea?

EDIT: I was seeing Schannel errors on Win7 x64 SP1 workstations. The Altiris Agent is not currently installed on servers here.

EDIT2: sergeZ, can the https entry in that registry key be safely deleted from there or does it reflect a configuration elsewhere that should be changed?

SMCC wrote:

Here's one potential reason not to disable 443. This article explicitly says that removing that binding will cause package distribution warnings.

http://www.symantec.com/business/support/index?page=content&id=TECH212801

sergei Z wrote:

The registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications\Servers are created automatically when the agent or some solution plugin tries connecting to a server; this can be the SMP server or a Package Server or Task Server or any other server. These are the server profile records the agent uses to ping servers and do speed checks later.

You can stop the agent and remove the registry entries, but they will start appearing again as soon as the agent makes a connection to a server.

In this case it seems SK is right: the HTTPS address is received as part of some package codebases. The SMP server sends all the possible codebases to the agents regardless of certificate presence on the agent. The only pre-condition for this is a binding to the SSL port in IIS on the SMP server, which is why SMCC's solution above helps.

This behavior is new in 7.5 compared to 7.1. Unfortunately there is no way for now to turn it off.

sergei zjaikin, senior principal software engineer, symantec
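Two checks that connect the symptom on the client with the cause sergei Z describes on the server: a count of Schannel events in the client's System log, and a read-only listing of the IIS HTTPS bindings on the SMP that make it advertise HTTPS codebases. This is an added example, not code from the thread or from Symantec. It assumes the Schannel events are written to the System log under the provider name `Schannel` (the case on Windows Vista/2008 and later) and that the WebAdministration module is present on the SMP server; the function names are placeholders.

```powershell
# Added example (not from the thread). Read-only: nothing here changes bindings.
function Get-SchannelEventSummary {
    # Run on a client: how many Schannel events, grouped by event ID, in the last N hours.
    param([int]$Hours = 24)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $byId = $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            # The first message line normally names the failing TLS operation.
            Sample  = ($_.Group[0].Message -split "`n")[0].Trim()
        }
    }
    [pscustomobject]@{ Hours = $Hours; Total = $events.Count; ByEventId = $byId }
}

function Get-SmpHttpsBinding {
    # Run on the SMP server: list every HTTPS binding in IIS. With the binding
    # present the SMP hands out HTTPS codebases, which the agents then speed-test.
    Import-Module WebAdministration -ErrorAction Stop

    Get-WebBinding -Protocol https | ForEach-Object {
        [pscustomobject]@{
            # Site name is embedded in the binding's configuration XPath.
            Site               = ($_.ItemXPath -replace ".*@name='([^']+)'.*", '$1')
            BindingInformation = $_.bindingInformation   # e.g. *:443:
            CertificateHash    = $_.certificateHash
        }
    }
}

# Client usage:
$summary = Get-SchannelEventSummary -Hours 24
Write-Host "$($summary.Total) Schannel event(s) in the System log in the last $($summary.Hours) h"
$summary.ByEventId | Format-Table -AutoSize

# SMP server usage (run there, not on the client):
#   Get-SmpHttpsBinding | Format-Table -AutoSize
```

If the client shows a steady stream of Schannel events and the SMP lists an HTTPS binding on 443, the chain described in this post is confirmed; TECH212801 (linked above) is the reference for what removing that binding does to package distribution before anyone changes it.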

Network23 wrote:

Hi Guys

Thank you for all this useful information!

I worked with Symantec Support on this and they told me that it can be resolved using the following instructions:

Disable TLS for security encryption on affected machine. Follow the steps below:

1. Open Internet Explorer.

2. Click Tools.

3. Click Internet Options.

4. Click Advanced tab.

5. Scroll down the list under Security and uncheck all the "Use TLS" options.

6. Click OK.

7. Reboot the machine.

Symantec Support created a KB article for this issue: http://www.symantec.com/docs/TECH215186

sergei Z wrote:

Removing the 443 binding in IIS seems the better idea because it eliminates all the needless network traffic every agent generates when trying to connect over HTTPS.

sergei zjaikin, senior principal software engineer, symantec

SMCC wrote:

See http://www.symantec.com/docs/TECH212801

I posted this link above. Removing that binding led to the logs going crazy with warnings when I did it. Everything I tested still worked, so I'm not saying it's a totally bad solution, but it's not as clean as I want it to be. Maybe there's something else that doesn't work, so for now I'm putting up with the Schannel errors. I doubt I'll go changing everyone's IE settings.

I consider it a problem on Symantec's end that in an environment specified not to use SSL, everything still tries to connect via HTTPS, causing Schannel errors on the client when it sees an invalid certificate and freaking out on the server when it can't connect on 443, even though 80 works fine, because for some unknown reason it has to do both.

Mikkel.P.Jensen wrote:

Any news on this subject?

Still an issue on 7.5 SP1 :-(

Would be real nice with an official fix from Symantec!!!

(I don't consider changing everyone's browser settings an option.)

Brandon wrote:

I too would like to know if there is another way to address this besides disabling TLS.

Philippe OUVRARD wrote:

Hi,

I have the same issue after migrating to SMP 7.5 SP1 HF3.

What is the right fix?

Thanks.