System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validatio
I’m facing an issue with Mobile Management 7.1.
I have prod environment.
- All servers are on different boxes
- SMP, SMM, SCEP are in the domain
- Reverse proxy server is in the DMZ
- Override URL set on the external IP, SSL check box checked, using port 443
I can enroll iOS devices and they appear in the report “Detailed iOS Device Status”
- Agent install False
- Agent Enrolled true
- Reporting From BG True
- MDM Enrolled True
On the iPad I get the MDM profile and certificate issued by SCEP and MDM.
I have an APNS certificate issued by Apple in this format: com.apple.mgmt.*myname*
This APNS cert is on the MMS SS with the correct rights (Network Service read right).
I have an externally signed wildcard SSL certificate that is bound in IIS to the Default Web Site on port 443 on the reverse proxy and the SMM SS.
All the URLs are accessible externally.
I’m using the SMM agent downloaded from the App Store.
Issue:
At the end of the enrollment Safari returns a blank page.
I cannot download documents from the Mobile Library. They are visible, but when I try to download one I get an error message (cannot download file). In the log on the iPad I see that it is trying to download from an internal IP?
I cannot send any command to ALL enrolled devices; I get an error message “Error sending lock request - see server log for details”.
In the log file I find this message:
]></event>
<event date="Jan 20 10:31:19 +00:00" severity="4" hostName="SRVSMP01" source="Altiris.Reporting.DataSource.ResourceDataSource.Run" module="w3wp.exe" process="w3wp" pid="8056" thread="137" tickCount="-1724603609"><![CDATA[ResourceDataSource returned 0 rows in 'Table' table]]></event>
<event date="Jan 20 10:31:19 +00:00" severity="4" hostName="SRVSMP01" source="Altiris.NS.StandardItems.Collection.NSDataSrcBasedResourceCollection.FullUpdatePostDataSrcProcessing" module="w3wp.exe" process="w3wp" pid="8056" thread="137" tickCount="-1724603609"><![CDATA[Updating collection membership for collection '08dac7a7-bbcd-4cd6-8ccd-6031cfadf89d' with 0 members.]]></event>
<event date="Jan 20 10:31:19 +00:00" severity="2" hostName="SRVSMP01" source="Altiris.Agent.Unix.Policy.UnixAgentInstall.OnBuildClientConfigXml2" module="w3wp.exe" process="w3wp" pid="8056" thread="137" tickCount="-1724603593"><![CDATA[Couldn't find underlying policy for resource {1e9145c0-9693-4baa-aced-e19947100fc4}]]></event>
<event date="Jan 20 10:32:45 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSLockDeviceAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724517734"><![CDATA[IOSLockDeviceAction Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:45 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSWipeDeviceAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724517015"><![CDATA[IOSWipeDeviceAction Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:46 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSRemovePasscodeAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724516765"><![CDATA[IOSRemovePasscodeAction Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:46 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSUpdatePoliciesAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724516218"><![CDATA[IOSUpdatePolicies Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:46 +00:00" severity="4" hostName="SRVSMP01" source="Altiris.AssetContractCommon.ItemActions.GenericResourceEditAction.OnFromXml" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724516156"><![CDATA[Bulk Edit Action information Dataclass count:1 1st dataclass entry{00000000-0000-0000-0000-000000000000}]]></event>
<event date="Jan 20 10:32:46 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSUnmanageAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724516109"><![CDATA[IOSUnmanageAction Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:46 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.IOS.IOSSendInventoryAction.DoesItemActionApply" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724516015"><![CDATA[IOSSendInventoryAction Device check rightclick: ae6df3c3-efe4-4315-b05d-640aba579544]]></event>
<event date="Jan 20 10:32:47 +00:00" severity="4" hostName="SRVSMP01" source="Altiris.NS.Utilities.StringManager2.get_StringCache" module="w3wp.exe" process="w3wp" pid="8056" thread="42" tickCount="-1724515812"><![CDATA[Initialising StringCache, Size: 10000]]></event>
<event date="Jan 20 10:32:55 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.Web.IOS.LockDeviceAction.ButtonApply_Click" module="w3wp.exe" process="w3wp" pid="8056" thread="3" tickCount="-1724507843"><![CDATA[LOCK Device MMS guid: 4e96a7a8-a071-4d91-8f98-59c948913b84]]></event>
<event date="Jan 20 10:32:55 +00:00" severity="4" hostName="SRVSMP01" source="Symantec.MobileManagement.Web.IOS.LockDeviceAction.ButtonApply_Click" module="w3wp.exe" process="w3wp" pid="8056" thread="3" tickCount="-1724507796"><![CDATA[LOCK Device URL: https://SRVMMS01.DEMOALTIRIS.LOC:443/demandcommandws/demandcommandws.asmx]]></event>
<event date="Jan 20 10:32:55 +00:00" severity="1" hostName="SRVSMP01" source="Symantec.MobileManagement.Web.IOS.LockDeviceAction.ButtonApply_Click" module="w3wp.exe" process="w3wp" pid="8056" thread="3" tickCount="-1724507765"><![CDATA[Error sending lock device request. Url to command webservice on mobile management server: [https://srvmms01.demoaltiris.loc/demandcommandws/demandcommandws.asmx] .
( Exception Details: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Symantec.MobileManagement.Web.DemandCommandWebService.DemandCommandWS.Lock(String UDID, String Token, String Magic)
at Symantec.MobileManagement.Web.IOS.LockDeviceAction.ButtonApply_Click(Object sender, EventArgs e) )
( Exception logged from:
at Altiris.Diagnostics.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception)
at Altiris.Diagnostics.Logging.EventLog.ReportException(String strMessage, Exception exception)
at Symantec.MobileManagement.Web.IOS.LockDeviceAction.ButtonApply_Click(Object sender, EventArgs e)
at Altiris.WebControls.ButtonListControl.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.ios_lockdeviceaction_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
at System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
)
( Extra Details: Type=System.Net.WebException Src=System.Web.Services
Inner Extra Details: Type=System.Security.Authentication.AuthenticationException Src=System )]]></event>
Please, I need help to figure out this issue.
Thanks for your help
Comments
NS sees IP of MMS server as internal
The NS is seeing the IP address of the MMS as the internal IP address, since it has enrolled using an internal IP address. So it's passing an internal IP address to the system. You need to ensure that the NS routes to the external IP address of the MMS server, such as by modifying the hosts file or creating an internal DNS entry that uses the external IP address.
At that point you should be passing the correct IP to the managed iOS devices, but you may need to restart services or something.
Additionally, you should be using the FQDN of the SSL certificate, not the IP address. If you use IP address, the SSL certificate cannot be verified; instead, use the FQDN so that the SSL certificate is validated.
Does this help?
Mike Clemson, Senior Systems Engineer
Intuitive Technology Group -- Symantec Platinum Partner
So what do I need to put in
So what do I need to put in the hosts file: the EXT IP address and FQDN of my MMS server?
Where does the SSL certificate have to be installed? I’m using a wildcard certificate, is that OK?
I have put it on the reverse proxy server; do I need to put it anywhere else?
In the override URL I have the FQDN of my wildcard certificate.
Hello, I had exactly the same
Hello,
I had exactly the same issue last week on my mms platform.
Your server tries to connect using the internal name, and the certificate you are using was created for an external FQDN.
Your MMS server tries to contact IIS to post information using the internal name of the server, but the connection is refused because you don't use a name that matches the certificate that is bound in IIS.
Because we can't bind two certificates on a website, I have added a secondary IP address on the same network card, and in IIS I have bound the first IP address to the external certificate and the secondary IP address to the local certificate. See screenshot for binding details.
Hope it helps you.
Stef.
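The two replies above describe the same failure from two angles: the NS calls the MMS command web service by its internal FQDN, while the only HTTPS binding on the MMS carries the external wildcard certificate, so the .NET client's hostname check fails; a second IP with its own binding makes the internal name match again. The following added example (not part of the thread or of the Symantec product) models that check: the hosts map, IPs and certificate names are constructed, and the command URL is the one quoted in the log above.

```python
import ipaddress
from urllib.parse import urlsplit


def hostname_matches(san, host):
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost
    label and never spans a dot, so *.example.com covers mdm.example.com but
    not example.com, a.b.example.com or srvmms01.demoaltiris.loc."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    if s_labels[0] != "*" or len(s_labels) < 3 or len(s_labels) != len(h_labels):
        return False
    return s_labels[1:] == h_labels[1:]


def check_trust(url, hosts, bindings):
    """Return (ok, reason). hosts maps names to IPs (DNS or hosts file);
    bindings maps (ip, port) to the SAN list of the certificate IIS serves there."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    try:
        ipaddress.ip_address(host)  # an IP literal never matches a DNS-name certificate
        return False, "URL uses an IP literal; a DNS-name certificate cannot validate"
    except ValueError:
        pass
    ip = hosts.get(host)
    if ip is None:
        return False, f"{host} does not resolve"
    sans = bindings.get((ip, port))
    if sans is None:
        return False, f"no HTTPS binding on {ip}:{port}"
    if any(hostname_matches(san, host) for san in sans):
        return True, f"{host} matches the certificate bound to {ip}:{port}"
    return False, f"certificate bound to {ip}:{port} is for {sans}, not {host}"


# Before: one IP, one binding with the external wildcard cert; the NS calls the internal FQDN.
CMD_URL = "https://srvmms01.demoaltiris.loc/demandcommandws/demandcommandws.asmx"
HOSTS_BEFORE = {"srvmms01.demoaltiris.loc": "10.0.0.21", "mdm.example.com": "10.0.0.21"}
BINDINGS_BEFORE = {("10.0.0.21", 443): ["*.example.com"]}

# After (Stef's fix): a second IP on the NIC carries the internal certificate,
# and the internal name resolves to that IP.
HOSTS_AFTER = {"srvmms01.demoaltiris.loc": "10.0.0.22", "mdm.example.com": "10.0.0.21"}
BINDINGS_AFTER = {**BINDINGS_BEFORE, ("10.0.0.22", 443): ["srvmms01.demoaltiris.loc"]}

if __name__ == "__main__":
    print(check_trust(CMD_URL, HOSTS_BEFORE, BINDINGS_BEFORE))
    print(check_trust(CMD_URL, HOSTS_AFTER, BINDINGS_AFTER))
```

Running it prints a failure for the single-binding layout and a success once the internal name resolves to the IP that serves the internal certificate.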
In the MMS server only have
On the MMS server I only have the APNS certificate installed and the SSL wildcard certificate, so I can't bind any other IP to port 443.
Because the IP addresses are
Because the IP addresses are distinct, it does not represent a non-unique binding. You're binding 443 internal to your self-signed SSL and port 443 external to your externally-signed cert.
Mike Clemson, Senior Systems Engineer
Intuitive Technology Group -- Symantec Platinum Partner
In my case the SMP and Mobile
In my case the SMP and Mobile Server are on the same machine.
When you are using an iOS right-click action and you have an error, look at the Altiris Log Viewer for details. Filter only errors.
In the error details you will see how the command is posted. In my case I have the following error:
"Error sending lock device request. Url to command webservice on mobile management server: [https://mms-ns.azerysdmo.local/demandcommandws/demandcommandws.asmx] .
Hi. First thanks for all your
Hi.
First thanks for all your help.
I have fixed all issues by configuring a second IP address on the NIC and binding it to the internal cert in IIS.
I have fixed the issue with the mobile lib by following this article http://www.symantec.com/business/support/index?page=content&id=HOWTO60961
Could you tell me if we can manage policy for iOS devices with the App Store agent?
I set a policy to set a passcode on iOS devices.
I have configured the passcode in the payload and I have created a policy that is assigned to mobile resources.
When I enroll an iPad it doesn’t get the passcode payload, and when I click update policy from the console the device doesn’t get it.
What am I missing?
Yes, you can apply policy
Yes,
you can apply policy with the App Store agent. My device has the App Store agent, and when I click on update policy (by right-click action), the policy is applied in less than 10 seconds.
Have you tried to add an additional configuration profile during enrollment?
When you update policy by right-click, do you get a message that says the command is queued or something like that?
Yes I have added some config
Yes, I have added some config profiles during enrollment and it works.
When I click update policy on one device, yes, I get “the command has been queued”, but no modifications are coming up on the iPad.
E.g. I have a restriction profile that doesn’t allow the use of the camera. If I change the setting to allow the use of the camera, the modification never arrives on the iPad, but if I re-enroll it the correct settings are applied.
What am I missing?
Should work
Modified restriction profiles should be included as part of a policy update. When a profile is updated that's part of the policy, the entire policy is removed, including all profiles, and all profiles are readded as part of an updated policy. When you right-click and choose Update policies, it should be passing everything on.
Are you sure that your MMS SS can reach gateway.sandbox.push.apple.com on ports 2195, 2196, 5223?
Mike Clemson, Senior Systems Engineer
Intuitive Technology Group -- Symantec Platinum Partner
Hi, I'm still getting. the
Hi,
I'm still getting:
the underlying connection was closed: Could not establish trust relationship for the SSL/TLS
Even if I have 2 IPs as explained by Stef.
Sometimes it works and for no reason it fails again.
If I remove the 2nd IP address and do an iisreset it works again for a moment and then fails again.
Does somebody have an idea?
The MMS server is on a different box than the SMP server.
I use a reverse proxy in a DMZ (IIS URL rewriter).
Enrollment is working properly.
Thanks for your help