OK! I actually borrowed a script from
this Stack Overflow post and substituted a relevant WebRequest call:
$id = [Environment]::TickCount;
$fileName = "${PSScriptRoot}\Powershell_log_${id}.txt"
$listener1 = New-Object "System.Diagnostics.TextWriterTraceListener" @($fileName, "text_listener")
$listener2 = New-Object "System.Diagnostics.ConsoleTraceListener"
$listener2.Name = "console_listener"
[System.Diagnostics.Trace]::AutoFlush = $true
[System.Diagnostics.Trace]::Listeners.Add($listener1) | out-null
[System.Diagnostics.Trace]::Listeners.Add($listener2) | out-null
# Use reflection to enable and hook up the TraceSource
$logging = [System.Net.Sockets.Socket].Assembly.GetType("System.Net.Logging")
$flags = [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Static
$logging.GetField("s_LoggingEnabled", $flags).SetValue($null, $true)
$webTracing = $logging.GetProperty("Web", $flags);
$webTraceSource = [System.Diagnostics.Tracesource]$webTracing.GetValue($null, $null);
$webTraceSource.Switch.Level = [System.Diagnostics.SourceLevels]::Information
$webTracesource.Listeners.Add($listener1) | out-null
$webTracesource.Listeners.Add($listener2) | out-null
[System.Diagnostics.Trace]::TraceInformation("About to do net stuff");
$wr = [System.Net.WebRequest]::Create("https://ns.ad.example.com:443/Altiris/NS/Agent/CreateResource.aspx")
$response = $wr.GetResponse()
[System.Diagnostics.Trace]::TraceInformation("Finished doing net stuff");
#get rid of the listeners
[System.Diagnostics.Trace]::Listeners.Clear();
$webTraceSource.Listeners.Clear();
$listener1.Dispose();
$listener2.Dispose();
Sure enough, the resulting logfile identified the exact problem:
System.Net Information: 0 : [12808] SecureChannel#20268497 - Remote certificate has errors:
System.Net Information: 0 : [12808] SecureChannel#20268497 - Certificate name mismatch.
System.Net Information: 0 : [12808] SecureChannel#20268497 - Remote certificate was verified as invalid by the user.
System.Net Error: 0 : [12808] Exception in HttpWebRequest#47759218:: - The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel..
We issued a Notification Server web certificate in September 2019 with a Common Name
itms.example.com and two Subject Alternative Names:
itms.example.com and
ns.example.com. I issued and installed a new certificate with three SANs:
itms.example.com,
ns.example.com (like before), plus
ns.ad.example.com (which is named in the URL). I'm not sure why this didn't become a problem until last month... but it's fixed now!
Thank you very much for your help, EduardSch. BTW, I think that mmarmori would benefit from running a script like this on the Notification Server as well.
Original Message:
Sent: 09-04-2020 12:22 PM
From: Louis Wust
Subject: Deployment problem
I think that you are exactly right, Ed. Using Wireshark, I looked at all of the SSL/TLS handshakes which occur around the time of the "trust relationship" error. The only one which seemed problematic was the one launched by a local process (w3wp presumably) to the loopback address on port 443 (w3wp again). In this case, there was no "Application Data" sent back and forth between the two endpoints -- instead, the connection was terminated immediately after the handshake. There doesn't seem to be a hint at the protocol layer as to what happened, and the FIN packet is sent from client to server, which suggests that the server cert failed validation.
I agree that running a C# script with NScript.exe (with all of the Altiris/ITMS assemblies available) will help to pinpoint the problem. Would you mind reattaching the script that you mentioned? I couldn't seem to find it in the previous post.
Original Message:
Sent: 08-06-2020 04:39 AM
From: Eduard Schaab
Subject: Deployment problem
Server tries to redirect resource creation call to NS web. Since initial call to DS web service was performed over HTTPs, call to NS is also a HTTPs call. That one fails with error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel". At this point it is not clear what is the exact reason. Can you get error that is logged in IIS logs? The best way is to gather WireShark logs for this call. It will show why SSL handshake fails.
The problem can be related to sever name used in call and in NS web certificate. You can execute NScript.exe from Notification Server\Bin folder with attached script - it will show server name that is used during call and check that it matches server name in web certificate.
Thanks,
Ed.
Original Message:
Sent: 08-05-2020 07:13 AM
From: Miguel Marmori
Subject: Deployment problem
Hi Sergei,
Shipping log the server and site server. our deployment license is fine.
------------------------------
Pan American Energy LLC
Original Message:
Sent: 08-05-2020 02:32 AM
From: Sergei Zjaikin
Subject: Deployment problem
Looks like the problem is on the server side, PECTAgent cannot properly register on the server. Could you provide the server side logs please? And please check if your DS license is OK in SIM.
Original Message:
Sent: 08-04-2020 02:41 PM
From: Miguel Marmori
Subject: Deployment problem
Symantec™ Management Platform Version 8.5 RU3
Problem when deploy image
Ghost does not start in the image deploy process and I don't see the job being logged in Altiris when I select the job to deploy. I enclose the logs for analysis and representative images.
------------------------------
Pan American Energy LLC
------------------------------