Unable to obtain a broker certificate with BrokerConfig.exe (IIS Troubleshooting)

Version 4

    Problem

     

    When requesting a certificate from the client machine using BrokerConfig.exe, you may run into this error message:

     


    Failed to retrieve certificate.

     

    The following steps will help rule out a problem with IIS (Internet Information Services):

     

    1. Stop the LANDesk Management Gateway Service on the Core Server.

     

    2. From a LANDesk client machine on the same network as the Core Server, create a new file called "Test.txt" under C:\Program Files\LANDesk\Shared Files, type "Test" in it, then save and close the file.

     

    3. Open a command prompt, change the directory to C:\Program Files\LANDesk\Shared Files, and run the following command:

    httpclient.exe -V -o Test.txt "http://CoreServer/incomingdata/postcgi.exe?prefix=brokerreq&suffix=.txt"

    Note: Be sure to change "CoreServer" to the actual core server name.

    A successful request returns CoreServer: 200. You can confirm that the file reached the core server by checking under %ldms_home%brokerreq.

     

    5. If CoreServer: 0, IOError is returned, check the file that PostCGI is attempting to use: it must not be 0 KB in size. Add something to the file, save and close it, then try again.

     

    6. If CoreServer: 3, IOError is returned, IIS services are not running. Run IISRESET on the core server.

     

    7. If CoreServer: 301, HTTP Error is returned, an HTTPS redirect is set up. Unfortunately, brokerservice doesn't currently support HTTPS redirects.

     

    8. If a CoreServer: 40x error is returned, it may be due to one of the following:

    CoreServer: 400, Bad file request. Usually means the syntax used in the URL is incorrect, or the client is joined to a domain but is using an off-network connection. In some cases, the client machine automatically appends its domain to 80 and 443 requests. The client then contacts the domain, and if the domain redirects to a placeholder page, proxyhost returns a 400. To work around this, either remove automatic redirects for unknown pages on the domain, or add a DNS record for connections made to corename.domain and point it to a dummy IP. This way there is no answer when a public attempt is made to contact the core, which forces proxyhost to try the gateway.

    CoreServer: 401, Unauthorized. IIS permission issue. Validate that the IIS settings and permissions are set up correctly. Authentication for this website should be Anonymous. Try using Filemon from www.sysinternals.com to troubleshoot the file permissions. Compare the IIS settings of a working Core Server with those of the Core Server having issues.

    CoreServer: 403, Access Denied. On 9.6 or older, this may be an incorrect user name and password entered into brokerconfig.exe. On 2016 and higher versions, this would indicate a permissions issue with the currently logged-in Windows user.

    CoreServer: 404, Path or file not found. The website may be missing or IIS is not started. Rebooting the core can sometimes help.

    CoreServer: 406. PostCGI.exe is either failing abnormally or there is a rights issue on the directory it is attempting to write to. Uninstalling and reinstalling the agent may fix the issue.

     

    Additional Resources

     

    How To Troubleshoot Brokerconfig and General Gateway Agent Issues

    Issue: CSA Public IP address reverting back to old IP address

    How to Configure a Gateway (Cloud Service Appliance) - Quick Guide