8 Replies Latest reply on Sep 9, 2008 7:06 AM by IronMike

    Vista BrokerConfig: Failed to retrieve certificate

    Apprentice

      Hello once again,

       

      I'm trying to get things working with the LDMG on our network. I have my core server and MG set up, but my Windows Vista lab client can't get a certificate from the Core. I get a "Failed to retrieve certificate" error. I use the brokerconfig.exe to start a connection.

       

      So far, I have a working core and MG. I posted a certificate from the core onto the MG. The connection from the client over the internet to the gateway does function. When I start the brokerconfig.exe, fill in the info and start a test I get the following result:

       

      15:28.780   Attempting Direct HTTP connection to host CORESERVER:80
      15:28.780   Starting HTTP session with host CORESERVER:80, proxy "", and proxy user ""
      15:31.089   Unable to resolve host CORESERVER address 255.255.255.255
      15:31.089   Direct connection failed 6 Name resolution error
      15:31.089   Attempting managment gateway connection at host xxx.mn-web.eu and address xxx.xxx.xxx.xxx
      15:31.089   Starting HTTPS session with host xxx.xxx.xxx.xxx, proxy "", and proxy user ""
      15:31.089   Connecting to address xxx.xxx.xxx.xxx
      15:31.416   Waiting for link connection to core through managment gateway
      15:31.416   Begining link request
      15:31.416   HTTPS Request: POST /services/link?org=Mn%20Services
      15:31.416   Waiting for match response
      15:31.416   Waiting for HTTPS response
      15:31.448   HTTPS response finished status 201 description Created
      15:31.448   Creating session from client computer through managment gateway to core computer
      15:31.463   Starting long session client
      15:31.494   Match request completed 0 Success
      15:31.494   Link to core successful
      15:31.494   HTTPS Request: POST /landesk/managementsuite/core/core.secure/BrokerCertificateRequest.asmx
      15:31.494   Waiting for HTTPS response
      15:31.526   HTTPS response finished status 200 description OK

       

      This seems to be ok.

       

      When I push the Send button however, I get the error.

       

      I first thought this was a problem on my Core or IIS server. However, when I check my Client Certificates on the core server in Configure -> Management Gateway -> tab Certificates -> Manage client certificates I can see the client in the list of computers who are granted a certificate by the core.

       

      I checked the local folders and found that, as long as the brokerconfig.exe tries to get a certificate, the files broker.csr and broker.key are temporarily present in the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder. When I get the error from the brokerconfig.exe, the files are removed. I also checked the C:\Program Files\LANDesk\Shared Files\cbaroot\certs folder. No certificate is placed there.

       

      I thought it could be a permission restriction in Vista on one of the folders above, however, when I log in as an administrator with Full Control on these folders, I don't get a certificate either.

       

      I checked every troubleshooting guide on these forums and tried almost every answer but I still can't get a certificate from the core.

       

      Can someone help me with this? I'm getting pretty frustrated about this...

       

      Thanks in advance.

       

      Mark

        • 1. Re: Vista BrokerConfig: Failed to retrieve certificate
          phoffmann SupportEmployee

          General catch-all for Vista ... you tried turning UAC off? That blocks all sorts of stuff.

           

          Paul Hoffmann

          LANDesk EMEA Technical Lead.

          • 2. Re: Vista BrokerConfig: Failed to retrieve certificate
            Apprentice

            Hi Paul,

             

            Yes, I tried it with UAC disabled completely. This doesn't work.

             

            I also tested it with a Windows XP client with admin privileges, same result.

             

            Any other suggestions? Surely I am not the only one who had this problem before?

             

            Mark

            • 3. Re: Vista BrokerConfig: Failed to retrieve certificate
              phoffmann SupportEmployee

              A few things then.

               

              1 - Check Admin privileges - Users that are retrieving the certificate need to have administrative rights.

               

              2 - This is interesting:

               

              Unable to resolve host CORESERVER address 255.255.255.255

               

              You may want to modify the firewall settings by opening "https://gatewayname/gsb/" and going to the firewall tab.

               

              Remove 255.255.255.255 then save the settings.

               

              3 - Check the brokerconfig settings on the client to ensure username and password are valid console users (old favourite).

               

              4 - make sure you don't have DNS problems - just to make sure - you're resolving the LDMG to the right IP? (something you'll have to check based on your log, since you've X'ed it out) :).

               

              5 - Check the "brokerreq" folder for NTFS permissions on the Core. That may be causing you your problems (it would also hold up why the test works) - make sure the following groups have got access:

               

              • LANDesk Management Suite group -> Full rights

              • ASP.Net (the ASPNET user) -> Full rights

              • Launch IIS process account (the IWAM_YourCoreName) user. -> "Read & Execute", "List Folder Contents" and "Read" rights

               

              Let's begin with that.

               

              Paul Hoffmann

              LANDesk EMEA Technical Lead.
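
The folder-permission check from step 5 above, as an added PowerShell example (not part of the original post and not LANDesk's own tooling). The folder path and core name are placeholders you supply; the three accounts and their minimum rights are the ones listed in the post, matched by account name regardless of domain or machine prefix.

```powershell
# Added example: audit NTFS rights on the core's "brokerreq" folder.
# $BrokerReqPath and $CoreName are placeholders (assumptions), not values from the thread.
param(
    [Parameter(Mandatory = $true)][string]$BrokerReqPath,
    [Parameter(Mandatory = $true)][string]$CoreName
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Account name -> minimum rights, as listed in the post.
$required = @{
    'LANDesk Management Suite' = $Rights::FullControl
    'ASPNET'                   = $Rights::FullControl
    "IWAM_$CoreName"           = $Rights::ReadAndExecute  # covers List Folder Contents and Read
}

$acl = Get-Acl -LiteralPath $BrokerReqPath

$report = foreach ($name in $required.Keys) {
    $need = [int]$required[$name]
    # ACEs that apply to the folder itself, ignoring the DOMAIN\ or MACHINE\ prefix.
    $aces = @($acl.Access | Where-Object {
        (($_.IdentityReference.Value -split '\\')[-1] -eq $name) -and
        -not ([int]$_.PropagationFlags -band $InheritOnly)
    })
    $allowed = 0
    $denied  = $false
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } elseif ([int]$ace.FileSystemRights -band $need) {
            $denied = $true   # an explicit Deny overrides any Allow
        }
    }
    New-Object PSObject -Property @{
        Account  = $name
        Required = $required[$name]
        Granted  = ($aces | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
        Ok       = (($allowed -band $need) -eq $need) -and -not $denied
    }
}

$report | Format-Table Account, Required, Granted, Ok -AutoSize
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```

Only ACEs naming the account directly are evaluated; rights an account receives through membership in another group will show as missing and need a manual look.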

              • 4. Re: Vista BrokerConfig: Failed to retrieve certificate
                Apprentice

                Hi Paul,

                 

                Thanks once again for the quick reply.

                 

                1 - Check Admin privileges - Users that are retrieving the certificate need to have administrative rights.

                Checked that already.


                You may want to modify the firewall settings by opening "https://gatewayname/gsb/" and going to the firewall tab.

                 

                Remove 255.255.255.255 then save the settings.

                 

                Check.

                 

                3 - Check the brokerconfig settings on the client to ensure username and password are valid console users (old favourite).

                 

                Checked that already.

                4 - make sure you don't have DNS problems - just to make sure - you're resolving the LDMG to the right IP? (something you'll have to check based on your log, since you've X'ed it out).

                 

                Checked that in an earlier stage. We had that problem, but not anymore. You can check by pinging landesk.mn-web.eu. It should ping to 193.173.16.

                 

                5 - Check the "brokerreq" folder for NTFS permissions on the Core. That may be causing you your problems (it would also hold up why the test works) - make sure the following groups have got access:

                • LANDesk Management Suite group -> Full rights
                • ASP.Net (the ASPNET user) -> Full rights
                • Launch IIS process account (the IWAM_YourCoreName) user. -> "Read & Execute", "List Folder Contents" and "Read" rights

                Checked. All mentioned users have above rights.

                 

                Mark

                • 5. Re: Vista BrokerConfig: Failed to retrieve certificate
                  Apprentice

                  Just when I posted my last reply, I made a successful connection \o/

                  The solution: making a new agent. I used an old agent in my lab. I think this agent was from before I implemented the LDMG.

                   

                  Thanks for your help Paul.

                   

                  Mark

                  • 6. Re: Vista BrokerConfig: Failed to retrieve certificate
                    Rookie

                    I am having similar issues:

                     

                    We get a failed to retrieve certificate when trying to request from a laptop on the internet.

                    The last we were able to retrieve was on Friday.

                    Using brokerconfig.exe with the external IP and user and password.

                    Test goes fine:

                    Cert gets created on core but does not get back to the workstation.

                    8.8 core 8.7 iso gateway.

                    • 7. Re: Vista BrokerConfig: Failed to retrieve certificate
                      Apprentice

                      Works for us as long as we choose run as admin when we run brokerconfig.

                       

                      Of course, we run with UAC on, so I'm not sure if that affects it. 

                      • 8. Re: Vista BrokerConfig: Failed to retrieve certificate
                        Employee

                        Kevin,

                         

                        When you say the cert gets created on the core, do you mean in the managementsuite\brokerreq folder? Do you see a .crt file in there? If you do an iisreset on the core, does the first certificate request work, while subsequent requests fail?

                         

                        If so, there is a known issue that was addressed in SP1. Have you applied SP1 to the core server?