In part 2 we introduced the Server components used in Provisioning, including some key items to be aware of. In this installment we'll cover troubleshooting the server components in a symptom - cause - resolution format. The methodology should also allow help you understand how these components work for further troubleshooting efforts, or for simply understanding how the data is moving through the Provisioning process. This specific article covers the Console and the common errors that can appear.
Once the server components are installed, and the AMT systems are in a correct Setup Mode, one must access the Provisioning Console to manage the Provisioning process. This console is located in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning. This part of the series covers errors in the console, specifically to common errors scene after the installation has taken place. These errors can also surface due to environmental changes in the infrastructure.
This section lists all the symptoms covered in this article. Use this list to guide you if you are working on a specific issue.
Provisioning Console Access Forbidden - Generally this is a 403 error on most of the Altiris Console Provisioning Nodes
Provisioning Console Connection Closed - All the Provisioning Nodes show an error that the underlining connection was closed
Provisioning Console User Not Authorized - This error relates to the access rights to the actual Provision Nodes, and can happen even if a user is an Altiris Administrator
Provisioning Console Timeouts - We've seen timeouts occur in the console, when accessing the Intel AMT Systems list
Provisioning Console Access Forbidden
When accessing the Provisioning Console, the following error is thrown:
The request failed with HTTP status 403: Forbidden
When installing Intel SCS, the manual install defaults to HTTPS, using TLS for secure communication. If the environment is not setup for TLS/HTTPS, the Altiris Provisioning Console will be unable to authenticate to Intel SCS, throwing this error.
On the Notification Server where Intel SCS is installed, open up IIS Manager.
Browse down into the Default Web Site and select AMTSCS.
Right-click on AMTSCS and choose Properties.
Select the Directory Security tab.
Click the Edit button under the Secure communications section.
Uncheck the box labeled ‘Require secure channel (SSL).
Click Apply and then OK.
Provisioning Console Connection Closed
The error ‘The Host Name cannot be resolved', or ‘ the remote connection was closed' appear when accessing the Provisioning Console.
The problem can also be seen when using the Test functionality on the DNS Configuration node. It may show a failed to obtain IP message.
When our Console tries to resolve the name to the Intel SCS Server (even when Altiris and SCS are on the same server) it fails and one of these errors are thrown. The difference can be in the perceived FQDN for the Server. Altiris is attempting to acquire the right IP address so it can communicate with SCS.
There are two ways to fix this if a reinstallation does not correctly set the SCS identity within Altiris.
LMHOSTS or HOSTS files - We can update one or both of these files to contain the FQDN we're using to try and translate the IP Address. The difficult part is finding out what Altiris is attempting to connect to. Use the process below to find out what it is looking for:
See Part 1 concerning the use of OOB trace logging and Debug View.
Enable trace logging in OOB and launch dbgview.exe.
Try to access the console and produce the error.
Stop trace logging.
This is the difficult part. Normally I scan through the log looking for the host name of the server. Usually this shows up as part of an FQDN. One example of this is Altiris called Servername.domain, which did not respond, but Servername.domain.com was a valid name.
Do a Search for the Host Name of the system (Not FQDN as it may not be using the valid one). For example, MyServer.
Once complete, access the file named lmhosts (no extension). Place a line in the file with the Server IP Address and invalid name:
Whatever invalid name was located in step 5, the above sequence can be used to give the computer the correct IP Address resolution. This resolves the issue. However there may be other steps needed. If this doesn't resolve the issue, continue to step 8.
Access the Service Location node in the Provisioning Console.
Change the option to ‘Alternate URL:'.
Specify a new location changing the name to one that resolves, for example:
Click Apply to save the changes.
The difficult part in this process is locating what Altiris believe the name of the Intel SCS Server is. Since Altiris and SCS are not integrated, they do not have a mechanism that shows if they are on the same server or not. This is why this issue surfaced.
Provisioning Console User Not Authorized
After installation or after credential changes the typical error structure appears with the message:
Current User can't view this page.
Current user can't change settings on this page.
Note that the error does not have the Red error typically associated with other console errors.
After installation only the user who conducted the Intel SCS install has rights to the console nodes. Until other users are added, only this user (usually the Notification Server Application identity) has rights to these nodes. Notification Server role and scope security does not apply to the populating of the data to the right of these nodes (although it does control access to actually showing the nodes themselves in the left-hand tree).
Follow these steps to give the necessary users rights to the Provision Console nodes:
Log into the Altiris Console as the Notification Server Application Identity, or the user used to manually install Intel SCS (one of these will usually be the authorized user).
Access the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Users.
Note the users who already have rights.
Click the blue + icon to add a user.
Click the ... browse icon to see a typical Notification Server Domain user and groups search window.
Add a group or user and click OK.
Under the Role: give Enterprise Administrator rights unless you want to limit which nodes are operable.
Click OK to complete adding the user.
If no user can access these nodes, the Intel SCS installation needs to be run again under the correct user. Run through these steps to complete this:
Log onto the Notification Server directly (or with the /console switch if you're using Remote Desktop) with the NS Application Identity.
In Add/Remove Programs, locate ‘Intel® Active Management Technology Setup and Configuration Service and remove it.
On the Notification Server, browse to install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\.
Launch the file AMTConfServer.exe and walk through the install. Be sure to use the Application Identity as the credentials for SCS.
When prompted for the database credentials, if permissible use the Application Identity.
Once completed log into the Altiris Console with the Notification Server Application Identity, then move back to step 1 of the previous sequence to add other users as necessary.
Provisioning Console Timeouts
Even in small environments we've seen timeouts on the Intel AMT Systems node, and much less frequently on the other nodes. The timeout throws a .NET error and the page is replaced by a timeout error.
The cause is not known at this time. The timeouts do not seem to occur always at particularly busy times for the Notification Server, so it is difficult to know what causes them. When there are plenty of resources available the timeouts generally do not occur, though if the server is extremely busy it doesn't always occur. It appears to be caused by varying factors.
A refresh after the timeout error often loads the page just fine. This suggests the loading the page gets into a loop or hung state, instead of a true processing timeout issue.
No full resolution is known at this time, but a few items can help minimize the impact of the issue.
Remote Consoles - We've seen remote consoles perform better than having the console loaded directly on the Notification Server
Refresh - Normally the timeouts occur without loading any of the frames within the page. If you click on the link or hit the refresh for the Intel AMT Systems page and no frames load within a minute, refresh the page. Often when the page is refreshed it then loads correctly, even quickly.
Once the console has been restored, the Provisioning process can be configured and initiated. Because of the all or nothing nature of most of these issues, they must be overcome before even being able to properly setup and configure Intel SCS for the Provisioning process. The above resolutions cover the methods used to resolve these issues at multiple sites.