Saget25
New Member.

Problem with agents after Certificate Remint Zenworks 20172a

We had to do a certificate Remint for one of our Zenworks Servers that had an old certificate (for some reason it was older than the 2nd primary and the satellite).

And now that the certificate has been deployed, the agents can't seem to connect properly.

Something about a user source being not available. I looked and everything is good in ZCC.

The certificates are also deployed on the workstations.

I tried zac unr / zac reg and still no luck.

Any idea?
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

An SR would likely be best....
Assuming you have multiple primaries...not sure how changing the cert on one would break devices since they should fail over to the other.
Now...If the CA was re-minted, that could have a huge trust issue....but re-registering should fix that...............

The New Cert may be totally unrelated to the current issue.....
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

Hi Craig,

A rereg, zac unr, zac reg, zac cc, agent uninstall/reinstall didn't fix the problem.
We are still experiencing problems. No agents are able to communicate with ZCM.

[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [Break from inner loop] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [Invalid Credentials - break from main loop] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [Calling DeleteCredential for realm: CALP] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [ZenCasa] [] [DeleteCredentials entered] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [ZenCasa] [] [DeleteCredentials returned] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [ZENSetSessionAuthenticationState entered] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [ZENSetSessionAuthenticationState returning SUCCESS] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [AuditLogger] [] [GetAuditXMLBlob returned: <UserData><zOps>UserLogin</zOps><zusername>myUserName</zusername><status>Failed</status><errcode>6</errcode><realm>ourTree</realm><localuser>myUserName</localuser></UserData>] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.481] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [Tear down Secret Store] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.481] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [ZENLogin returning WRONG_CREDENTIALS] [] [] [] [ZENworks Agent]


I have an SR opened but checking here if someone already had this problem 😉
0 Likes
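
Added example, not part of any post in this thread: a Python sketch that pulls the failed `UserLogin` audit records out of agent debug lines in the format quoted above and groups them by realm and error code, which helps tell one user's bad password apart from a failure that hits every user of a realm. The sample log is constructed (users `alice`, `bob`, `carol` and realm `exampleTree` are made up), the field positions are inferred from the quoted lines, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the agent log quoted above; users and realm are made up.
SAMPLE_LOG = """\
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [RemotingService] [] [Invalid Credentials - break from main loop] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:16:36.466] [2080] [ZenworksWindowsService] [31] [] [AuditLogger] [] [GetAuditXMLBlob returned: <UserData><zOps>UserLogin</zOps><zusername>alice</zusername><status>Failed</status><errcode>6</errcode><realm>exampleTree</realm><localuser>alice</localuser></UserData>] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:20:02.120] [2080] [ZenworksWindowsService] [44] [] [AuditLogger] [] [GetAuditXMLBlob returned: <UserData><zOps>UserLogin</zOps><zusername>bob</zusername><status>Failed</status><errcode>6</errcode><realm>exampleTree</realm><localuser>bob</localuser></UserData>] [] [] [] [ZENworks Agent]
[DEBUG] [08/27/2018 14:21:10.003] [2080] [ZenworksWindowsService] [45] [] [AuditLogger] [] [GetAuditXMLBlob returned: <UserData><zOps>UserLogin</zOps><zusername>carol</zusername><status>Success</status><errcode>0</errcode><realm>exampleTree</realm><localuser>carol</localuser></UserData>] [] [] [] [ZENworks Agent]
"""

AUDIT_PREFIX = "GetAuditXMLBlob returned: "

def parse_line(line):
    """Split one bracketed agent log line into named fields; None if it does not fit."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    head = line[1:-1].split("] [", 8)    # 8 leading fields, then message plus trailer
    tail = head[-1].rsplit("] [", 4)     # split from the right: the message may contain "] ["
    if len(head) != 9 or len(tail) != 5:
        return None
    return {"time": head[1], "component": head[6], "message": tail[0]}

def failed_logins(log_text):
    """Return one record per AuditLogger UserLogin event whose status is Failed."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["component"] != "AuditLogger" \
                or not rec["message"].startswith(AUDIT_PREFIX):
            continue
        try:
            blob = ET.fromstring(rec["message"][len(AUDIT_PREFIX):])
        except ET.ParseError:
            continue                     # truncated or malformed blob: skip the line
        if blob.findtext("zOps") == "UserLogin" and blob.findtext("status") == "Failed":
            events.append({"time": rec["time"], "user": blob.findtext("zusername"),
                           "realm": blob.findtext("realm"),
                           "errcode": blob.findtext("errcode")})
    return events

def summarize(events):
    """Count failures and distinct users for each (realm, errcode) pair."""
    users = {}
    for e in events:
        users.setdefault((e["realm"], e["errcode"]), []).append(e["user"])
    return {k: {"failures": len(v), "users": len(set(v))} for k, v in users.items()}

if __name__ == "__main__":
    print(summarize(failed_logins(SAMPLE_LOG)))
```
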
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

Please post your SR# here or send it via Private Message.......
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

I sent you the SR Number ! 🙂
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

anto28;2486419 wrote:
I sent you the SR Number ! 🙂


Thanks for the SR#
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

Also if this can help to narrow down the problem.

The certificate Remint task was started while we were running Zenworks 2017 Update 1. Then, while the task was deploying the new certificate soon to be applied, we upgraded to Zenworks 2017 Update 2a, and then the new certificate took place.

Now if we check the cert's info on the workstations, everything is fine and the expiration date is due 2028-07-11 15:45:16

I know this should work even if there is a deployment in progress... but in case of a bug...

Could this migration have affected how the remint process would normally work?

Thank you !
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

Not sure if that had an impact but...…

The one issue is that the stated goal was to remint the server certificate on one server.
What happened is that the Certificate Authority was Re-minted which is a drastically different event.

When a Server Cert is updated there is no need for any change to occur on the managed devices.
They already trust the Certificate Authority and when the server presents its new certificate, they trust it because it was issued by a CA they trust.

In this case, the Certificate Authority was reminted forcing the creation of new certs for all servers as well as needing to push a trust to all managed devices.
Also there needs to be some additional backend stuff that occurs on the servers when this happens.

Reminting a Server Cert is generally a very safe process...especially if there are multiple primaries devices can reconnect to if anything does go wrong.
Reminting or Changing the Certificate Authority contains significantly more risk...…

In regards to your SR.....I've made sure multiple folks were looped in and made aware of it, so they should hopefully make quick progress......
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

Thanks for the information you shared.

Then I'll wait for the engineer in charge of the SR to see if they have something new.

I'll post the solution here when everything is back to normal 😉
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

Hi,

So here is the problem :

For some reason it seems that the satellite server didn't have the proper certificate to communicate with the user source.

In the certificate everything looked fine according to the GUI, but something might have been wrong underlying.

The engineer's first idea was to do a remint on the satellite, which we did. Then finally he had another, better idea to speed things up: demote the authentication role of the satellite and then add it back again, which had the effect of fixing the certificate problem between the servers.

Then we needed to add it back to the location and then do a zman lrr -f on the primary server to force a location rule update.

Then after that all workstations that had a problem started working without a refresh or anything.
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

Thanks for Update!
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

Just letting you know guys that the fix that worked last week (remove and add the satellite auth role) stopped working this morning.

So there might be some process underneath that broke the sat auth role. It worked for 1 week.

Maybe there is some replication that overrode things?!?

Letting you know as soon as I know more.
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

If the Satellite Server is a Windows Server..........

Look for (There may be Desktop Versions Too if using those for your satellites..)

optional updates fixes related to KB4338818, KB4338821 for 2008 R2 Released July 18
optional updates fixes related to KB4338815, KB4338831 for 2012 R2 Released July 18

MS put out some bad patches that caused some issues....
If you have KB4338818 & KB4338815 but not the fixes for those "Fixes".....
Get the updated fixes applied and then reconfigure your sat server one more time if the MS patching does not help by itself.
Saget25
New Member.

Re: Problem with agents after Certificate Remint Zenworks 20

CRAIGDWILSON;2487669 wrote:
If the Satellite Server is a Windows Server..........

Look for (There may be Desktop Versions Too if using those for your satellites..)

optional updates fixes related to KB4338818, KB4338821 for 2008 R2 Released July 18
optional updates fixes related to KB4338815, KB4338831 for 2012 R2 Released July 18

MS put out some bad patches that caused some issues....
If you have KB4338818 & KB4338815 but not the fixes for those "Fixes".....
Get the updated fixes applied and then reconfigure your sat server one more time if the MS patching does not help by itself.


Hi Craig ! Thank you for your input 😉

We are running the sat on a SLES 12 SP2 Server.
Micro Focus Expert

Re: Problem with agents after Certificate Remint Zenworks 20

There is a less common issue fixed in 17.3 where the auth services could break on refresh...
It is actually a long standing issue going back to at least the 11.4.x days, but is quite uncommon....most customers never saw the issue.
In short, on refresh there was some unnecessary stuff being done and any time there are changes....something can always go wrong regardless of how remote...
In 17.3, those events on refresh were limited to when there were actual changes....which should be very rare....

So it is possible you just got unlucky by getting bit randomly in short order by a very rare issue and that will likely never happen again....or there could be something else going on...
Try redoing what you did last time and just monitor for now....


The MS Patch above caused frequent wide-spread issues the last few months...........which is why I pointed that out 1st...