Overview
When you attempt to run a vulnerability scan, the scan fails. On the Windows agent, if running in verbose mode, you'll see the scan hang on Verifying Device ID with the core. If you browse the logs on the clients, either Mac or Windows, you'll see 403 error codes similar to the example below.
Action SOAPAction: "http://tempuri.org/ResolveDeviceID" failed, socket error: 0, SOAPCLIENT_ERROR: 5. Status code: 403, fault string: Retrying in 2 seconds...
On the Core, you may see "certificate not presented" for the agent on which you requested the security scan.
Cause
With Enhanced Client Security, it's imperative to have a clean certificate store on the local device for IIS. Having a non-self-signed certificate in the Trusted Root Certification Authorities store will cause issues. The installer will prompt you to remove bad certificates prior to proceeding with the install, but if you have a GPO, it may restore the bad certificate. For more information regarding this issue, see https://help.ivanti.com/docs/help/en_US/LDMS/10.0/default.htm#cshid=RootCertificateConfiguration
More detailed information related to certificate troubleshooting is available here:
About Vulscan and SSL Verification
Validation
If you're having an issue with security scans and want to test a potential bad certificate:
- Open Internet Information Services (IIS) Manager
- Expand Sites and click on the WSVulnerabilityCore application.
- Open SSL Settings and set Client Certificates to 'Ignore' (default is 'Accept').
- If the scan works, that is indicative of the problem. Leaving the configuration at Ignore is NOT recommended and could compromise the Enhanced Client Security. This is just to test to see if a bad certificate is the cause.
Fix
- Launch certmgr.msc on the Ivanti Endpoint Manager Core Server
- Expand Trusted Root Certification Authorities
- Click on the Certificates sub folder and review the certificates in the store, paying particular attention to the Issued By category. Look for certificates that are not signed by the server itself or by a certificate provider and remove them.
On some systems (Core Servers) it may be necessary to change the following registry keys that affect how certificates are trusted:
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, Value name: ClientAuthTrustMode, Value type: REG_DWORD, Value data: 2
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, Value name: SendTrustedIssuerList, Value type: REG_DWORD, Value data: 0 (False, or delete this key entirely)
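A read-only check for the conditions in the Fix steps above, as an added example (not Ivanti's own tooling): it lists certificates in the machine Trusted Root store that are not self-signed and reports the two SCHANNEL values. It assumes an elevated PowerShell session on the Core Server and treats "Subject differs from Issuer" as the test for a non-self-signed certificate.

```powershell
# Added example: audit only, nothing is removed or changed.
# Assumption: run from an elevated PowerShell session on the Core Server.

# 1. Certificates in Trusted Root Certification Authorities (local machine)
#    whose Subject differs from their Issuer are not self-signed.
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer }

if ($misplaced) {
    Write-Warning "Non-self-signed certificates found in Cert:\LocalMachine\Root:"
    $misplaced |
        Select-Object Subject, Issuer, Thumbprint, NotAfter |
        Format-List
} else {
    Write-Output "No non-self-signed certificates in Cert:\LocalMachine\Root."
}

# 2. Compare the SCHANNEL values with the data given in this article.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$expected = [ordered]@{
    ClientAuthTrustMode   = 2
    SendTrustedIssuerList = 0
}
$props = Get-ItemProperty -Path $key

$report = foreach ($name in $expected.Keys) {
    $current = $props.$name   # $null when the value does not exist
    if ($null -eq $current) {
        # The article accepts a deleted SendTrustedIssuerList as equivalent to 0.
        $ok = ($name -eq 'SendTrustedIssuerList')
        $shown = '(not set)'
    } else {
        $ok = ($current -eq $expected[$name])
        $shown = $current
    }
    [pscustomobject]@{
        ValueName = $name
        Current   = $shown
        Expected  = $expected[$name]
        Matches   = $ok
    }
}
$report | Format-Table -AutoSize
```

If a listed certificate returns after removal, check whether a GPO is redistributing it, as noted under Cause.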
For additional information, see Ivanti's article https://help.landesk.com/docs/help/en_US/LDMS/10.0/default.htm#cshid=RootCertificateConfiguration or Microsoft's article https://support.microsoft.com/en-us/kb/2802568