Agent gets 401 Unauthorized error when trying to connect to beacon

thegedus · ‎Sep 06, 2022

Hello,

Some of our agents cannot contact their respective beacon after installations, and the following error messages are present in the logs:

installation.log:
Download failure: Error 0xE0500191: 401 Unauthorized - Authentication Required
Download FAILED for “https://[SERVER_NAME]/ManageSoft/Policies/Merged/_domain/Machine/[MACHINE_NAME].npl?machinename=[MACHINE_NAME]&ipaddress=[IP1],[IP2]”

policy.log:
Command “ndlaunch -r "$(DownloadRootURL)/Policies/Merged/Merged/_domain/Machine/[MACHINE_NAME].npl?machinename=[MACHINE_NAME]&ipaddress=[IP1],[IP2]” -o PkgType=Policy -o InstallProfile=Public -o "AllowedPkgTypes=Schedule" -o "SaveAllUserSymbols=False" -o "UILevel=Quiet"” returned exit code 1
ERROR: FlexNet Manager Platform installation agent cannot install the merged deployment policy

The example is a RedHat machine, and there are some AIX servers producing the same error. On the beacon servers, anonymous and windows authentication modes are enabled. System version is 2021 R1, agent version is 17.0.1.

I think this could be a confirugration issue, but I can't find what exactly could be the problem, as most of our agents are able to connect to the beacons.

Can you please help me, where to start?

Thanks,
thegedus

lajanakiram · ‎Sep 12, 2022

HI @thegedus ,

On the beacon machine, set as anonymous and also check if the required ports are open from Agent to beacon machine. Try wget or curl cmd from agent machine and see if you are able to download the policy from beacon machine.

ReshmaB · ‎Sep 13, 2022

Restart IIS after enable basic authentication . verify IIS logs for further information

ChrisG · ‎Sep 13, 2022

Does the URL noted in the installation.log file really start with "https://[SERVER_NAME]/ManageSoft/" as you've noted?

The reference to "ManageSoft" here should be "ManageSoftDL". If you are indeed seeing "ManageSoft" referenced then that would likely describe what you're seeing a failure. (Although I'd probably expect to see a 404 NOT FOUND error rather than 401 UNAUTHORIZED error...)

If you do see anonymous authentication enabled on the relevant virtual directory in IIS then it seems strange to get a 401 UNAUTHORIZED response when trying to access it. That might occur if there is some kind of web proxy between the agent and beacon that is requiring authentication.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

thegedus · ‎Sep 14, 2022

Hi Chris,

I looked again at the installation.log, it is indeed ManageSoft and not ManageSoftDL. When I tried to wget the same URL with ManageSoftDL, the request is successful, at least from my machine, we are yet to try from the endpoints in question.

In this case, it looks like something went off in an agent configuration. Do you happen to know which one we should check?

Thank you,
thegedus

ChrisG · ‎Sep 14, 2022

If this is affecting newly installed agents (that is, agents that have never successfully applied policy) then it's likely the "ManageSoft" value in the URL came from the bootstrap configuration specified in the mgsft_rollout_config file (on Unix-like operating systems) or mgssetup.ini file (on Windows) that was used to install the agent.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)