ZENworks 11.x and 10.x Remote Control Error

  • 7003832
  • 08-Jul-2009
  • 27-Apr-2012

Environment

Novell ZENworks 11 Configuration Management
Novell ZENworks 10 Configuration Management with Support Pack 2 - 10.2 Remote Management

Situation

ERROR (dialogue on ZCC when attempting to remote control a device):
 
"The managed device was unable to initialize Novell Encryption scheme for the session. Ensure that the managed device is UTC time synchronized with this system. If the problem persists, contact Novell Technical Services."
 
ERROR: (from zmd-messages.log):
 
 [DEBUG] [07/08/2009 18:15:45.000] [4564] [nzrWinVNC] [4556] [] [Remote Management] [] [vncProperties.cpp: Failed to read certificate value from registry. Error: 2] [] []
 [DEBUG] [07/08/2009 18:15:45.000] [4564] [nzrWinVNC] [4556] [] [Remote Management] [] [vncProperties.cpp: Failed to read key value from registry. Error: 2] [] []
 [DEBUG] [07/08/2009 18:15:45.000] [4564] [nzrWinVNC] [4556] [] [Remote Management] [] [vncProperties.cpp: Failed to read CA certificate value from registry. Error: 2] [] []
 
ERROR: (from WinVNC.log):
 
vncTunnelNovell.cpp:  Failed to get CA subject. Error = 0.
 
Error 11.x (from WinVNC.log) when caSubject is invalid:
 
[ 09/28/11 17:08:01 PM ]SSL_accept returned '-1'. Error: '1'. Error message: no certificate returned.
[ 09/28/11 17:08:02 PM ]<RMMessage>
<MessageID>The managed device was unable to initialize Novell encryption scheme for the session. Ensure that the managed device is UTC time synchronized with this system. If the problem persists, contact Novell Technical Services.</MessageID>
</RMMessage>[ 09/28/11 17:08:02 PM ].\vncServer.cpp: RMPolicy:: Error: Could not read Console User Name from registry
 
Error 11.x (from WinVNC.log) when caSubject is missing key:
 
[ 09/28/11 17:16:42 PM ]Novell Encryption: No CA certificate found to initialize encryption.
[ 09/28/11 17:16:42 PM ]<RMMessage>
<MessageID>The managed device was unable to initialize Novell encryption scheme for the session. Ensure that the managed device is UTC time synchronized with this system. If the problem persists, contact Novell Technical Services.</MessageID>
</RMMessage>[ 09/28/11 17:16:42 PM ].\vncServer.cpp: RMPolicy:: Error: Could not read Console User Name from registry
 
 

Resolution

In addition to confirming time synchronization (see KB 3254631), check the following registry key:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Zenworks\CASubject
 
in 10.3 and above:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\CASubject
 
on x64 devices:
 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Novell\ZCM\

Verify that the key and value are present, that the value is correct (the same as the subject in the CA of the ZENworks server), that it matches the ZEN server CA in the certmgr.msc trusted root store on the device, and that the validity dates agree with the current date on the agent device.
 
Note:  this registry key is populated during zac reg and depopulated during zen unr.
 

Additional Information

Note whether the errors in the log files include a standard Windows error, for example Error: 2, which is ERROR_FILE_NOT_FOUND.
 
In the case where the registry entry exists, but the name is not in agreement with the certificate entered in the certificate manager, the error does not include a Windows error:
 (from zmd-messages.log):
 [DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [Novell Encryption: No CA certificate found to initialize encryption.] [] []
 [DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [<RMMessage><MessageID>The managed device was unable to initialize Novell encryption scheme for the session. Ensure that the managed device is UTC time synchronized with this system. If the problem persists, contact Novell Technical Services.</MessageID></RMMessage>] [] []
 [DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [vncServer.cpp: RMPolicy:: Error: Could not read Console User Name from registry.] [] []
 [DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [vncServer.cpp: removing unauthorised client] [] []
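The log signatures quoted in this article can be separated mechanically when triaging a failed remote control session. The Python script below is an added example, not Novell code: the finding labels are hypothetical, and it assumes that a line in the bracketed [DEBUG] layout comes from a 10.x zmd-messages.log and any other line from an 11.x WinVNC.log.

```python
import re

# Windows error codes named in the article; others are reported by number.
WIN_ERRORS = {2: "ERROR_FILE_NOT_FOUND"}
ZMD_LINE = re.compile(r"^\s*\[DEBUG\] \[")  # assumption: zmd-messages.log layout
REG_READ = re.compile(r"Failed to read (CA certificate|certificate|key) value "
                      r"from registry\. Error: (\d+)")
SSL_NO_CERT = re.compile(r"SSL_accept returned '-1'.*no certificate returned")
NO_CA = "No CA certificate found to initialize encryption"
CA_SUBJECT = "Failed to get CA subject"

def classify(line):
    """Return (finding, detail) for one log line, or None for other lines."""
    m = REG_READ.search(line)
    if m:
        code = int(m.group(2))
        name = WIN_ERRORS.get(code, "Windows error %d" % code)
        return ("registry-value-unreadable", "%s: %s" % (m.group(1), name))
    if CA_SUBJECT in line:
        return ("ca-subject-unreadable", "WinVNC.log: CA subject could not be read")
    if SSL_NO_CERT.search(line):
        return ("casubject-invalid", "11.x WinVNC.log: CASubject is invalid")
    if NO_CA in line:
        # Same message, different cause depending on which log it appears in.
        if ZMD_LINE.match(line):
            return ("casubject-mismatch",
                    "CASubject exists but disagrees with the trusted root certificate")
        return ("casubject-missing", "11.x WinVNC.log: CASubject is missing")
    return None

def triage(lines):
    """Collect distinct findings in first-seen order."""
    out = []
    for line in lines:
        hit = classify(line)
        if hit and hit not in out:
            out.append(hit)
    return out

# Constructed sample: lines copied from the excerpts quoted in this article.
SAMPLE = [
    r"[DEBUG] [07/08/2009 18:15:45.000] [4564] [nzrWinVNC] [4556] [] [Remote Management] [] [vncProperties.cpp: Failed to read CA certificate value from registry. Error: 2] [] []",
    r"[ 09/28/11 17:08:01 PM ]SSL_accept returned '-1'. Error: '1'. Error message: no certificate returned.",
    r"[ 09/28/11 17:16:42 PM ]Novell Encryption: No CA certificate found to initialize encryption.",
    r"[DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [Novell Encryption: No CA certificate found to initialize encryption.] [] []",
    r"[DEBUG] [07/08/2009 20:07:02.000] [7628] [nzrWinVNC] [7460] [] [Remote Management] [] [vncServer.cpp: removing unauthorised client] [] []",
]

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE):
        print(finding, "-", detail)
```

A registry-value-unreadable finding with ERROR_FILE_NOT_FOUND points at the CASubject registry check in the Resolution section, while casubject-mismatch points at comparing the value with the certificate in the trusted root store.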