Sometimes after restoring an AppSense database and/or rebuilding an AppSense server, you might notice you can’t push agents (Client Communications Agent/CCA, Environment Manager Agent, etc.) to clients and it will give you an error in the Management Console. The Status field will say:
No client access credentials have been specified. Please enter credentials before retrying to to Poll the client.
and under the Client Access Log, you can see more details on the error:
Could not use credential: "DOMAIN\UserID", error: Password decryption failed, error: [Unable to access the Master Key on the server, error was Keyset does not exist.]
In a pinch, you can manually install the agents on the client and they will start checking in but you are still going to get these error messages in the Management Console:
When you go to “Client Access Credentials”, you will get prompted with the following error message:
DataAccessServices.CryptoManager+MasterKeyAccessException: Unable to access the Master Key on the server, error was Keyset does not exist
If you hit OK and attempt to enter the missing credentials, the AppSense Management Console will crash on you. As in the entire MMC will crash and disappear. Don’t worry, this is an easy fix.
1. Go to Start > All Programs > AppSense > Management Center > AppSense Management Server Configuration
2. The Encryption field will likely be red. Just click it and you will see the Encryption Key Status is “Not Valid”. The Transfer Key may also say “Not Present”:
3. Go ahead and click the “Regenerate” button. It will warn you asking “Are you sure that you want to replace the current master key hash? A new master key hash will be regenerated”. Go ahead and click OK:
4. Now click “Store” for the Transfer Key. It will ask you to enter a new Transfer Key Password. Go ahead and type it in and press OK. One thing to note, if you are load balancing the Management Server and it says the Transfer Key is “Present”, do not click Store and enter a new one. Instead just click Retrieve and type the password when prompted. If you are load balancing and it doesn’t have the Transfer Key present, use Store on the first server and when performing these steps on the second server, use Retrieve:
5. Now your Encryption settings should look something like this. Encryption key is “Valid” and Transfer Key is “Present”:
6. Now open up the Management Console again and you should should be able to add credentials under Client Access Credentials. You might even see the old user name and password in there. You will have to re-enter the password on it though:
7. Now go back to your Deployment Group and find your client machine. Click “Poll Now” and it should successfully poll impersonating using the credential you entered.
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
Mark
March 18, 2013 at 12:28 PM
I’m having this same issue. I followed your instructions and it now shows Valid and Present, however I’m still getting the error. It’s driving me nuts trying to figure this one out.
Jason Samuel
March 19, 2013 at 4:23 PM
@Mark
Mike filled me in on what was going on. Wish I could help you but sounds like something unique in that particular setup. I’d like to know the answer once you figure it out. 🙂
Mark
March 22, 2013 at 2:20 PM
Fixed it. It helps when you REALLY DO have Domain Admin rights when installing haha.