Logins fail when self-signed certificate subject does not match the short host name of server

  • 7003139
  • 27-Apr-2009
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management with Support Pack 1 - 10.1

Situation

After install or update to 10.1, if the subject name of the certificate is the server FQDN but the service name is the server short name, logins fail.
 
ERROR (from zmd-messages.log):
ZENGetAuthToken took exception: -939589597
 
and/or
 
ERROR (from zenlgn.log):
 
Could not find any available servers

Resolution


A fix for this issue is included in ZENworks 11. See KB 7006995 "ZENworks 11 - information and updates", which can be found at https://www.novell.com/support
 
Look at the subject of the server Certificate Authority (for example: zenworks.mry.com). Compare this to the certificate being checked, as reported in zmd-messages.log (with debug enabled), for example:
 
Found certs for host zenworks
Subject in certificate is : CN=zenworks.mry.com, OU=ZENworks
 
Note that in the above example, the short name is used for the host but the FQDN (Fully Qualified Domain Name) is used in the certificate subject.
 
In this case, add the fully qualified domain name of the server to the "Additional DNS Names" field in the ZCC Server properties (found under server > Settings > Infrastructure Management) and refresh the devices.
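
The comparison described above can be scripted when many log entries need checking. The following is an added example, not Novell's code: it assumes the two message texts appear in zmd-messages.log as quoted in this article, and the function names and the second sample pair are constructed for illustration.

```python
import re

# Assumption: message texts as quoted in the article; any log prefix is ignored.
HOST_RE = re.compile(r"Found certs for host\s+(\S+)")
SUBJECT_RE = re.compile(r"Subject in certificate is\s*:\s*(.+)")


def common_name(subject):
    """Return the CN from a subject like 'CN=a.b.c, OU=ZENworks' ('' if none)."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def classify(host, cn):
    """Compare the host name the agent used with the certificate CN."""
    h, c = host.lower().rstrip("."), cn.lower().rstrip(".")
    if h == c:
        return "match"
    if "." not in h and c.startswith(h + "."):
        return "short-name-vs-fqdn"  # the situation this article describes
    return "other-mismatch"


def check_log(lines):
    """Pair each 'Found certs for host' line with the next subject line."""
    results, host = [], None
    for line in lines:
        if m := HOST_RE.search(line):
            host = m.group(1)
        elif (m := SUBJECT_RE.search(line)) and host is not None:
            cn = common_name(m.group(1))
            results.append((host, cn, classify(host, cn)))
            host = None
    return results


# Constructed sample: the first pair is the article's, the second is invented.
SAMPLE = [
    "Found certs for host zenworks",
    "Subject in certificate is : CN=zenworks.mry.com, OU=ZENworks",
    "Found certs for host zen2.example.test",
    "Subject in certificate is : CN=zen2.example.test, OU=ZENworks",
]

if __name__ == "__main__":
    print(*check_log(SAMPLE), sep="\n")
```

A "short-name-vs-fqdn" result corresponds to the case where the FQDN should be added to "Additional DNS Names"; an "other-mismatch" result points to a different certificate or naming problem.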

Additional Information

This happens when, for example, a Windows ZCM server uses the advanced DNS properties in its network settings to append DNS suffixes, but the install does not use that setting to generate an FQDN (Fully Qualified Domain Name) for the server. In this case a warning will have occurred during install and was ignored.