Strange one. We have an internet facing relay that uses the secure registration. The relay in question already has hundreds of clients connecting to it using the same clientsettings.cfg, which has the _BESClient_SecureRegistration entry and key with it.
However, when I run the installation exe on this particular machine I get these errors in the logs (see image).
Note, I have successfully removed the previous client using the BES Remove tool and verified that all the keys in registry are removed.
Please note that it is possible the existing Clients communicating with the Relay in question may already have authentication keys using non-Manual methods, so, that itself does not mean that the Relay’s manual authentication configuration is valid. It’s worth checking and validating the Relay’s config here per Manual key exchange
If using a single password, ensure that _BESRelay_Comm_KeyExchangePassword on the Relay matches the value in the clientsettings.cfg of the Client.
If using a list of one-time passwords, make sure that the KeyExchangePasswords file still has passwords remaining.
I’m pretty sure we are using a single password solution as the key doesn’t change in the clientsettings.cfg. That said though, I can’t find the _BESRelay_Comm_KeyExchangePassword key in the registry of the relay.
I see many other _BESRelay keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client but not _BESRelay_Comm_KeyExchangePassword.
I do see a ‘StoragePath’ key under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\Enterprise Server\GlobalOptions, but the value of that is just the path to the BES Client installation directory in the OS.
To validate it, cross-check if the following client setting exists on your relays or not:
KeyExchangePasswords
You don’t need to manually check each relay unless you’re sure which ones are configured as authenticated relays. Instead, you can use the following retrieved properties in the BigFix Console to target only the relays that have authentication enabled:
(exists setting "_BESRelay_Comm_Authenticating" whose (value of it = "1") of client)
AND
if exists setting "_BESRelay_Comm_KeyExchangePassword" of client then value of setting "_BESRelay_Comm_KeyExchangePassword" of client else "N/A"
If these settings are missing on certain relays, it may indicate that:
The relay is not configured as an authenticated relay, or
The authentication-related settings/keys were removed or deleted.
If you confirm that a relay should be authenticated but is missing these keys, refer to the following knowledge base article for steps to reconfigure the relay as an authenticated relay:
Note:
When a client connects to the infrastructure for the first time using an authenticated relay, it undergoes the key exchange process.
However, once the client is registered successfully, it can connect to any relay — authenticated or not — unless:
The client is reset, or
Its key storage is deleted.
Hence, to verify that your authenticated relay is functioning correctly, attempt to connect a freshly installed client that has not previously registered. If the client fails to register, it indicates that the authenticated relay setup is not working as expected.
However, there are scenarios where everything is configured correctly according to the documentation and best practices, yet some clients still fail to register. These cases often involve deeper environmental or network-related issues and are a separate topic for troubleshooting - I’ve encountered such situations myself, which is why I wanted to highlight it.
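The checks discussed in this thread (relay has _BESRelay_Comm_Authenticating = 1, _BESRelay_Comm_KeyExchangePassword on the relay matches _BESClient_SecureRegistration in the client's clientsettings.cfg, or, in one-time-password mode, the KeyExchangePasswords file still has entries left) can be scripted so the comparison is done once per relay instead of by eye. The following is an added example written for this reply; it is not BigFix code. It assumes the registry layout named above (one subkey per setting under HKLM\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client, each holding a "value" string) and that clientsettings.cfg is one name=value pair per line; the sample cfg text and relay settings in it are constructed.

```python
"""Cross-check a BigFix relay's manual key-exchange configuration against the
clientsettings.cfg a new client will be installed with.

Added example, not BigFix code. Assumptions: settings live as one subkey per
setting under SETTINGS_KEY with a REG_SZ named "value"; clientsettings.cfg is
'name=value' per line. The sample inputs at the bottom are constructed."""
import sys

# Setting names quoted in the thread.
RELAY_AUTH = "_BESRelay_Comm_Authenticating"
RELAY_PW = "_BESRelay_Comm_KeyExchangePassword"
CLIENT_PW = "_BESClient_SecureRegistration"

# Assumed registry location of the settings on a 64-bit Windows relay.
SETTINGS_KEY = r"SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client"


def parse_clientsettings(text):
    """Parse clientsettings.cfg text ('name=value' per line; '#' lines and blanks ignored)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings


def read_relay_settings_from_registry():
    """Read every setting under SETTINGS_KEY on a Windows relay (assumed layout).
    Returns {} on non-Windows hosts so the pure checks below remain usable."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SETTINGS_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    settings[name] = winreg.QueryValueEx(sub, "value")[0]
            except OSError:
                pass  # subkey without a "value" entry; skip it
    return settings


def check_relay_auth(relay_settings, client_settings, one_time_passwords=None):
    """Return a list of findings; an empty list means the configuration is consistent.

    relay_settings:     dict of settings read from the relay
    client_settings:    parsed clientsettings.cfg of the client being installed
    one_time_passwords: remaining lines of the KeyExchangePasswords file when that
                        mode is used; None means single-password mode
    """
    findings = []
    if relay_settings.get(RELAY_AUTH) != "1":
        findings.append(f"{RELAY_AUTH} is not '1': relay is not an authenticating relay")
    client_pw = client_settings.get(CLIENT_PW)
    if not client_pw:
        findings.append(f"{CLIENT_PW} is missing from clientsettings.cfg")
    if one_time_passwords is not None:
        # One-time list: each new client consumes an entry, so the file must not be empty.
        if not [p for p in one_time_passwords if p.strip()]:
            findings.append("KeyExchangePasswords file has no passwords left")
    else:
        relay_pw = relay_settings.get(RELAY_PW)
        if relay_pw is None:
            findings.append(f"{RELAY_PW} is not set on the relay")
        elif client_pw and relay_pw != client_pw:
            findings.append(f"{RELAY_PW} does not match {CLIENT_PW} in clientsettings.cfg")
    return findings


# Constructed sample inputs (not real credentials or a real relay).
SAMPLE_CFG = """# constructed clientsettings.cfg
_BESClient_RelaySelect_Automatic=0
_BESClient_SecureRegistration=example-shared-secret
"""
SAMPLE_RELAY_OK = {RELAY_AUTH: "1", RELAY_PW: "example-shared-secret"}
SAMPLE_RELAY_NO_PW = {RELAY_AUTH: "1"}  # the situation described in the thread

if __name__ == "__main__":
    relay = read_relay_settings_from_registry() or SAMPLE_RELAY_NO_PW
    client = parse_clientsettings(SAMPLE_CFG)
    for finding in check_relay_auth(relay, client) or ["relay and client settings agree"]:
        print(finding)
```

Run it on the relay itself (as an account that can read HKLM) and it uses the live registry values; anywhere else it falls back to the constructed sample, which reproduces the "_BESRelay_Comm_KeyExchangePassword is not set on the relay" case from this thread. Pass the remaining lines of the KeyExchangePasswords file as one_time_passwords when that mode is in use, since the single-password comparison does not apply there.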