MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

    Question

  • Hi all,

    I've got an error I've been trying to work through for a few days now, and I've run out of ideas. 

    This is my environment layout...

    SCCM is in Native Mode.  SCCM is in the production environment but does not have clients associated with it yet (clients will be migrated from SMS 2003 to this new SCCM environment in the near future).

    1 x SCCM Central Primary on Windows 2008 R2 (with SQL on a separate server)

    1 x SCCM Child Primary on Windows 2008 R2 (with SQL on a separate server)

    Every hour, the SMS_MP_CONTROL_MANAGER (on both Central Primary & Child Primary) throws an error.  The error is:

    MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 403, Forbidden.
    
    Possible cause: Management point encountered an error when connecting to SQL Server. 
    Solution: Verify that the SQL server is properly configured to allow Management Point access. Verify that management point computer account or the Management Point Database Connection Account is a member of SMS Management Point Role (msdbrole_MP) in the SQL Server database.
    
    Possible cause:  The SQL Server Service Principal Names (SPNs) are not registered correctly in Active Directory
    Solution:  Ensure SQL server SPNs are correctly registered.  Review Q829868.
    
    Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which SMS is configured to communicate. 
    Solution: Verify that the designated Web Site is configured to use the same ports which SMS is configured to use.
    
    Possible cause: The designated Web Site is disabled in IIS. 
    Solution: Verify that the designated Web Site is enabled, and functioning properly.
    
    Possible cause: The SMS ISAPI Application Identity does not have the requisite logon privileges. 
    Solution: Verify that the account that the SMS ISAPI is configured to run under has not been denied batch logon rights through group policy.
    
    For more information, refer to Microsoft Knowledge Base article 838891.
    


    I have checked all the suggestions given by the error and they all appear ok.  The server(s) are in their respective msdbrole_MP roles, the SPNs are ok, IIS is running etc.

    When I look in the mpcontrol.log (on either the central primary or the child primary), I see these lines repeating over and over.  Example:

    Machine name is 'SCCM01.mydomain.local.
    CryptVerifyCertificateSignatureEx returned error 0x80090006.
    Certificate doesn't have "SSL Client Authentication" capabilities.
    Skipping certificate that is not valid for ConfigMgr usage.
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
    Http test request failed, status code is 403, 'Forbidden'.
    STATMSG: ID=5436 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=SCCM01 SITE=QLD PID=1692 TID=6404 GMTDATE=Mon Nov 07 01:48:24.707 2011 ISTR0="403" ISTR1="Forbidden" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Successfully performed Management Point availability check against local computer.

    If I look in the IIS logs, I see this error.

    2011-11-07 01:53:24 ::1 GET /SMS_MP/.sms_aut MPLIST 443 - ::1 SMS_MP_CONTROL_MANAGER 403 13 2148204812 50

    Now, from what I've been able to gather, in the IIS log - I'm seeing an HTTP 403.13 error (which is certificate revoked).  But all my certificates are ok, and they're not revoked. 

    Everything in SCCM seems to be working, but these errors are making my SMS_MP_CONTROL_MANAGER go into a critical state, and therefore it's triggering alerts in Operations Manager.

    Thanking you in advance for any assistance.

    Noel.


    http://www.dreamension.net
    Monday, November 07, 2011 1:59 AM

Answers

  • In this case, revoked doesn't necessarily mean revocation in the PKI sense, it just means the server didn't like the client cert presented.

    How did you create your certs? From the error message above, it looks the certificate you issued does not contain client auth: "Certificate doesn't have "SSL Client Authentication" capabilities."


    Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
    • Marked as answer by Sabrina Shen Wednesday, December 07, 2011 6:38 AM
    Monday, November 07, 2011 2:16 PM
    Moderator
  • Hey guys, I _finally_ fixed it.  After all that it was quite simple.

    I double checked and triple checked the certificate templates and they were 100%.

    I don't know why I didn't see this before, but going back to the IIS logs - and looking at http error 403.13 - I followed that error to this KB: http://support.microsoft.com/kb/294305

    Where the first step is:

    1. Delete any duplicate client certificates (that is, client certificates that are issued from the same Certificate Authority) from the client browser.

    I went into the certificates snap-in on my management point, and there it was.  A duplicate client authentication certificate.  I deleted the duplicate, restarted my MP role - and it's working like a charm.


    Now I see nothing but this: 2011-12-08 07:15:19 ::1 GET /SMS_MP/.sms_aut MPLIST 443 - ::1 SMS_MP_CONTROL_MANAGER 200 0 0 46

    Which is a lot better than the 403 error.


    http://www.dreamension.net
    Thursday, December 08, 2011 7:35 AM
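The duplicate-certificate condition described in the accepted answer can be checked before anything is deleted. The script below is an added example, not code from the thread or from ConfigMgr: it lists the certificates in the management point's LocalMachine\My store that carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) and warns when more than one was issued by the same CA, which is the situation KB 294305 step 1 refers to. It only reports; the store name and the grouping by issuer are assumptions about the environment.

```powershell
# Added example (not from the thread): report client-authentication certificates in the
# management point's machine store and flag issuers that appear more than once.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the extensions and look for an EKU extension containing clientAuth.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# Store path assumed: the MP's computer certificate lives in LocalMachine\My.
$clientCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { Test-ClientAuthEku -Cert $_ }

Write-Host ("Client-auth certificates in LocalMachine\My: {0}" -f @($clientCerts).Count)
$clientCerts | Sort-Object Issuer, NotAfter |
    Format-Table Subject, Issuer, Thumbprint, NotBefore, NotAfter, HasPrivateKey -AutoSize

# More than one client-auth certificate from the same CA is the duplicate
# condition the 403.13 troubleshooting step describes. Report only; do not delete here.
$dupes = $clientCerts | Group-Object -Property Issuer | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    foreach ($g in $dupes) {
        Write-Warning ("{0} client-auth certificates issued by: {1}" -f $g.Count, $g.Name)
        # Expiry and private-key presence help decide which copy is the live one.
        $g.Group | Sort-Object NotAfter -Descending |
            Select-Object Thumbprint, NotAfter, HasPrivateKey | Format-Table -AutoSize
    }
} else {
    Write-Host 'No same-issuer duplicate client-auth certificates found.'
}
```

Run it in an elevated PowerShell session on the management point; a warning for the MP's own issuing CA is the signal to review the listed thumbprints against the certificate templates before removing one.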

All replies

  • Is the CRL published to the expected CDPs? Is that resolvable/accessible from the MP? Has it also been recently published within the expected interval? That was our problem last time we had a 403.13 :(

    • Edited by fault Monday, November 07, 2011 11:41 AM
    Monday, November 07, 2011 11:40 AM
  • @fault - yep, the CRL is resolvable and accessible from the MP - I can get to the published CRL and download it without any problem.


    @Jason - the certs were created by following the Native Mode procedure on technet, but I will double check them to be sure.  I'll post back the results and if we identify any further issues (or a resolution).


    Thanks guys.


    http://www.dreamension.net
    Monday, November 07, 2011 11:29 PM