MP Control Manager detected management point is not responding to HTTP requests

  • Question

  • Hi All

    I have an SCCM 2012 SP1 Server in HTTPS mode that has been working fine for about a month until yesterday, when the following error cropped up.

    MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 403, Forbidden.

    Digging around forums etc. and running through the suggested fixes has not made any difference. I have been looking through the mpcontrol.log and comparing yesterday's to today's. Here is a sample from yesterday:

    /////////////////

    SSL is enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Client authentication is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    CRL Checking is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Machine name is 'TRSCCM2012.fal.ac.uk'. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Begin validation of Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Certificate doesn't have EKU, meaning good for all usages. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Completed validation of Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Begin validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Completed validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Skipping this certificate which is not valid for ConfigMgr usage. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    >>> Selected Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' for HTTPS Client Authentication SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Sent summary record of SMS Management Point on ["Display=\\TRSCCM2012.fal.ac.uk\"]MSWNET:["SMS_SITE=FXP"]\\TRSCCM2012.fal.ac.uk\ to \\TRSCCM2012.fal.ac.uk\SMS_FXP\inboxes\sitestat.box\nrf80qao.SUM, Availability 0, 52551676 KB total disk space , 50052188 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Http test request succeeded. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)
    Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8316 (0x207C)

    ///////////////

    And then a sample from today

    //////////////

    SSL is enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Client authentication is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    CRL Checking is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Machine name is 'TRSCCM2012.fal.ac.uk'. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Certificate doesn't have EKU, meaning good for all usages. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Skipping this certificate which is not valid for ConfigMgr usage. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    >>> Selected Certificate [Thumbprint 7cac016fa1efdb476dc182e2c2878364838e678a] issued to 'TRSCCM2012.fal.ac.uk' for HTTPS Client Authentication SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Sent summary record of SMS Management Point on ["Display=\\TRSCCM2012.fal.ac.uk\"]MSWNET:["SMS_SITE=FXP"]\\TRSCCM2012.fal.ac.uk\ to \\TRSCCM2012.fal.ac.uk\SMS_FXP\inboxes\sitestat.box\r1vrc829.SUM, Availability 1, 52551676 KB total disk space , 50078840 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0) 

    //////////////

    I can't really see any difference; the only thing I did was reboot the server, so I assume a change I had made did not cause this issue to crop up until I rebooted the server. Another thing to note is that the two certificates it is trying to validate against are the ConfigMgr SQL Server Identification Certificate and the SCUP Signing Certificate. For some reason it is not even trying to use the SCCM Client Authentication certificate.

    Any help will be greatly appreciated


    • Edited by AWeaver Tuesday, July 9, 2013 10:12 AM
    Tuesday, July 9, 2013 9:45 AM

Answers

  • Hi again All

    Just thought I would update this post in case anyone else encountered the same problem. I found this KB:

    http://support.microsoft.com/kb/2802568

    It would appear that when I was setting up SCUP and distributed the certificate to Trusted Publishers and Trusted Root Certification Authorities, and then rebooted a week later, the non-self-signed SCUP certificate in Trusted Root Certification Authorities caused a bug that no longer trusted any certificates.

    As soon as I deleted this certificate and rebooted the server everything was fine again.

    • Marked as answer by AWeaver Thursday, July 11, 2013 7:51 AM
    Thursday, July 11, 2013 7:51 AM

All replies

  • OK, so I tried deleting the SCUP certificate to see what the MP would try to use to authenticate, and here is what happened:

    ///////////////////

    SSL is enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Client authentication is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    CRL Checking is also enabled. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Machine name is 'TRSCCM2012.fal.ac.uk'. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Skipping this certificate which is not valid for ConfigMgr usage. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    There are no certificate(s) that meet the criteria. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Performing machine FQDN to SAN2 search. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint e420dc0860b08d1655b98579c5791def4f26b23f] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint e420dc0860b08d1655b98579c5791def4f26b23f] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint a982e18547be91738e49a86a0850985c83838532] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint a982e18547be91738e49a86a0850985c83838532] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Certificate doesn't have SAN2 extension. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint 67fca8d1ae3b7eda074ef065f69821f2877fa1e2] issued to 'TRSCCM2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Begin validation of Certificate [Thumbprint 41ee30dac76f49fe0bc2d2c3c1c39bacb73b62f0] issued to 'trsccm2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Certificate doesn't have "SSL Client Authentication" capabilities. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Completed validation of Certificate [Thumbprint 41ee30dac76f49fe0bc2d2c3c1c39bacb73b62f0] issued to 'trsccm2012.fal.ac.uk' SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    >>> Selected Certificate [Thumbprint a982e18547be91738e49a86a0850985c83838532] issued to 'TRSCCM2012.fal.ac.uk' for HTTPS Client Authentication SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Sent summary record of SMS Management Point on ["Display=\\TRSCCM2012.fal.ac.uk\"]MSWNET:["SMS_SITE=FXP"]\\TRSCCM2012.fal.ac.uk\ to \\TRSCCM2012.fal.ac.uk\SMS_FXP\inboxes\sitestat.box\cy358c1f.SUM, Availability 1, 52551676 KB total disk space , 50075660 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)

    ///////////////

    Then when I put the SCUP certificate back in, it reverted to using it and never even looked at the SCCM Client certificate. What I don't understand is why SCCM only attempts to connect to the MP using the SQL and SCUP certificate. It only tries to use the Client Cert and other certs when the SQL and SCUP fail, and seems to do a search elsewhere:

    There are no certificate(s) that meet the criteria. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)
    Performing machine FQDN to SAN2 search. SMS_MP_CONTROL_MANAGER 01/01/1601 00:00:00 8656 (0x21D0)

    How do I get SCCM to always use the Client cert? Is there a setting not correct?

    Thanks Again

    EDIT:

    Also, looking through the IIS log files I'm getting a lot of 403.16 2148204809 errors, which apparently refers to "Client certificate is untrusted or invalid".

    Sorry, I'm not the best on certificates, so any help will be greatly appreciated.


    • Edited by AWeaver Tuesday, July 9, 2013 1:46 PM Additional Info
    Tuesday, July 9, 2013 11:36 AM
  • Thank you for posting that solution up AWeaver. Had a similar issue at a client site and was able to resolve it by removing the unneeded certificate and restarting the MP_ControlManager service.

    Be kind and Mark as Answer if I helped.

    Thursday, January 21, 2016 11:27 PM
  • Still a valid answer, ran into this problem today. From that KB link there is another that has a PowerShell command to find the problem cert, removing the cert and restarting the component worked perfectly.

    Monday, February 27, 2017 1:51 AM
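
The check described in the answer and the last reply, as an added example that is not part of the thread or the KB text: it lists certificates in the machine Trusted Root store that are not self-signed, and notes which of them are also in Trusted Publishers, as the SCUP certificate was. The function name `Find-NonSelfSignedRoot` is hypothetical, and treating "Issuer differs from Subject" as the test for "not self-signed" is an assumption.

```powershell
# Added example: report non-self-signed certificates in Trusted Root.
# Assumption: a certificate whose Issuer differs from its Subject is not
# self-signed. This only reports; it does not delete or move anything.
function Find-NonSelfSignedRoot {
    [CmdletBinding()]
    param(
        # Certificates to inspect; defaults to the local machine Trusted Root store.
        [Parameter(ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\LocalMachine\Root)
    )
    begin {
        # Thumbprints in Trusted Publishers, to spot a signing certificate
        # that was distributed to both stores.
        $publisher = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
            ForEach-Object { $_.Thumbprint })
    }
    process {
        foreach ($cert in $Certificate) {
            if ($cert.Issuer -ne $cert.Subject) {
                [pscustomobject]@{
                    Thumbprint           = $cert.Thumbprint
                    Subject              = $cert.Subject
                    Issuer               = $cert.Issuer
                    NotAfter             = $cert.NotAfter
                    AlsoTrustedPublisher = ($publisher -contains $cert.Thumbprint)
                }
            }
        }
    }
}

# Run on the management point in an elevated session.
Find-NonSelfSignedRoot | Format-List
```

Compare the thumbprints in the output with those in mpcontrol.log before changing the store; the fix reported in this thread was deleting the SCUP certificate from Trusted Root Certification Authorities and rebooting.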