Access denied trying to get https://FQDN/SMS_MP/.sms_aut?MPLIST

All replies

• 

  

  0

  Sign in to vote

  Are you running the MP in HTTPS?

  ---

  John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

  Wednesday, March 19, 2014 8:27 PM
• 

  

  0

  Sign in to vote

  Yes, definitely.
  Could this be a boundary related issues?

   

  Thursday, March 20, 2014 1:30 PM
• 

  

  0

  Sign in to vote

  Shrek,

  Is the MP running Server 2010 or 2012 R2?  If so, this might be your issue:

  http://blogs.technet.com/b/configurationmgr/archive/2013/08/13/support-tip-a-configmgr-2012-management-point-enabled-for-ssl-fails-with-403-forbidden.aspx

  I hope that helps,

  Nash

  ---

  Nash Pherson, Senior Systems Consultant
  Now Micro - My Blog Posts
  If you've found a bug or want the product worked differently, share your feedback.
  <-- If this post was helpful, please click "Vote as Helpful".

  Thursday, April 17, 2014 11:16 PM
• 

  

  0

  Sign in to vote

  Could this be a boundary related issues?

   

  No this is not a boundary issue.
  

  ---

  http://www.enhansoft.com/

  Friday, April 18, 2014 12:59 AM
• 

  

  0

  Sign in to vote

  I have the recommended entries in SCHannel registry key, I do NOT get any 403 in mpcontrol.log on SCCM server 2012 R2 SP1 running on Server 2012 R2
  

  But still get 403 while trying to access either /sms_mp/.sms_aut?mpcert OR /sms_mp/.sms_aut?mplist

  Any ideas?

  Seb

  Saturday, August 22, 2015 4:13 PM
• 

  

  0

  Sign in to vote

  Is you MP running with HTTPS or not?

  ---

  Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Proposed as answer by Ingo.Boehm Friday, October 25, 2019 7:46 AM
  • Unproposed as answer by Ingo.Boehm Friday, October 25, 2019 7:46 AM

  Saturday, August 22, 2015 4:15 PM
• 

  

  0

  Sign in to vote

  That might be normal if running https

  Have a read of this.

  https://ramzibot.wordpress.com/2012/10/04/mpcert-mplist-access-denied-error-after-securing-the-management-point-by-a-certificate/

  
  

  • Edited by Richard.Knight Saturday, August 22, 2015 4:32 PM

  Saturday, August 22, 2015 4:31 PM
• 

  

  0

  Sign in to vote

  OK, makes sense, but

  "...Export the client certificate that the SCCM agent uses..."

  And which certificate is that?

  Seb

  edit:

  It needs to be certificate that was used for client registration (Computer certificate)

  Unless one made modification to the template, by default such certificate does NOT have private key exportable.

  I did do this test (issued modified template Computer certificate with private key exportable), this certificate was used to register with site server via PKI
  

  Exported this certificate, imported this certificate to USER Personal store & INDEED could access BOTH

  /sms_mp/.sms_aut?mpcert
  /sms_mp/.sms_aut?mplist

  by selecting this certificate from popup in IE

  One could use CCMCERTSTORE property during client installation

  https://technet.microsoft.com/en-us/library/gg699356.aspx?f=255&MSPPError=-2147217396

  to force client to use such issued certificate

  Done & dusted!

  edit 2:

  MUCH easier is to use Jailbreak 4 and have no need to mess with certificates, just export the one that was used (it will make the key exportable anyway)

  Seb

  
  
  
  
  
  
  
  
  

  • Edited by scerazy Monday, June 26, 2017 1:05 PM

  Monday, August 24, 2015 10:28 AM