none
403.16 Problem in ISS8 on MP in DMZ RRS feed

  • Question

  • IIs8
    SCCM2012CU2

    After succesfull install af MP in DMZ (mpsetup.log have no errors), I get 403.16 errors in IIs log

    This is a known condition according to MS http://support.microsoft.com/kb/2802568 (IIS8 may reject client certificate requests with HTTP 403.16 errors)

    But I'm very unsure of the proposed workaround. Can not make sense of it.

    Do anyone now how to enable CTL in IIs8 in stead of the proposed work around from kb280568?

     Regards
    Claus

    IIS log:
    2013-07-02 10:21:16 fe80::44e1:775d:b698:c55%12 GET /SMS_MP/.sms_aut MPLIST 443 - fe80::44e1:775d:b698:c55%12 SMS_MP_CONTROL_MANAGER - 403 16 2148204809 34


    MPcontrol.log:
    Initialized 'SMS Server Availability' performance instance => SMS Management Point. 
    Received an MP registry key change notification.
    Successfully handled registry changes.
    SSL is enabled.
    Client authentication is also enabled.
    Machine name is 'server.domain.com'.
    Begin validation of Certificate [Thumbprint f88e7fbb1a915815680b0f66b2b262483a6739ac] issued to 'server.domain.com'
    Certificate doesn't have "SSL Client Authentication" capabilities.
    Completed validation of Certificate [Thumbprint f88e7fbb1a915815680b0f66b2b262483a6739ac] issued to 'server.domain.com'
    Skipping this certificate which is not valid for ConfigMgr usage.
    Begin validation of Certificate [Thumbprint cf348b2e7dcee16ef8c45d6f444d7cb4d51c9b4e] issued to 'server.domain.com'
    Certificate has "SSL Client Authentication" capability.
    Completed validation of Certificate [Thumbprint cf348b2e7dcee16ef8c45d6f444d7cb4d51c9b4e] issued to 'server.domain.com'
    >>> Selected Certificate [Thumbprint cf348b2e7dcee16ef8c45d6f444d7cb4d51c9b4e] issued to 'server.domain.com' for HTTPS Client Authentication
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
    WARN: The FDM is not installed on server
    Successfully performed Management Point availability check against local computer.

    Tuesday, July 2, 2013 10:39 AM

Answers

All replies

  • After loads of hours troubleshooting, and a schannel hint from MS, I found the solution a few days ago.

    I've tested and verified it over a couple of days.

    NB. It's not a WSUS problem. It's caused by new setting in server 2012 compared to older OS'.

    [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL]

    "ClientAuthTrustMode"=dword:00000002 "ClientAuthTrustMode" = dword: 00000002

    And some details in this link

    http://translate.google.com/translate?hl=da&sl=tr&tl=en&u=http%3A%2F%2Fblogs.msdn.com%2Fb%2Fdevtr%2Farchive%2F2013%2F04%2F24%2Fwindows-server-2012-ve-iis-8-uzerinde-403-16-veya-403-7-alabilirsiniz.aspx

    • Marked as answer by Claus Brandal Tuesday, July 9, 2013 5:12 PM
    Tuesday, July 9, 2013 5:12 PM
  • I fixed the 403.16 issue by making sure there are only Root Certificates in "Trusted Root Certification Authorities", a common mistake people do is placing Intermediate Certificates under Trusted Root.

    You can user PowerShell to check if you have non Root certs under Trusted Root:

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"

    Source: https://support.microsoft.com/sv-se/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requests-with-http-403.7-or-403.16-errors


    Friday, March 10, 2017 7:17 AM
  • Installed the MP in DMZ domain , i am having the same problem. Executed the above powershell script it gives me blank result and also Trusted ROOT and Intermediate store folders are having only it respective certificates.

    Kindly suggest on this.

     
    Friday, June 26, 2020 6:21 AM