Access denied trying to get https://FQDN/SMS_MP/.sms_aut?MPLIST

Here are my symptoms:

Browsing to https://FQDN from the internet while the client is disconnected from VPN (with IE), I do get a valid site and a valid certificate.

Client LocationService.log
[CCMHTTP] ERROR: URL=https://FQDN/SMS_MP/.sms_aut?MPLIST2&REG, Port=443, Options=448, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE

When trying this https://FQDN/SMS_MP/.sms_aut?MPLIST
I get

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the
credentials that you supplied.

So am I looking at a permission issue or a certificate issue?

--

TIA


  • Edited by A. Finer Wednesday, March 19, 2014 7:47 PM
March 19th, 2014 6:36pm

Are you running the MP in HTTPS?
March 19th, 2014 8:27pm

Yes, definitely.
Could this be a boundary-related issue?
March 20th, 2014 1:30pm

Shrek,

Is the MP running Server 2010 or 2012 R2?  If so, this might be your issue:

http://blogs.technet.com/b/configurationmgr/archive/2013/08/13/support-tip-a-configmgr-2012-management-point-enabled-for-ssl-fails-with-403-forbidden.aspx

I hope that helps,

Nash

April 17th, 2014 11:16pm

Could this be a boundary-related issue?
No this is not a boundary issue.
April 18th, 2014 12:59am

I have the recommended entries in the SCHANNEL registry key. I do NOT get any 403 in mpcontrol.log on SCCM server 2012 R2 SP1 running on Server 2012 R2

But still get 403 while trying to access either /sms_mp/.sms_aut?mpcert OR /sms_mp/.sms_aut?mplist

Any ideas?

Seb

August 22nd, 2015 12:18pm

Is your MP running with HTTPS or not?
August 22nd, 2015 12:20pm

That might be normal if running https

Have a read of this.

https://ramzibot.wordpress.com/2012/10/04/mpcert-mplist-access-denied-error-after-securing-the-management-point-by-a-certificate/


August 22nd, 2015 12:36pm


OK, makes sense, but

"...Export the client certificate that the SCCM agent uses..."

And which certificate is that?

Seb

edit:

It needs to be the certificate that was used for client registration (Computer certificate)

Unless one made modification to the template, by default such certificate does NOT have private key exportable.

I did do this test (issued modified template Computer certificate with private key exportable), this certificate was used to register with site server via PKI

Exported this certificate, imported this certificate to USER Personal store & INDEED could access BOTH

/sms_mp/.sms_aut?mpcert
/sms_mp/.sms_aut?mplist

by selecting this certificate from popup in IE

One could use CCMCERTSTORE property during client installation

https://technet.microsoft.com/en-us/library/gg699356.aspx?f=255&MSPPError=-2147217396

to force client to use such issued certificate

Done & dusted!

Seb

  • Edited by scerazy 12 hours 35 minutes ago
August 24th, 2015 6:30am
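
Added example, not part of any post in this thread: a PowerShell check that requests the two URLs discussed above first without a client certificate and then with each candidate computer certificate, so the 403 seen in the browser can be compared with what a certificate-bearing request gets, without exporting a private key into the user store. The FQDN is a placeholder, `Get-MpStatus` is a hypothetical helper name, and an elevated session on the client is assumed.

```powershell
# Added diagnostic example, not from the thread. Run in an elevated session on the
# client so the computer certificate's private key is usable.
$MpFqdn = 'mp.example.test'              # placeholder: replace with the MP's FQDN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU

# Hypothetical helper: returns the HTTP status code, or the error text when
# no HTTP response came back (for example a TLS handshake failure).
function Get-MpStatus {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $request = @{ Uri = $Url; UseBasicParsing = $true }
    if ($Certificate) { $request.Certificate = $Certificate }
    try {
        [int](Invoke-WebRequest @request).StatusCode
    } catch {
        $response = $_.Exception.Response
        if ($response) { [int]$response.StatusCode } else { $_.Exception.Message }
    }
}

# Computer-store certificates that could serve as the client's PKI certificate:
# private key present, not expired, Client Authentication EKU.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
})
if (-not $candidates) { Write-Warning 'No usable client authentication certificate in LocalMachine\My.' }

foreach ($query in 'MPCERT', 'MPLIST') {
    $url = "https://$MpFqdn/SMS_MP/.sms_aut?$query"
    # Baseline: same request a browser makes when no certificate is offered
    [pscustomobject]@{ Query = $query; Certificate = '(none)'; Result = Get-MpStatus -Url $url }
    foreach ($cert in $candidates) {
        [pscustomobject]@{
            Query       = $query
            Certificate = "$($cert.Subject) [$($cert.Thumbprint)]"
            Result      = Get-MpStatus -Url $url -Certificate $cert
        }
    }
}
```

A 403 on the `(none)` rows together with a 200 on a certificate row matches what the last post reports: the management point answers once the client's computer certificate is presented.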
