Management point errors in the DMZ

We recently setup a management point in the dmz .Already have boundary groups and added it to forrest discovery (Took a a few ports to open that up so it would work) , and have firewall rules setup to allow our inside primary site to interact with the management point in the dmz

THe management point in the dmz got setup to talk to sql using the insidedomain\service_account that has rights to the sql database. In looking at the mpcontrol.log I see several errors.

Call to HttpSendRequestSync failed for port 80 with status code 500, text: Internal Server Error

Http test request failed, status code is 500, 'Internal Server Error'. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:43 PM 2068 (0x0814)

and also

*** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

*** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

*** Failed to connect to the SQL Server, connection type: MP_CONTROL_ACCESS. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

Failed to get connection to the configured SQL database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)
Failed to connect to the configured SQL database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)
Failed to get the current CLR Enabled configuration setting for the configured SQL Server hosting the database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

We do not have a sccm client on this system yet so i know the health evaluation scheduled task isn't an issue (no client installed).

We've gotten TCP port 1433 and 1443 open to the sql box so that the management point in the dmz can talk to the sql server. Also have other ports for the site server on the inside to talk to the MP in the dmz.

Has anyone seen this before or have any tips that might help with setting up a MP in a dmz that is untrusted.

November 5th, 2013 2:35pm

Is the MP in a separate forest? I'm assuming so.

Where exactly did you configure the account mentioned above?

Free Windows Admin Tool Kit Click here and download it now
November 5th, 2013 4:40pm

Jason -

Correct the MP is in a separate forrest, our DMZ

The account was set when the MP was created in the servers and site system roles area of the Administration section of sccm 2012. The Management Point Database was set up using the specify the account that connects the management point to the sql server database.

I have a case open with microsoft and we've tried a UDL connection back to sql and see there is a handshake but no connection done due to "The login is from an untrusted domain and cannot be used with Windows" message.

Everywhere I've looked I see that port 1433 is needed to open up a connection from the firewall to the SQL server and thats it. We have a rule that allows the MP in the DMZ to initiate a connection to our internal sql server over port 1433.

November 7th, 2013 5:19pm

Hi to all,

I am in the same situation: two different untrusted domain, SQL server on domain A / Management Point on domain B / firewall between domains.

I set Management point connection to SQL server database by a specific account, and I opened only the requested port for MP installation (success) and the SQL port for communication.

I suppose the opened firewall port are OK, I got the same error, on mpcontrol.log and on SQL server log "The login is from an untrusted domain and cannot be used with Windows authentication" ... but i set a domain account in SQL server domain ... what's the problem?

Any further help (or suggestion) will be higly appreciate,
thanks in advance.

Free Windows Admin Tool Kit Click here and download it now
February 4th, 2014 11:05am

Hello Kevin,

I know this post is old but I faced the exact same issue on an untrusted domain.

For me this was the situation;

I had the same message "The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER" while trying to connect from my MP in untrusted forest to SQL on Primary Site.

I checked NTLM, Ports, Permissions and SPNs were OK, but there was something from the SQL side that was not working properly.

Doing some research I found out that there is also needed SPN records for the NTLM authentication to happen. And you have to configure this on the SQL. It's configured on Accepted NTLM SPNs.

Hope it helps who encounters the same issue.


December 10th, 2014 7:32pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics