SCE2010 remote client startup error: (403) Forbidden
Just done a brand new SCE2010 install on Windows 2008. Install on server went fine, but I'm now trying to set up a remote client (Windows 7 Enterprise). All O/S installations are fully patched, and I'm local admin equivalent on the SCE2010 server. Remote client install completes ok, but when I start the client, I get the following error:

Error connecting to updates service 'xxxxxxxxxxx.xxxx.co.uk'
The remote server returned an error (403): Forbidden

If I copy the error, I get the following:

Date: 28/06/2010 11:37:06
Application: System Center Essentials
Application Version: 7.0.2432.1
Severity: Error
Message: Error connecting to Updates service 'xxxxxxxxxxxxx.xxxx.co.uk'
System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.SystemCenter.Essentials.UpdateServerService.Connect(String serverName, Boolean connectSecurely, Int32 socketNumber)
   at Microsoft.SystemCenter.Essentials.UpdateServerService.Connect(String serverName)
   at Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.EssentialsConsoleWindow.ConnectToManagementGroupJob(Object sender, ConsoleJobEventArgs args)

I've added my domain user account to the WSUS Administrators group on the SCE server, but to no avail. I have installed the client certificate, and the SCE console starts fine on the server itself. Seems like this is related to the WSUS server component, so anyone have any ideas?
June 28th, 2010 1:54pm

Hi,

This issue may occur if the SCE console on the Windows 7 machine is having trouble connecting to the WSUS Server. Please check if suggestions on the following thread will help:

Unable to connect the SCE console on a client machine to the server - 403 forbidden: http://social.technet.microsoft.com/Forums/en/systemcenter/thread/daa8df53-d040-47d2-bfa9-de2f6c993dff
June 29th, 2010 9:34am

Thanks for the reply. I looked at the thread you mentioned, and did a couple of the tests, so I can confirm the following:

1. I can load the URL into IE fine. No errors or prompts, and the page displays correctly.
2. If I run MMC, and add the Update Services snap-in, I can connect to the SCE2010 server fine. I'm not prompted for any authentication, and all the functions in the console work ok.

So, although SCE2010 is denying access through the console, manually connecting to the resources on the same server works. Is there something within SCE itself that controls access from remote clients? It does look like it's just the SUS component, but as I get stuck at this point every time, it's not easy to work out where the problem is.
June 29th, 2010 6:59pm

Hi,

It looks like the exception that you're experiencing is a bit different than the one mentioned in the thread above. Here's the interesting part of the exception:

Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.EssentialsConsoleWindow.ConnectToManagementGroupJob(Object sender, ConsoleJobEventArgs args)

This looks like we may be failing to connect to the Management Group. Can you log on to the SCE server with the credentials that you used on the workstation and see if you can launch the console? Also, can you check the OperationsManager Event Log for errors when you attempt to connect remotely?

Thanks!
Brian Zoucha - MSFT
June 30th, 2010 10:42pm

Thanks. If I log on locally to the SCE2010 host, and start the SCE console, it loads fine (even connecting to the Updates service during startup). This problem only seems to occur remotely.

If it bears any relevance, I elected to install SCE2010 using local security with no domain policy. I decided to do this because we already have a WSUS server on the main network, but this only provides updates for clients. This install of SCE will only be used for managing our domain servers. If it's possible, I want the existing WSUS domain policy to continue serving clients, and the SCE policy to just manage servers.

Could this be a reason why the remote connection problem is occurring? Can I keep our existing WSUS and use SCE in domain mode to manage servers? We do have separate OUs in A/D specifically for servers, so if SCE installs a new GP object, there's a possibility I could link it to just the servers OU.
July 1st, 2010 1:54pm

If you exclude the domain server(s) that you want to manage with SCE from the domain policy, and you manually configure these servers to report to SCE for updates and they are managed by SCE, there should be no problem.

When you installed SCE did you choose to specify a domain user account for the OpsMgr Configuration and OpsMgr Data Access Services or are they running under Local System? Are there any errors in the Operations Manager Event log when trying to connect remotely?

Something else to check would be the IIS logs on the SCE server when you try to connect remotely and see if they may provide us some additional detail on the '403 Forbidden' prompt that we're seeing.

Did you follow the steps here when you installed the SCE Console?

Hope this helps,
Brian Zoucha - MSFT
July 7th, 2010 1:02am
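
The IIS log check suggested in the reply above, as an added PowerShell example that is not part of the original thread: it reads the column layout from the W3C `#Fields:` header and groups 403 responses by sub-status, port, client and URL. The log lines, the `/ApiRemoting30/WebService.asmx` path in them and the function name `Get-Iis403Summary` are constructed for illustration.

```powershell
# Added example. Sample lines are constructed, not taken from the thread.
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2010-07-07 09:14:02 POST /ApiRemoting30/WebService.asmx 8531 - 192.0.2.55 403 7 5
2010-07-07 09:14:03 GET /selfupdate/wuident.cab 8530 - 192.0.2.55 200 0 0
2010-07-07 09:15:40 POST /ApiRemoting30/WebService.asmx 8530 - 192.0.2.55 403 4 5
'@

# IIS 7 sub-status codes for HTTP 403 (subset).
$meaning403 = @{
    '4'  = 'SSL required'
    '6'  = 'IP address rejected'
    '7'  = 'Client certificate required'
    '13' = 'Client certificate revoked'
    '14' = 'Directory listing denied'
    '16' = 'Client certificate untrusted or invalid'
    '17' = 'Client certificate expired or not yet valid'
}

function Get-Iis403Summary {
    param([string[]]$Lines)
    $fields = @()
    $hits = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order depends on the site's logging settings; read it from the header.
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($line -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $values = @($line.Trim() -split '\s+')
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '403') { continue }
        $text = $meaning403[[string]$row['sc-substatus']]
        if (-not $text) { $text = 'not in table above' }
        New-Object PSObject -Property @{
            Code = '403.' + $row['sc-substatus']; Meaning = $text
            Port = $row['s-port']; Client = $row['c-ip']; Uri = $row['cs-uri-stem']
        }
    }
    if (-not $hits) { return }
    $hits | Group-Object Code, Meaning, Port, Client, Uri |
        Sort-Object Count -Descending | Select-Object Count, Name
}

Get-Iis403Summary -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# Real log (IIS 7 default location): Get-Content 'C:\inetpub\logs\LogFiles\W3SVC<site-id>\<file>.log'
```

If `sc-substatus` is not among the logged fields, the code column shows only `403.`; enable that field in the site's W3C logging settings and reproduce the failure.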

Sorry for the late reply. I've done some more testing and can confirm the following:

1. A fresh install of SCE2010 in DOMAIN mode makes no difference. The product is working fine, all the WSUS group policies are being applied to servers (it's only servers I'm managing). There are no indications of any errors on the server itself.
2. I can log on locally using my domain account to the SCE server, and run the GUI fine.
3. I've built a fresh Windows 7 Enterprise client (x64), installed the SCE2010 client, and this produces exactly the same error as the other (x32) Win7 client. I followed the MS guidelines to the letter, manually importing the certs to the correct locations.

I'm stumped. It's the 'Updates' service every time that the remote client can't connect to, and as it's happened on two clients now, it has to be a server side security issue, but I can't see where it is. As a reminder, the server is Win2k8 x64 (not R2), fully patched.
July 15th, 2010 7:16pm

Let's try this - can you run Process Monitor on your Windows 7 Client machine while launching the SCE 2010 console? What we're looking for is a failure to connect to an SPN or any type of Access Denied/Forbidden returned. If the Process Monitor doesn't provide enough detail you can run a network trace (Netmon or Wireshark) from your Windows 7 machine while launching the console.

Given the level of complexity with this issue, you may be served better by moving this to the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs.

http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

Hope this helps,
Brian Zoucha - MSFT
July 21st, 2010 9:50pm
