CCMSetup - Failed to successfully complete http request (403)
Hi, I have a single Windows Server that I'm unable to install the SCCM agent onto. It's a Win2008R2 Enterprise server with Hyper-V installed. Our SCCM environment is R2 running in native mode. IIS and SCCM are configured to allow client installation and it has worked consistently for the other 50 Windows servers. I just have a problem with this one.

The only time I've experienced agent installation trouble is when the client hasn't enrolled for a certificate yet, or the server MP threw a wobbler. I can see that the client has a valid Client Authentication certificate, and all other servers are able to communicate with the Software Updates point.

I'm installing the client via publishing to WSUS MP, however I have also tried installing manually using the following command:

    ccmsetup.exe /native /mp:SERVERFQDN SMSSITECODE=AUTO /NOSERVICE

Neither method seems to work. Windows Update detects that the agent is available for install but fails to install it with error code 1 unknown error. The output of the CCMSETUP log is as follows (I've replaced actual server names):

    <![LOG[Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again.]LOG]!><time="02:05:55.035+-60" date="06-18-2011" component="ccmsetup" context="" type="1" thread="6208" file="ccmsetup.cpp:2774">
    <![LOG[Successfully ran BITS check.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="1" thread="6208" file="ccmsetup.cpp:7105">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="1" thread="6208" file="ccmcert.cpp:204">
    <![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3518">
    <![LOG[2 certificate(s) found in the 'MY' certificate store.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3547">
    <![LOG[The 'MY' of 'Local Computer' store has 2 certificate(s). Using custom selection criteria based on the machine name.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3586">
    <![LOG[Machine name is 'ONYX.arc.org.uk'.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:1919">
    <![LOG[SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="2" thread="6208" file="ccmutillib.cpp:134">
    <![LOG[The certificate issued to 'SERVER.DOMAIN.COM' has 'Client Authentication' capability.]LOG]!><time="02:05:55.129+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:432">
    <![LOG[Using the certificate issued to 'SERVER.DOMAIN.COM'.]LOG]!><time="02:05:55.129+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3631">
    <![LOG[Failed to successfully complete HTTP request. (StatusCode at WinHttpQueryHeaders: 403)]LOG]!><time="02:05:55.347+-60" date="06-18-2011" component="ccmsetup" context="" type="3" thread="6208" file="ccmsetup.cpp:5969">
    <![LOG[A Fallback Status Point has not been specified. Message with STATEID='308' will not be sent.]LOG]!><time="02:05:55.347+-60" date="06-18-2011" component="ccmsetup" context="" type="1" thread="6208" file="ccmsetup.cpp:9330">

This server seems to have two certificates installed - the SCCM client certificate and a Server Authentication certificate used by SCVMM. I'm not sure if that's interfering. I've had a look at other posts on here and around the web but so far haven't had any luck. If anyone has any suggestions or has experienced this themselves I'd be grateful for the help.

Thanks, Tim
June 17th, 2011 6:29pm

A 403 is an access denied in HTTP terms but it can be for one of a lot of reasons. You should check your IIS logs on the MP to see exactly which 403 code you are getting. For example, a 403.13 is a rejected client certificate. Have you verified that the client auth certificate issued to this system is valid and not revoked or expired and has a unique value in the Subject name or Alternate subject name fields per http://technet.microsoft.com/en-us/library/bb680733.aspx? Also note that /mp does not set the MP, it merely tells ccmsetup where to download its files from.

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
June 17th, 2011 9:05pm
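
Added example, not part of the original thread: a Python script for the IIS log check suggested in the reply above, reading a W3C-format log from the MP and reporting each 403 with its substatus. The sample log lines, IP addresses and request path are constructed for illustration; the substatus descriptions follow IIS's published status code list.

```python
from collections import Counter

# IIS 403 substatus codes that concern the client certificate.
CERT_SUBSTATUS = {
    "7": "client certificate required",
    "12": "mapper denied access",
    "13": "client certificate revoked",
    "16": "client certificate untrusted or invalid",
    "17": "client certificate expired or not yet valid",
}

# Constructed sample (W3C extended format); addresses and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-06-18 01:05:55 10.0.0.10 GET /CCM_Client/ccmsetup.cab - 443 - 10.0.0.51 ccmsetup 403 13 0 120
2011-06-18 01:06:10 10.0.0.10 GET /CCM_Client/ccmsetup.cab - 443 - 10.0.0.52 ccmsetup 200 0 0 46
2011-06-18 01:07:02 10.0.0.10 GET /CCM_Client/ccmsetup.cab - 443 - 10.0.0.51 ccmsetup 403 13 0 98
"""


def find_403s(log_text):
    """Count 403 responses per (client IP, '403.N', meaning)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column order is declared in the log and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "403":
            continue
        sub = row.get("sc-substatus", "?")
        meaning = CERT_SUBSTATUS.get(sub, "other, see the IIS status code list")
        hits[(row.get("c-ip", "?"), f"403.{sub}", meaning)] += 1
    return hits


if __name__ == "__main__":
    for (client, code, meaning), n in find_403s(SAMPLE_LOG).items():
        print(f"{client}  {code}  {meaning}  x{n}")
```

The script relies on the `sc-substatus` column being enabled in the site's W3C logging fields; without it only the bare 403 is recorded.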

Hi Tim,

Please check if the information in the following links helps:

Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.13 - Forbidden"
The HTTP status codes in IIS 7.0
How to Use HTTP Detailed Errors in IIS 7.0

Regards, Sabrina

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. | Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 20th, 2011 3:21pm

Guys, that's really great, thanks. @Jason: I checked the IIS logs and found the client certificate was being rejected. Thinking along those lines, I think CCMSetup was selecting the wrong certificate from the local store. So I set up a dev environment and got the exact same problem - Hyper-V computer failing to install client with same error. I removed the SCVMM cert and the client install worked without a hitch. However, not wanting to remove the certificate in a live environment to install the SCCM client (which then meant I'd have to remove Hyper-V computer as a managed host in SCVMM then re-add it), I copied down the Client installation files locally and used the /source: switch with CCMSetup to point at those files. This seemed to work instead. I was a little concerned that if the MP was rejecting the certificate for downloading setup files then it would also reject agent communication, but it would appear to be fully working and communicating with the MP.
June 21st, 2011 9:13am
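
Added example, not part of the original thread: a Python parser for the ccmsetup.log entry format shown in the first post, which pulls out the certificate count, the certificate that was selected and the HTTP status, and flags the combination described above (more than one certificate in the store together with a 403). The log excerpt is copied from the first post; the `triage` function and its field names are hypothetical.

```python
import re

# One entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" thread=".." file="..">
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"'
    r' component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"'
    r' thread="\d+" file="(?P<file>[^"]*)">',
    re.DOTALL,  # a message may wrap across lines
)

# Three entries taken from the log in the first post.
LOG_EXCERPT = """\
<![LOG[2 certificate(s) found in the 'MY' certificate store.]LOG]!><time="02:05:55.113+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3547">
<![LOG[Using the certificate issued to 'SERVER.DOMAIN.COM'.]LOG]!><time="02:05:55.129+-60" date="06-18-2011" component="ccmsetup" context="" type="0" thread="6208" file="ccmcert.cpp:3631">
<![LOG[Failed to successfully complete HTTP request. (StatusCode at WinHttpQueryHeaders: 403)]LOG]!><time="02:05:55.347+-60" date="06-18-2011" component="ccmsetup" context="" type="3" thread="6208" file="ccmsetup.cpp:5969">
"""


def triage(log_text):
    """Summarise certificate selection and HTTP failures in a ccmsetup.log."""
    result = {"cert_count": None, "selected": None, "http_status": None, "errors": []}
    for m in ENTRY.finditer(log_text):
        msg = " ".join(m["msg"].split())  # collapse wrapped lines
        if c := re.match(r"(\d+) certificate\(s\) found in the '\w+' certificate store", msg):
            result["cert_count"] = int(c[1])
        elif s := re.match(r"Using the certificate issued to '([^']*)'", msg):
            result["selected"] = s[1]
        elif h := re.search(r"StatusCode at WinHttpQueryHeaders: (\d+)", msg):
            result["http_status"] = int(h[1])
        if m["type"] == "3":  # type 3 marks an error entry in this log format
            result["errors"].append(msg)
    # Several candidate certificates plus a 403 means the selected one deserves a look.
    result["check_cert_selection"] = (
        (result["cert_count"] or 0) > 1 and result["http_status"] == 403
    )
    return result


if __name__ == "__main__":
    print(triage(LOG_EXCERPT))
```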

This topic is archived. No further replies will be accepted.
