~ Vinayak Sharma | Technical Lead
Here’s a quick tip on an interesting issue I saw the other day in case you happen to run across it.
The core issue is that an HTTPS-enabled System Center 2012 Configuration Manager (ConfigMgr 2012) Management Point (MP) installed on Windows Server 2012 may not work as expected, and in the IIS logs you see a 403.16 status code, which resolves to ‘Client certificate is untrusted or invalid.’ The Mpcontrol.log will also show the following:
Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden Http test request failed, status code is 403, 'Forbidden'.
This can occur if IIS is not configured to use a Certificate Trust List (CTL). Without a CTL, SSL client certificate authentication fails with the 403.16 error mentioned above because SChannel.dll wrongly considers the client certificate to be untrusted.
NOTE: Having no CTL in use is the default configuration of IIS 8.0. This is the case when there is no SendTrustedIssuerList value present, or when SendTrustedIssuerList=0.
This can also occur if there is a certificate that is not self-signed in the 'Trusted Root Certification Authorities' certificate store.
To resolve this issue, we need to have these two registry values created on the MP server.
Also make sure that there is no certificate in the 'Trusted Root Certification Authorities' certificate store that is not self-signed. To verify this, open MMC and add the Certificates snap-in. Navigate to 'Trusted Root Certification Authorities'. There should not be any certificate where 'Issued to' and 'Issued by' do not match. If there is one, it is safe to delete that certificate.
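As an added example (not from the original post), the following PowerShell audit reports both conditions described above on the MP server: whether SendTrustedIssuerList is absent or 0 under the SChannel key, and whether the Trusted Root store holds any certificate whose 'Issued to' and 'Issued by' differ. It assumes the standard SChannel key path for Windows Server 2012 and only reports; it changes nothing.

```powershell
# Added example, not code from the original post. Run in an elevated session.
# Assumption: the SChannel settings live under this standard key path.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SChannelTrustedIssuerSetting {
    # Returns SendTrustedIssuerList as an int, or $null when the value is absent.
    # Absent or 0 means IIS sends no CTL (the IIS 8.0 default the post describes).
    $item = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.SendTrustedIssuerList) { return $null }
    return [int]$item.SendTrustedIssuerList
}

function Get-NonSelfSignedRootCerts {
    # Lists Trusted Root certificates where Subject ('Issued to') differs from
    # Issuer ('Issued by'): intermediates or leaf certs that do not belong there.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

$setting = Get-SChannelTrustedIssuerSetting
if ($null -eq $setting) {
    Write-Warning 'SendTrustedIssuerList is not present under SCHANNEL (no CTL is sent).'
} elseif ($setting -eq 0) {
    Write-Warning 'SendTrustedIssuerList = 0 (no CTL is sent).'
} else {
    Write-Output "SendTrustedIssuerList = $setting"
}

$suspect = @(Get-NonSelfSignedRootCerts)
if ($suspect.Count -eq 0) {
    Write-Output 'Trusted Root store contains only self-signed certificates.'
} else {
    Write-Warning "Found $($suspect.Count) non-self-signed certificate(s) in Trusted Root:"
    $suspect | Format-Table -AutoSize
}
```

Review any certificate the script lists in the MMC snap-in before removing it, as the post describes.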
Vinayak Sharma | Technical Lead | Microsoft GBS Management and Security Division
Are these DWORDs, or strings, that I am adding to the SChannel key???
Can you be a little more specific, please? Thanks
I think these should be DWORDs:
Thanks, this solved the described issue for me. This should be mentioned in the SCCM docs; it took me a couple of days to find this here.....
Will this be part of a fix in the next Cumulative Update? This was a nightmare to troubleshoot.