Jeevan Bisht's System Center Blog

System Center Rocks !!

Configuration Manager 2007 : Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden


A few of my customers have recently had issues related to the Internet SUP, and it seems to boil down to IIS behaviour. Below is one such case.

We have a Management Point set up to support Internet clients.

Everything seems to be set up correctly, but we still see the error “Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden” in MPControl.log.

 

=============

mpcontrol.log

=============

There is only one certificate in the store. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

Initialization unsuccessfully completed within the allowed interval. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)

 

 

So the prime suspect was the certificate, but the certificates seemed to be correctly configured as per Certificate Requirements for Native Mode:

http://technet.microsoft.com/en-us/library/bb680733.aspx

 

This is what we saw in the IIS log file:

 

======

IIS LOG

======

2009-01-16 15:45:13 W3SVC1 xx.xx.xx.xx CCM_POST /ccm_system/request - 443 – xx.xx.xx..xx ccmhttp 403 16 2148204809

 

2009-01-16 15:48:05 W3SVC1 xx.xx.xx.xx CCM_POST /ccm_system/request - 443 – xx.xx.xx.xx ccmhttp 403 13 2148081683

 

Tracking down these two errors in IIS

 

403.13 Client Certificate Revoked

===============================

This error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List, or the server could not retrieve a CRL from the issuing authority.

 

By default, Internet Information Services (IIS) checks to see if the client certificate that is being presented has been revoked. It does this by downloading the client certificate's Certificate Revocation List (CRL) from a CRL Distribution Point (CDP) that is listed as part of the client certificate. If IIS is unable to download at least one of the CRLs of the client certificate, the HTTP error message is displayed in the client's browser.

 

403.16 - Client certificate is untrusted or invalid

=============================================

This error message is primarily generated when the certificate that the client provided is improperly formed. It can also be generated if there are intermediate certification authorities in the certificate chain that are not trusted by the Web server.

 

 

IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked

http://support.microsoft.com/kb/294305
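
The last column of those IIS log lines (sc-win32-status) narrows down which cause applies. The following is an added example, not part of the original post: it parses W3C-format lines using the `#Fields:` header and decodes the two values seen above. The sample log and its addresses are constructed, and the HRESULT names are the standard Windows ones.

```python
# sc-substatus meanings as described on this page.
SUBSTATUS = {
    "13": "Client certificate revoked, or CRL could not be retrieved",
    "16": "Client certificate is untrusted or invalid",
}

# Standard Windows HRESULT names for the two codes in the page's IIS log.
WIN32 = {
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",  # revocation server offline
    0x800B0109: "CERT_E_UNTRUSTEDROOT",        # chain ends in untrusted root
}

# Constructed sample log (documentation IP ranges), same shape as the page's.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-16 15:45:13 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 203.0.113.7 ccmhttp 403 16 2148204809
2009-01-16 15:48:05 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 203.0.113.7 ccmhttp 403 13 2148081683
2009-01-16 15:49:30 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 203.0.113.8 ccmhttp 200 0 0
"""

def triage(log_text):
    """Return one finding per 403.13 / 403.16 response in a W3C-format log."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is set by this header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        sub = row.get("sc-substatus")
        if row.get("sc-status") != "403" or sub not in SUBSTATUS:
            continue
        raw = row.get("sc-win32-status", "")
        code = int(raw) if raw.isdigit() else 0
        findings.append({
            "time": f'{row.get("date")} {row.get("time")}',
            "client": row.get("c-ip"),
            "status": f"403.{sub}",
            "meaning": SUBSTATUS[sub],
            "hresult": f"0x{code:08X}",
            "name": WIN32.get(code, "unmapped"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["hresult"], f["name"])
```

A 403.13 paired with CRYPT_E_REVOCATION_OFFLINE means the revocation check could not be completed, which points to an unreachable CRL rather than a certificate that was actually revoked.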

 

Solution

=======

 

Sol 1:

--------

The web server in question could not reach the CDP to download the CRL.

Look at the CRL Distribution Point field in the certificate properties and make sure you can reach the URL listed there from the web server.

 

Sol 2:

--------

Turn off CRL checking on the web server:

cscript adsutil.vbs Set W3SVC\CertCheckMode 1

Restart the web services.

Caution: This poses a security risk, because the web server no longer checks whether a client certificate has been revoked.

 

Or, in case you have Windows 2008:

Cscript ADSUTIL.VBS Set W3SVC/x/CertCheckMode 1
where x is the number of the website, most likely 1.

 

Note: This is caused by IIS behavior, not by SCCM.

 

Jeevan Bisht | Support Escalation Engineer

  • Great post. One correction though, the correct syntax is cscript adsutil.vbs  Set W3SVC\CertCheckMode 1

  • I have the same problem. PKI has been moved to another computer. And it seems like it was moved incorrectly. So now my MP cannot authorize in IIS.

    Windows Server 2008R2, IIS7.5, SCCM R3

    Log: mpcontrol.log

    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 6/16/2011 1:06:19 PM 3428 (0x0D64)

    Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 6/16/2011 1:06:19 PM 3428 (0x0D64)

    Successfully performed Management Point availability check against local computer.

    Log:iislog

    2011-06-16 10:07:00 192.168.50.41 CCM_POST /ccm_system/request - 443 - xxxxxxx ccmhttp 403 13 2148081683 46

    2011-06-16 10:07:05 192.168.50.41 CCM_POST /ccm_system/request - 443 - xxxxxxx ccmhttp 403 13 2148081683 62

    2011-06-16 10:07:06 192.168.50.41 CCM_POST /ccm_system/request - 443 - xxxxxxx ccmhttp 403 13 64 343

    What has been done to solve the problem.

    Reinstalled IIS and MP,

    Reconfigured IIS and WebDav using Microsoft documentation

    Published new CRL list in new CA

    Confirmed that new certificates have correct CRL string

    Confirmed that CRL can be downloaded

    Reissued certificates for SCCM, including "This site server ...", WebCertificate, Client and Computer

    Imported CRL list manually

    Disabled IIS CertCheckMode (Set to 1)

    ...Nothing, still no luck.  443 13, Forbidden.

  • 403 16 errors in the IIS log can also be caused by this little charm:

    support.microsoft.com/.../en-us

    It boils down to Microsoft releasing a root certificate package with about 350 certs for client computers and marking it as an update for server systems as well. IIS sends the client trying to connect through SSL a list of accepted root certificates, which has become too long and gets truncated.

    Solution: delete all unnecessary certificates from the store. Only a few are actually required:

    support.microsoft.com/.../en-us
