Friday, January 15, 2016

ConfigMgr 2012 [READ ME] Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden


SYMPTOM :
======================================================================================
MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 403.
======================================================================================

CAUSE :
======================================================================================
Client certificate revocation was enabled.
======================================================================================

RESOLUTION :
======================================================================================
To resolve the issue, we followed this series of steps.

1. Checked the virtual directories of the management point.
2. We were getting errors 403.2, 500.19 and 403.14 while browsing the SMS_MP virtual directory.
3. We corrected error 403.2 by enabling the READ permission on HANDLER MAPPINGS. To correct error 500.19, we added Authenticated Users and gave them READ and Execute permission. Finally, to correct 403.14, we enabled DIRECTORY BROWSING.
4. We restarted the SMS EXEC service and IIS, but that did not resolve the issue.
5. We investigated the IIS logs further and found errors 403.13 and 403.16 for connections to the same SMS_MP virtual directory.
6. To correct the 403.13 error:
We created the DWORD value DefaultSslCertCheckMode and set it to 1 to disable the CRL check for client certificates.
7. To correct the 403.16 error:
We created two registry values at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:
SendTrustedIssuerList = 0 (stops sending the list of trusted root certification authorities during the TLS/SSL handshake)
ClientAuthTrustMode = 2 (sets the trust mode to Exclusive CA Trust, which requires that a client certificate chain to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store)
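
The IIS log check from step 5, as an added example in Python that is not part of the original post: it reads W3C-format log text, follows the #Fields header, and counts the substatus codes named in this post for requests under /SMS_MP. The log lines, client addresses and function names are constructed for illustration.

```python
from collections import Counter

# IIS meanings of the status.substatus codes named in this post.
SUBSTATUS = {
    ("403", "2"): "Read access forbidden",
    ("403", "13"): "Client certificate revoked",
    ("403", "14"): "Directory listing denied",
    ("403", "16"): "Client certificate untrusted or invalid",
    ("500", "19"): "Configuration data is invalid",
}

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status sc-substatus
2016-01-15 09:00:01 GET /SMS_MP/.sms_aut 443 10.0.0.21 403 13
2016-01-15 09:00:05 GET /SMS_MP/.sms_aut 443 10.0.0.22 403 16
2016-01-15 09:00:09 CCM_POST /ccm_system/request 443 10.0.0.21 200 0
2016-01-15 09:00:12 GET /SMS_MP/.sms_aut 443 10.0.0.23 403 13
"""


def triage(log_text, uri_prefix="/SMS_MP"):
    """Count known (status, substatus) errors for requests under uri_prefix."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.startswith(uri_prefix.lower()):
            continue
        key = (row.get("sc-status", "-"), row.get("sc-substatus", "-"))
        if key in SUBSTATUS:
            hits[key] += 1
    return hits


def report(hits):
    """One line per code, most frequent first."""
    return [f"{s}.{ss} x{n}: {SUBSTATUS[(s, ss)]}"
            for (s, ss), n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```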
