Support Tip: A ConfigMgr 2012 Management Point enabled for SSL fails with 403 forbidden

~ Vinayak Sharma | Technical Lead

Here’s a quick tip on an interesting issue I saw the other day in case you happen to run across it.

The core issue is that an HTTPS enabled System Center 2012 Configuration Manager (ConfigMgr 2012) Management Point (MP) installed on Windows Server 2012 may not work as expected, and in the IIS logs you see a 403.16 status code which resolves to ‘Client certificate is untrusted or invalid.’ The Mpcontrol.log will also show the following:

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
Http test request failed, status code is 403, 'Forbidden'.

This can occur if IIS is not configured to use a Certificate Trust List (CTL). Without a CTL, SSL client certificate authentication will fail with the 403.16 error mentioned above because SChannel.dll wrongly considers the client certificate to be untrusted.

NOTE: Having no CTL in use is the default configuration of IIS 8.0. This is configured by having no SendTrustedIssuerList present or by setting SendTrustedIssuerList=0.

This can also occur if there is a non-self-signed certificate in the 'Trusted Root Certification Authorities' certificate store.

Solution

To resolve this issue, create the following two DWORD values under the SCHANNEL key on the MP server:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList = 0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ClientAuthTrustMode = 2

Also make sure that there is no non-self-signed certificate in the 'Trusted Root Certification Authorities' certificate store. To verify this, open MMC and add the Certificates snap-in (Local Computer). Navigate to 'Trusted Root Certification Authorities'. A root certificate is self-signed, so there should not be any certificate where 'Issued to' and 'Issued by' do not match. If there is one, it is safe to delete that certificate.
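The following PowerShell script is an added example, not part of the original post or of ConfigMgr itself. It audits the two SCHANNEL values named above, lists any non-self-signed certificate sitting in the local machine's Trusted Root store (the 'Issued to' / 'Issued by' mismatch check), and optionally confirms the symptom by searching the newest IIS log for 403.16 entries. The IIS log path (W3SVC1 under the default LogFiles directory) and the default W3C field layout are assumptions; adjust them for the MP's site. Certificates are only reported, never deleted, and the registry values are only written when -Fix is supplied.

```powershell
# Added example (not from the original post): audit a ConfigMgr MP for the
# 403.16 conditions described above. Run in an elevated PowerShell session on the MP.
[CmdletBinding()]
param(
    [switch]$Fix   # apply the two registry values when they are missing or wrong
)

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected values taken from the post: SendTrustedIssuerList=0, ClientAuthTrustMode=2
$expected = @{
    SendTrustedIssuerList = 0
    ClientAuthTrustMode   = 2
}

function Test-SchannelValue {
    param([string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $schannelKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Name = $Name; Current = 'not present'; Expected = $Expected; Ok = $false }
    }
    $current = [int]$item.$Name
    return [pscustomobject]@{ Name = $Name; Current = $current; Expected = $Expected; Ok = ($current -eq $Expected) }
}

Write-Host '== SCHANNEL registry values =='
$results = foreach ($name in $expected.Keys) {
    Test-SchannelValue -Name $name -Expected $expected[$name]
}
$results | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in ($results | Where-Object { -not $_.Ok })) {
        # -Force creates the DWORD value or overwrites an existing one
        New-ItemProperty -Path $schannelKey -Name $r.Name -Value $r.Expected -PropertyType DWord -Force | Out-Null
        Write-Host "Set $($r.Name) = $($r.Expected) (restart IIS or the server for SChannel to pick it up)"
    }
}

Write-Host '== Non-self-signed certificates in Cert:\LocalMachine\Root =='
# A genuine root certificate is self-signed, so Subject equals Issuer. Anything else in
# this store is misplaced and is what the post identifies as a cause of the 403.16.
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
if ($misplaced) {
    $misplaced | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Host 'None found.'
}

# Optional symptom check in the IIS log. Assumed path and default W3C field order
# (sc-status followed by sc-substatus); change W3SVC1 to the MP site's ID if needed.
$iisLog = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($iisLog) {
    Write-Host "== 403.16 entries in $($iisLog.FullName) =="
    Select-String -Path $iisLog.FullName -Pattern ' 403 16 ' |
        Select-Object -First 10 | ForEach-Object { $_.Line }
} else {
    Write-Host 'No IIS log found at the assumed path; skipping the 403.16 search.'
}
```

Run it once without -Fix to see what would change, then with -Fix to write the values. Both registry values are SChannel-wide settings, so they affect every TLS client-certificate negotiation on the server, not just the MP's site; review the output of the Trusted Root check before removing anything, since a certificate with a non-matching issuer normally belongs in the Intermediate Certification Authorities store rather than in Trusted Root.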

Vinayak Sharma | Technical Lead | Microsoft GBS Management and Security Division
