OmegaHarvest

Management Point unable to accept its own Client Auth Certificate

Question

Hello Windows noob! First post here ever. Learnt most of my SCCM knowledge by following the guides here! Brilliant resource!

 

I'm hoping someone here can help me with an issue I'm having with setting an MP to use HTTPS. I've looked all over the web and all posts are relating to issues with other certificate types on the SCCM server.

 

Basically, I have deployed a Web server cert for IIS on my SCCM box, as well as one for the DP and both work fine. However, I have set my MP to use HTTPS which of course requires clients to have a cert to authenticate with it.

I have a Windows PKI which has been operating fine and has issued all of my certs so far. I have created a new template based off the Workstation auth one and configured GPO to autoenroll clients. My MP is also in the scope of the GPO and has its own client auth cert. However, when I check in the mpcontrol.log I see the following spammed every 30 seconds:

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

Just before that I see:

Selected Certificate [Thumbprint 63682aeb220d928163855c10500f3e43e6a9a7cb] issued to 'YGG-SVR-005.yggdrasiltech.co.uk' for HTTPS Client Authentication

So I can see it's selecting my client auth cert to use but then rejecting it. I have confirmed this is the right cert by matching the thumbprint with the one issued in the CA for client auth.

If I look further up the logs, it goes through all the other certs on the server and has no issues (such as the web server cert).

Does anyone know what I can check to find why the IIS server rejects the client auth cert assigned to my MP, stopping it from working as an MP entirely? Have I missed a requirement for the CA template or the CA itself?

The MP is on the SCCM server itself, it's a standalone server. I have checked the CRL resolves fine which it does.

For now, I have set the MP back to HTTP and the log has settled down and shows the MP working correctly.

Any help would be greatly appreciated and probably save my sanity!!
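
Checks that can be run on the MP against the certificate named in the log line above, as an added example that is not part of the original post or of any reply: it looks up the thumbprint from the mpcontrol.log excerpt and reports EKU, private key, validity and chain/revocation status as the machine sees them. It assumes the autoenrolled certificate sits in the computer's Personal store (Cert:\LocalMachine\My); the variable names are illustrative.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the MP.
# Thumbprint is the one shown in the mpcontrol.log line quoted in the post.
# Assumption: the autoenrolled certificate is in Cert:\LocalMachine\My.
$thumbprint    = '63682aeb220d928163855c10500f3e43e6a9a7cb'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }

# Collect the EKU OIDs actually present on the issued certificate
# (the template may differ from what was intended).
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Build the chain in machine context with online revocation checking for every element,
# so a CRL or trust problem shows up as a ChainStatus entry.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

$now = Get-Date
[pscustomobject]@{
    Subject          = $cert.Subject
    HasPrivateKey    = $cert.HasPrivateKey
    HasClientAuthEku = $ekuOids -contains $clientAuthOid
    WithinValidity   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    ChainBuilds      = $chainOk
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List

# Chain elements from leaf to root, to confirm which CA certificates were used.
$chain.ChainElements | ForEach-Object { $_.Certificate } |
    Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize

# Entries in Trusted Root that are not self-signed (Issuer differs from Subject).
# Microsoft documents such entries as one cause of IIS rejecting client certificates.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Issuer -ne $_.Subject } |
    Format-Table Subject, Issuer, Thumbprint -AutoSize
```

The sc-substatus field in the IIS log entry for the failing request distinguishes the 403 variants, for example 403.16 for an untrusted or invalid client certificate and 403.17 for one that is expired or not yet valid.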


1 answer to this question
