SCCM Clients receiving 401.2 response when attempting to communicate with MP

adam t 6 Reputation points
2021-08-26T03:37:52.14+00:00

Sorry if this is the wrong place to post this, it's where the button from Configuration Manager Current Branch kept taking me.

This started about a week ago, and went from intermittent to now 99% complete disruption of client to MP communication, resulting in inability to run OSDs, deploy software, etc.

Logs show:

TSAgent when trying a task - Failed to receive response with winhttp; 80072efe

CAS - GetLocationSyncEx3 failed with error 0x87d00231

CCMMessaging - Post to http:yadayada/ccm_system/request failed with 0x87d00231

IIS logs are showing 401 2 5 1509

PXE, which is served from the DP, is also not working. No entries in the PXE log either, the requests don't make it that far I guess, makes me wonder when entries go in the log.

Most other errors I found basically say similar things, win http request failure.

No audit failures in the MP's event viewer security logs

Have checked boundaries

SCCM version 2103, set to HTTP or Enhanced. Tried checking the box to provide sms issued cert. Not sure if I made things worse with that.

Have checked IIS application authentication settings, though I'm not 100% confident in my knowledge of that aspect, I have NOT chosen to try anonymous auth for windows authentication app, yet, nor that setting on the DP/MP roles. Provider for windows auth is negotiate above NTLM.

Let me know what other troubleshooting might help locate the problem.


1 answer

  1. Limitless Technology 39,396 Reputation points
    2021-08-26T13:03:05.773+00:00

    Hello @adam t

    It seems that there are a number of issues. I would recommend the following:

    For the DP communication: try disabling CRL on IIS -
    https://techcommunity.microsoft.com/t5/iis-support-blog/disable-client-certificate-revocation-crl-check-on-iis/ba-p/377134

    For the MP: I would suggest an MP repair:
    On the SCCM console select Administration Section
    Select Site Configuration Group
    Select Servers and Site System Roles
    Select your Site System containing the right MP
    Right Click on the MP role and select Properties
    On General Tab, Select HTTPS Client Connection

    This action will reinstall the MP and repair it. Please check the right SMS_MP_CONTROL_MANAGER log to verify if it is successfully repaired. If it is done, you have to redo the above steps to select HTTP as the Client Connection Protocol. This action will also reinstall and repair the MP.

    Hope this helps!

    --do not forget to vote if helpful or mark as Answer if it resolved your query--

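An added example, not part of either post: a PowerShell sketch that tallies the 401.2 responses mentioned in the question by URL and client, so you can see whether the failures are confined to one MP endpoint or one subnet. It assumes the log is in IIS W3C format with a `#Fields:` header, under which `401 2 5 1509` reads as sc-status, sc-substatus, sc-win32-status and time-taken; the function name `Get-IisAuthFailure` and the sample lines are constructed for illustration.

```powershell
# Constructed sample in IIS W3C extended format (not taken from the poster's server).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-08-25 03:10:01 10.0.0.5 CCM_POST /ccm_system/request - 80 - 10.0.1.20 ccmhttp 401 2 5 1509
2021-08-25 03:10:02 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.0.1.21 ccmhttp 200 0 0 15
2021-08-25 03:10:07 10.0.0.5 CCM_POST /ccm_system/request - 80 - 10.0.1.20 ccmhttp 401 2 5 1490
2021-08-25 03:11:30 10.0.0.5 CCM_POST /ccm_system_windowsauth/request - 80 - 10.0.1.22 ccmhttp 401 2 5 1502
'@ -split "`r?`n"

function Get-IisAuthFailure {
    param([string[]]$Line, [int]$Status = 401, [int]$SubStatus = 2)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order can change mid-file; re-read it at every header.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }
        $v = $l.Trim() -split '\s+'
        if ($v.Count -ne $fields.Count) { continue }   # skip truncated or malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ([int]$row['sc-status'] -eq $Status -and [int]$row['sc-substatus'] -eq $SubStatus) {
            [pscustomobject]@{
                Client = $row['c-ip']; Uri = $row['cs-uri-stem']
                User   = $row['cs-username']; Win32 = [int]$row['sc-win32-status']
            }
        }
    }
}

# Which endpoint and client combinations are being rejected, and how often.
Get-IisAuthFailure -Line $sample |
    Group-Object Uri, Client, Win32 |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Against a real server, pass the output of `Get-Content` for the site's current log file as `-Line`. A `-` in the `cs-username` column on the matching rows means the request arrived without credentials.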