BoopathiSubramaniam-6294 asked CrisKolkman-1482 edited

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

Hi,

The error below appears in mpcontrol.log on 4 secondary site servers and not on the other SCCM secondary site servers:

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

I checked that the certificate is not expired.

Please help to solve the issue.



FionaYan-MSFT answered FionaYan-MSFT commented

@boopathisubramaniam-6294

Thank you for posting in Microsoft Q&A forum.

Have we seen the IIS log before? This error may be caused when we access WebView or WebPort. Could we open the log and then search for "403." to see whether we can get detailed info or not?
Here is a helpful guide for you to refer to:
https://docs.microsoft.com/en-us/troubleshoot/iis/http-error-403-7-forbidden-web-app

Have a nice day!



Hi FionaYan,
Thanks

Executed the command below on the secondary server:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

Deleted the thumbprint certificate from Trusted Root Certificate and the issue is solved.
Not sure what and how that certificate is related to MP.

FionaYan-MSFT BoopathiSubramaniam-6294 ·

@BoopathiSubramaniam-6294

Thank you very much for the update and sharing the solution here. I believe this should be useful for someone who has a similar issue in the future.

RyanSteele-4092 answered bmomartins commented

I can confirm that the solution posted by @BoopathiSubramaniam-6294 solved the issue for me as well. To ensure others are able to find this answer, I am posting the text of the log messages below so it will show up more readily in a web search.

The following is found in the mpcontrol.log file on the affected site server:

 Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)
 Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)

The following may be found in the CcmNotificationAgent.log file on a client connecting to a Cloud Management Gateway:

 [CCMHTTP] ERROR: URL=https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72057594037927940/bgb/handler.ashx?RequestType=LogIn, Port=443, Options=1248, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 [CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Forbidden BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Raising event:
 instance of CCM_CcmHttp_Status
 {
  ClientID = "GUID:8A5350F6-613D-4FF1-BC44-99B4B0C6969E";
  DateTime = "20201108191531.162000+000";
  HostName = "CONTOSO.CLOUDAPP.NET";
  HRESULT = "0x87d0027e";
  ProcessID = 18388;
  StatusCode = 403;
  ThreadID = 7220;
 };
  BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Successfully queued RefreshSecuritySettingsEvent event. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Successfully queued event on HTTP/HTTPS failure for server 'CONTOSO.CLOUDAPP.NET'. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Failed to post Login with error code 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Failed to signin bgb client with error = 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)

This issue may be affecting you if one or more certificates are returned after running the command below on your management point:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

Once you have verified these root certificates are not needed, you can remove them by running this PowerShell command:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item

CrisKolkman-1482 answered CrisKolkman-1482 edited

Hello,

I'm having the same issues as @bmomartins was having, but the issue has not been solved (yet) by this solution.
Yesterday I changed our SCCM to HTTPS only using this manual: https://gmarculescu.com/?p=81
The only difference is our Root CA is an offline machine and we have an online Subordinate CA issuing the certificates.

After this the clients stopped reporting to the SCCM server and they're all showing offline.
Software Center fails to start as well:


Running the command below showed 3 certificates not belonging in the Root store, which led me to a wrongly configured GPO deploying Intermediate certificates to the trusted root store.

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

After modifying the GPO and running the command below, the wrong certificates didn't show up anymore, not even after a gpupdate /force:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item

It is now about half an hour since I corrected this (and rebooted the SCCM server), but it doesn't seem to make any difference; in mpcontrol.log I still see the error below:

 Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error

Could anyone shed some light on what is going wrong or where we should look for more errors?

EDIT:
It's taking a long time but many clients are starting to report again, so this seems to be the solution after all.
In the coming days I will keep an eye on the environment.
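
The check-then-remove procedure from the answers by RyanSteele-4092 and CrisKolkman-1482 above, written as a script that reports and backs up each certificate before anything is deleted. This is an added example, not part of the original thread; the `$BackupDir` path and the `-Remove` switch are assumptions of the example.

```powershell
# Added example (save as a .ps1 and run elevated on the management point).
# Audits LocalMachine\Root for certificates that are not self-signed,
# exports each one to a backup folder, and removes them only with -Remove.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupDir = "$env:SystemDrive\RootStoreAudit",  # hypothetical backup path
    [switch]$Remove                                          # hypothetical opt-in switch
)

# Same filter as the thread: a root certificate should have Issuer equal to Subject.
$misplaced = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Issuer -ne $_.Subject }

if (-not $misplaced) {
    Write-Output 'No non-self-signed certificates found in LocalMachine\Root.'
    return
}

# Show what was found so it can be reviewed before removal.
$misplaced |
    Select-Object Thumbprint, Subject, Issuer, NotAfter |
    Format-Table -AutoSize -Wrap

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $misplaced) {
    # Export the public certificate so the removal can be undone.
    $file = Join-Path $BackupDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null

    # Check whether the same certificate already sits in the
    # Intermediate Certification Authorities store (LocalMachine\CA).
    $inCA = Test-Path "Cert:\LocalMachine\CA\$($cert.Thumbprint)"
    Write-Output "$($cert.Thumbprint) backed up to $file; present in LocalMachine\CA: $inCA"

    # Delete only when -Remove is given; -WhatIf and -Confirm are honoured.
    if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, 'Remove from LocalMachine\Root')) {
        Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    }
}
```

Run it without `-Remove` first, or with `-Remove -WhatIf`, to review the list. If a GPO placed the certificates in the root store, as in the post above, they return at the next policy refresh until the GPO is corrected.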



