question

BoopathiSubramaniam-6294 avatar image
BoopathiSubramaniam-6294 asked ·

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

Hi,

Below error appears in mpcontrol.log in 4 secondary site servers and not in other SCCM secondary site servers

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

I checked that certificate is not expired.
33899-capture.jpg34013-1capture.jpg


34042-3capture.jpg

Please help to solve the issue.


mem-cm-general
capture.jpg (125.9 KiB)
1capture.jpg (72.5 KiB)
3capture.jpg (63.7 KiB)
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FionaYan-MSFT avatar image
FionaYan-MSFT answered ·

@boopathisubramaniam-6294

Thank you for posting in Microsoft Q&A forum.

Have we seen the IIS log before? This error may caused when we access WebView or WebPort.When we open the log and then search "403." to see whether we could get detalied info or not?
Here is a helpful guide for you to refer to:
https://docs.microsoft.com/en-us/troubleshoot/iis/http-error-403-7-forbidden-web-app

Have a nice day!


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 comments Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi FionaYan,
Thanks

Executed the below command in secondary server
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$.Issuer -ne $.Subject} | Format-List
34596-capture.jpg



Deleted the thumpprint certificate from Trusted Root Certificate and issue is solved.
Not sure what and how that certificate is related to MP

2 Votes 2 · ·
capture.jpg (48.5 KiB)
FionaYan-MSFT avatar image FionaYan-MSFT BoopathiSubramaniam-6294 ·

@BoopathiSubramaniam-6294

Thank you very much for the update and sharing the solution here. I believe this should be useful for someone who has similar issue in the future.

0 Votes 0 · ·
RyanSteele-4092 avatar image
RyanSteele-4092 answered ·

I can confirm that the solution posted by @BoopathiSubramaniam-6294 solved the issue for me as well. To ensure others are able to find this answer, I am posting the text of the log messages below so it will show up more readily in a web search.

The following is found in the mpcontrol.log file on the affected site server:

 Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)
 Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)

The following may be found on the CcmNotificationAgent.log file on a client connecting to a Cloud Management Gateway:

 [CCMHTTP] ERROR: URL=https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72057594037927940/bgb/handler.ashx?RequestType=LogIn, Port=443, Options=1248, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 [CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Forbidden BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Raising event:
 instance of CCM_CcmHttp_Status
 {
  ClientID = "GUID:8A5350F6-613D-4FF1-BC44-99B4B0C6969E";
  DateTime = "20201108191531.162000+000";
  HostName = "CONTOSO.CLOUDAPP.NET";
  HRESULT = "0x87d0027e";
  ProcessID = 18388;
  StatusCode = 403;
  ThreadID = 7220;
 };
  BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Successfully queued RefreshSecuritySettingsEvent event. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Successfully queued event on HTTP/HTTPS failure for server 'CONTOSO.CLOUDAPP.NET'. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Failed to post Login with error code 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)
 Failed to signin bgb client with error = 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)

This issue may be affecting you if one or more certificates are returned after running the command below on your management point:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

Once you have verified these root certificates are not needed, you can remove them by running this PowerShell command:

 Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item
Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.