question

AhmedEssam-4837 asked Amandayou-MSFT commented

Client not getting updates

Hi,

We recently faced a new issue with our ConfigMgr clients. We are using PKI to secure the communication.

On the client's side, we checked PolicyAgent.log and found that the client is unable to download policies, with the following error:

BITS error: 'HTTP status 403: The client does not have sufficient access rights to the requested server object.\n' Context: 'The error occurred while the remote file was being processed.\n'";


DTS job '{7D9720E2-D706-4AB5-A83E-6D528E7D18EA}' is finished for 5 files. ReturnCode: 0x80190193, Message: 'BITS error: 'HTTP status 403: The client does not have sufficient access rights to the requested server object.
' Context: 'The error occurred while the remote file was being processed.

LocationService.Log

[CCMHTTP] ERROR: URL=https://MPSRV.Domain.local/SMS_MP/.sms_aut?SMSTRC, Port=443, Options=1472, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden


IIS Log on ConfigMgr Server

/SMS_MP/.sms_pol %7B010000FF%7D-%7BPER%7D.3_00 443 - 10.29.83.35 Microsoft+BITS/7.8 - 403 16 2148204809 190 31 IIS Log

BITS_POST /CCM_Incoming/{51F4BA0E-16D4-4453-A048-9818C17806F3} - 443 - 10.29.82.66 Microsoft+BITS/7.8 - 403 7 64 0 15

GET /SMS_MP/.sms_aut MPKEYINFORMATIONEX 443 - 10.16.4.72 SMS+CCM+5.0 - 403 16 2148204809 1423 15


Thanks,


mem-cm-general
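
The IIS lines in the question carry more detail than the bare 403: the two numbers after the status are the IIS sub-status and the Win32 status. The following PowerShell is an added example, not part of the original post, that decodes the three quoted lines. The field order is an assumption read from the excerpt, since the `#Fields` header is not shown.

```powershell
# Request lines copied from the IIS log excerpt in the question
# (the trailing "IIS Log" label on the first line is dropped).
$lines = @(
    '/SMS_MP/.sms_pol %7B010000FF%7D-%7BPER%7D.3_00 443 - 10.29.83.35 Microsoft+BITS/7.8 - 403 16 2148204809 190 31'
    'BITS_POST /CCM_Incoming/{51F4BA0E-16D4-4453-A048-9818C17806F3} - 443 - 10.29.82.66 Microsoft+BITS/7.8 - 403 7 64 0 15'
    'GET /SMS_MP/.sms_aut MPKEYINFORMATIONEX 443 - 10.16.4.72 SMS+CCM+5.0 - 403 16 2148204809 1423 15'
)

# IIS 403 sub-statuses that relate to client certificates.
$subStatusText = @{
    '403.7'  = 'Client certificate required'
    '403.13' = 'Client certificate revoked'
    '403.16' = 'Client certificate is untrusted or invalid'
    '403.17' = 'Client certificate has expired or is not yet valid'
}

# Win32 / HRESULT values seen in the excerpt, keyed by their hex form.
$win32Text = @{
    '0x800B0109' = 'CERT_E_UNTRUSTEDROOT: chain ends in a root that is not trusted'
    '0x00000040' = 'ERROR_NETNAME_DELETED: the network name is no longer available'
}

# Assumed field order: ... c-ip user-agent referer sc-status sc-substatus sc-win32-status ...
$pattern = '(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<agent>\S+)\s+\S+\s+' +
           '(?<status>\d{3})\s+(?<sub>\d+)\s+(?<win32>\d+)'

$decoded = foreach ($line in $lines) {
    if ($line -notmatch $pattern) { continue }   # skip lines in another layout
    $status = '{0}.{1}' -f $Matches['status'], $Matches['sub']
    $hex    = '0x{0:X8}' -f [uint32]$Matches['win32']
    [pscustomobject]@{
        ClientIP     = $Matches['ip']
        Agent        = $Matches['agent']
        Status       = $status
        Meaning      = $subStatusText[$status]
        Win32        = $hex
        Win32Meaning = $win32Text[$hex]
    }
}
$decoded | Format-List
```

Two of the three requests decode to 403.16 with 0x800B0109, which points at certificate trust on the server side rather than at permissions on the requested object.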

Amandayou-MSFT answered Amandayou-MSFT commented

Hi @AhmedEssam-4837

This may be caused by having non-self-signed certificates in the trusted root certificate store on the SMP server.

Please navigate to Microsoft Management Console with the certificate snapshot. When reviewing a certificate, you can open the certificate and look at the General tab. If the "Issued to:" and the "Issued by:" are the same name, then it is a self-signed root certificate. If the "Issued to:" and the "Issued by:" are not the same name, then it is not a root certificate and should be moved to the appropriate certificate store.




If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
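
The "Issued to" / "Issued by" comparison described in the answer can be run over the whole store at once. This PowerShell is an added example, not part of the original answer; treating the Intermediate Certification Authorities store (`Cert:\LocalMachine\CA`) as the destination for misplaced CA certificates is an assumption, and non-CA certificates are only listed for manual review.

```powershell
# Run in an elevated session on the server whose Trusted Root store is checked.
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]

# Subject ("Issued to") differing from Issuer ("Issued by") means the
# certificate is not a self-signed root.
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer } |
    ForEach-Object {
        $cert = $_
        # Basic Constraints tells CA certificates apart from end-entity ones.
        $bc = $cert.Extensions |
            Where-Object { $_ -is $bcType } |
            Select-Object -First 1
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsCA       = [bool]($bc -and $bc.CertificateAuthority)
            Path       = $cert.PSPath
        }
    }

$misplaced | Format-List Subject, Issuer, Thumbprint, NotAfter, IsCA

# Assumption: an issued CA certificate belongs in the Intermediate
# Certification Authorities store. -WhatIf only prints what would be moved;
# remove it after reviewing the list above.
$misplaced | Where-Object IsCA | ForEach-Object {
    Move-Item -LiteralPath $_.Path -Destination Cert:\LocalMachine\CA -WhatIf
}
```

An empty list means every certificate in the Trusted Root store is self-signed, and the 403 has to be explained some other way.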




Hi @Amandayou-MSFT

Thanks for your help, the problem was with certificates.

But I am still facing the error below in PolicyAgent.log:


Raising event:
instance of CCM_PolicyAgent_PolicyDownloadFailed
{
ClientID = "GUID:C745B480-E4F8-46FB-9930-2683C2927F1E";
DateTime = "20210809144925.812000+000";
DownloadErrorInfo =
instance of CCM_BitsDownloadMethod_ErrorInfo
{
ErrorCode = 2147942402;
ErrorMessage = "BITS error: 'HTTP status 404: The requested URL does not exist on the server.\n' Context: 'The error occurred while the remote file was being processed.\n'";
};
DownloadMethod = "BITS";
DownloadSource = "http://<mp>/SMS_MP/.sms_pol?{3C03F232-45D0-48CD-BDAA-9566E4CB1BF7}/30.SHA256:7227635EADA699B87BB66809B3372F78AB27CF193E116C24215A55DAF0659ABC";
PolicyNamespace = "\\\.\\ROOT\\ccm\\policy\\machine\\requestedconfig";
PolicyPath = "CCM_Policy_Policy5.PolicyID=\"{3C03F232-45D0-48CD-BDAA-9566E4CB1BF7}/30\",PolicyVersion=\"5.00\",PolicySource=\"SMS:PER\"";
ProcessID = 5516;
ThreadID = 6444;
};


Hi,

Does this issue happen on all clients or just one client? If just one client, please check if the IP address in the IIS log was sent by this client.

As for the BITS error 'HTTP status 404', please check if this package is actually on the DP; we could update it again and check if the issue is solved.

Best regards,
Amanda


Hi,

How can I find out which package belongs to the following ID?
CCM_Policy_Policy5.PolicyID=\"{3C03F232-45D0-48CD-BDAA-9566E4CB1BF7}

Thanks,

RahulJindal-2267 answered AhmedEssam-4837 commented

Any errors in ccmmessaging?


Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff

[CCMHTTP] ERROR: URL=https://MP.domain.local/ccm_system_windowsauth/request, Port=443, Options=1472, Code=0, Text=CCM_E_NO_TOKEN_AUTH
[CCMHTTP] ERROR INFO: StatusCode=401 StatusText=Unauthorized
Successfully queued event on HTTP/HTTPS failure for server 'MP.domain.local'.
Post using domain\ahmed-admin security context failed due to Integrated Windows Authentication failure
Post to https://MP.domain.local/ccm_system_windowsauth/request failed with 0x80070005.

RahulJindal-2267 answered

The issue does appear to be with the PKI cert missing on the device in question. Is the cert enrolled on the device? What version of CB are you running? Maybe consider Ehttp with token-based authentication instead. It is not the same as PKI but makes the setup simpler.
