question

Chris-4250 avatar image
0 Votes"
Chris-4250 asked Amandayou-MSFT commented

SCCM MP is not working properly, unable to get to http://server/SMS_MP/.sms_aut?MPLIST

I started noticing this when our computers were no longer able to PXE boot so I check SMSPXE.log and found several errors, but reinstalling PXE and WDS did not resolve the error. I then moved onto the MP which is our SCCM Primary server and also has SQL installed on it. Our setup is 1 SCCM Primary server and 4 DPs. Everything is installed on the Primary server as far as WSUS and SQL go and it is also the MP, SUP, and reporting server and all that.

I am unable to get to below sites:
http://servername/SMS_MP/.sms_aut?MPLIST
http://servername/SMS_MP/.SMS_AUT?MPCERT

They both show the same error, unauthorized with error code: 0x80070005 so I am leaning towards some kind of permissions issue, but this SCCM setup has been running without issue since 2017 so this is not some new MP and the permissions have not been changed to my knowledge.
I am running CongiMgr v2010.

127936-6.jpg


Below are the errors I am receiving in the MPCONTROL.LOG file (servername omitted):

128013-7.jpg

Here is error from ConfigMgr > Monitoring > System Status > Site Status and the management point error, remember the sql server is on the MP:
128003-3.jpg

Someone mentioned to make sure the websites in IIS were not using port 80 and only the default website is using port 80 and that is how it is setup. We only have the default website using port 80 and 443 and then WSUS site using 8530 and 8531

127950-5.jpg


I have the IIS logs open, but I'm honestly not sure what I'm looking for as I do not see much description like you would see in an SCCM log..

127959-8.jpg


Hoping someone can assist and give me some advice on where I should look for permissions issues or what exactly I should look for in IIS, maybe it is a certificate that is out of date, but which certificate should I be looking at? I see a certificate issued to my primary server issued by "SMS Issuing" that expired 8/12/2021 located in Certificates - Local Computer > SMS > Certificates but I'm not sure how that cert gets re-issued because there are several expired certs issued by "SMS Issuing" and I am not issuing them.

Let me know if you need any additional information to assist, I tried to provide a good picture of what I am facing.


mem-cm-general
6.jpg (141.0 KiB)
7.jpg (417.5 KiB)
5.jpg (169.8 KiB)
8.jpg (248.2 KiB)
3.jpg (250.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Chris-4250 avatar image
0 Votes"
Chris-4250 answered Amandayou-MSFT commented

Thank you. I check my SMS_CCM folder and the SMS_MP within and I cannot get the MP to function properly with IUSR only having list folder contents or even full control.
As soon as I give Everyone read permissions to SMS_CCM and all subfolders it starts working and I can get to MPCERT and MPLIST and the below error in mpcontrol.log goes away. Other than having read access for Everyone on SMS_CCM, my permissions are identical to yours.


129190-10.jpg



10.jpg (24.7 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

Thanks for your sharing.

I have converted your reply to answer. Please mark your answer, it is helpful to anyone who has the similar confusion.

Thanks again and have a nice day. : )

Best regards,
Amanda

1 Vote 1 ·
Amandayou-MSFT avatar image
0 Votes"
Amandayou-MSFT answered Amandayou-MSFT converted comment to answer

Hi @Chris-4250,

According to the information, the error status error 500 shows that there seems something wring with MP server. Please check ccmisapi.log to see if there is error in this log, it records client messaging activity on the endpoint.

Besides, here is the similar post, we could refer to it:
https://social.technet.microsoft.com/Forums/ie/en-US/66f3f171-0303-4007-b8b0-9a78a43e165a/solution-call-to-httpsendrequestsync-failed-for-port-80-with-status-code-500-text-internal?forum=ConfigMgrDeployment



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

There weren't any errors in ccmisapi.log and it wasnt the C++ issue.
Looks like what fixed it is my giving "Everyone" modify control to SMS_CCM\SMS_MP
I saw a post where someone did that so I followed suit.

What should the permissions look like for SMS_CCM\SMS_MP.
What accounts need modify to this so I can set it correctly and remove everyone?

0 Votes 0 ·

Hi,

To double check the permission of SMS_CCM\SMS_MP, could we post the screenshot about the permission of SMS_CCM\SMS_MP.

I check it in my environment, here is the permission:

129050-935.png

Thanks and have a nice day.

Best regards,
Amanda


0 Votes 0 ·
935.png (22.5 KiB)