Hey Everyone-

  I'm deploying a new ConfigMgr 2016 server and running into a bit of an issue where the Management Point role is reporting an error state in Site Status.  The error shown is "MP Control Manager detected MP is not responding to HTTP requests.  The http error is 2147500037." and when I check the mpcontrol.log file I have repeated messages of:

Begin validation of Certificate [Thumbprint 54b7384b28154466383c3195ac15ed00f08ad1d5] issued to 'ConfigMgr.domain.com'    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)
Completed validation of Certificate [Thumbprint 54b7384b28154466383c3195ac15ed00f08ad1d5] issued to 'ConfigMgr.domain.com'    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)
Skipping this certificate which is not valid for ConfigMgr usage.    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)
There are no certificate(s) that meet the criteria.    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)
Failed to retrieve client certificate. Error -2147467259    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.    SMS_MP_CONTROL_MANAGER    5/19/2017 4:12:23 PM    6168 (0x1818)

I believe the wrong certificate is being used for this as the cert thumbprint ending in d1d5 is the SQL Server Identification Certificate.  We have certificate auto enrollment in the environment and all other clients are connecting fine, except the ConfigMgr server itself.

Currently the Clients Certificate Selection settings in the Client Computer Communication on the site is set to "Client Authentication Capability".  If I changed it to "Certificate Subject contains string" and added in our domain the error would go away for the ConfigMgr server, but then all the other clients would disconnect.  Oddly enough, the cert it's choosing is only enabled for Server Authentication.  I'm thinking it's choosing this certificate as it has the longest expiration date - expiring in 2117.

Any suggestions on how to correct this?

Thanks much.


I figured this out.

The subject on the certificate from my auto enroll template was empty. I had to change the template to use "Fully distinguished name" for the Subject.  After that and reissuing the cert, it cleared up.
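
An added example, not part of the original posts: a PowerShell check that lists each certificate in the server's computer store with the properties this thread turned on (empty Subject, Client vs. Server Authentication EKU, expiry date). It assumes the certificates are in Cert:\LocalMachine\My, the function name Get-CertEkuOids is made up for this example, and it does not reproduce ConfigMgr's own selection logic.

```powershell
# Added diagnostic example; run in an elevated PowerShell session on the site server.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Hypothetical helper: return the EKU OIDs of a certificate (empty if it has no EKU extension).
function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @(Get-CertEkuOids -Cert $_)
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        SubjectEmpty  = [string]::IsNullOrWhiteSpace($_.Subject)
        ClientAuth    = $ekus -contains $clientAuthOid
        ServerAuth    = $ekus -contains $serverAuthOid
        NoEku         = ($ekus.Count -eq 0)   # no EKU extension means usage is unrestricted
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

Compare the Thumbprint column with the thumbprint in the mpcontrol.log "Begin validation of Certificate" line to see which store entry the Management Point evaluated.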
