mbkowns Posted October 28, 2013

I am trying to validate HTTP using the link below but I receive the error Error 403.7 - Forbidden. I can go to https://hostname.fqdn.com/ and everything comes up fine; it's only when I go to the test link.

SCCM 2012 R2 on Server 2012 (MP) with all Windows patches. Server 2008 R2 (Primary)

mpcontrol.log shows

    Completed validation of Certificate [Thumbprint ba0ace702cd3add1972a84b48e4eba876e23d9ec] issued to 'hostname.fqdn.com' SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70)
    Certificate doesn't have SAN2 extension. SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70)
    Using custom selection criteria based on the machine NetBIOS name. SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70)
    Failed to retrieve client certificate. Error -2147467259
    Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.

https://hostname.fqdn.com/SMS_MP/.sms_aut?MPLIST

HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

Most likely causes:
  The page you are attempting to access requires an SSL client certificate.
  You are browsing to the page using HTTP.
  The client certificate has expired or the effective time has not been reached.
  The root certificate (the Certificate Authority certificate) of the client certificate issuing server is not installed on the Web server.

Things you can try:
  Contact the site administrator to obtain a valid client certificate for the Web site.
  Try browsing to the page using HTTPS.
  If you have a client certificate installed, check if it has expired or if the effective time has not been reached.
  Verify that the root certificate is installed on the Web server.

msee Posted October 31, 2013

Hi! Any solution?

mbkowns Posted November 4, 2013

It appears that I needed to use the FQDN of the Internet name not the hostname of the machine. Once I used that it worked properly.

hhancock Posted July 7, 2014

Sorry to bring this really old topic back up. When I upgraded to System Center 2012 R2 Configuration Manager I started to see this issue. It appears that the certificate had expired. I've reissued the certificate and the Management Point now shows that everything is OK. However, when I try to navigate to the SMS_MP/.sms_aut?mplist URL I still receive a 403.7 error. I am not really sure what's going on. When I issued the certificate, I used the DNS name of myserver.domain.com.

Any suggestions would be greatly appreciated.

Peter van der Woude Posted July 7, 2014

If you are navigating to that URL with a browser and your user account, it probably won't use the correct certificate (as the correct certificate is assigned to the computer and not the user) to connect to the Management Point. This will result in a 403.7 error.

wilbywilson Posted July 7, 2014

HHancock,

Here is a post on this topic:
http://social.technet.microsoft.com/Forums/systemcenter/en-US/2b767836-56cf-4f6f-bda2-e44acdb43b26/4037-error-when-testing-mpcert-mplist?forum=configmgrgeneral

As Peter suggests, your machine may not be using the correct certificate when browsing to the url, but that doesn't necessarily indicate that there's a problem. From that link above, "if you're seeing 'Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK' in your mpcontrol.log as per my screenshot above, that's a good sign the MP is functioning correctly."

So, check out your mpcontrol.log, and see what you've got.

hhancock Posted July 7, 2014

Ok, great. The mpcontrol.log does say that it succeeded. The Management Point is showing as OK and all of my clients are showing Active.

Thank you for your help!
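
The mpcontrol.log check discussed in this thread, as an added example that is not part of the original posts: it reads the Management Point's own self-test result from the log instead of relying on a browser session that cannot present the computer certificate. The function names are hypothetical and the sample lines are constructed from the messages quoted above.

```python
import re

# Both outcomes of the MP self-test, worded as quoted in this thread.
SELF_TEST = re.compile(
    r"Call to HttpSendRequestSync (?P<result>succeeded|failed) "
    r"for port (?P<port>\d+) with "
    r"(?:status code (?P<status>\d+)|(?P<hresult>-?\d+) error code)"
)
CERT_FAIL = "Failed to retrieve client certificate"

# Constructed sample: the failure from the first post, then a later success.
SAMPLE_LOG = [
    "Using custom selection criteria based on the machine NetBIOS name. "
    "SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70)",
    "Failed to retrieve client certificate. Error -2147467259",
    "Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.",
    "Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK",
]


def hresult_hex(code):
    """Render a signed 32-bit error code in the usual 0x%08X HRESULT form."""
    return "0x{:08X}".format(code & 0xFFFFFFFF)


def mp_self_test_state(lines):
    """Return the most recent self-test result per port, in log order."""
    state = {}
    cert_failed = False  # set when the MP could not load its client cert
    for line in lines:
        if CERT_FAIL in line:
            cert_failed = True
            continue
        m = SELF_TEST.search(line)
        if not m:
            continue
        if m["result"] == "succeeded":
            entry = {"ok": m["status"] == "200",
                     "detail": "HTTP " + m["status"], "cert_failed": False}
        else:
            # -2147467259 is 0x80004005 (E_FAIL), a generic failure code.
            entry = {"ok": False, "detail": hresult_hex(int(m["hresult"])),
                     "cert_failed": cert_failed}
        state[int(m["port"])] = entry
        cert_failed = False
    return state


if __name__ == "__main__":
    for port, entry in mp_self_test_state(SAMPLE_LOG).items():
        print(port, entry)
```

A failed entry with `cert_failed` set points at certificate selection on the Management Point itself, which is a different condition from a browser receiving 403.7 under a user account.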