I was working on internet-based client management for ConfigMgr 2012 SP1 for a client.
HTTPS communication was working bar a slight issue whereby the certificate issuing authority we used had specifically been configured not to allow autoenroll. So certificates were having to be issued manually. Given the number of machines the business had this wasn’t an option. Therefore a different issuing authority was chosen which would allow autoenroll once configured.
After making the changes and configuring the autoenrollment permissions and restarting the configmgr server I noticed the below error in Mpcontrol.log “Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden”
The Thumbprint in the error relates to the client authentication certificate.
I performed the following whilst troubleshooting the error:
- Change the Management Point back to HTTP. Everything was now responding again, so I knew it was a certificate issue.
- I deleted the certificate and requested it again
- I changed the Management Point back to HTTPS, same issue again.
- Looking at trusted root certification store I noticed an entry for one of their subordinate certificate authorities but not the one we were using.
- Added the subordinate certificate from that issuing authority and this resolved the error.
The Mpcontrol.log shows:
“Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK”