ConfigMgr 2012 [READ ME] Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden


SYMPTOM :
======================================================================================
MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 403.
======================================================================================

CAUSE :
======================================================================================
Client certificate revocation was enabled.
======================================================================================

RESOLUTION :
======================================================================================
To resolve the issue, we followed these steps:

1. We checked the virtual directories of the management point.
2. Browsing the SMS_MP virtual directory returned errors 403.2, 500.19 and 403.14.
3. We corrected error 403.2 by enabling the Read permission in Handler Mappings. To correct error 500.19, we added Authenticated Users and gave them Read and Execute permission. Finally, to correct error 403.14, we enabled Directory Browsing.
4. We restarted the SMS EXEC service and IIS, but that did not resolve the issue.
5. We investigated the IIS logs further and found errors 403.13 and 403.16 on connections to the same SMS_MP virtual directory.
6. To correct the 403.13 error:
We created the DWORD value DefaultSslCertCheckMode and set it to 1 to disable the CRL check for client certificates.
7. To correct the 403.16 error:
We created two registry values at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:
SendTrustedIssuerList = 0 (stops sending the list of trusted root certification authorities during the TLS/SSL handshake)
ClientAuthTrustMode = 2 (sets the trust mode to Exclusive CA Trust, which requires that a client certificate chain to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store)
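
The IIS log check from step 5 and the Schannel values from step 7, as an added PowerShell example that is not part of the original post. The log lines are constructed, and the function names `Get-MpSubStatusTally` and `Get-SchannelTrustSetting` are hypothetical.

```powershell
# Added example, not from the original post. Sample log lines are constructed.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status sc-substatus
2000-01-01 10:00:01 GET /SMS_MP/.sms_aut 443 192.0.2.10 403 13
2000-01-01 10:00:05 GET /SMS_MP/.sms_aut 443 192.0.2.11 403 16
2000-01-01 10:00:09 GET /SMS_MP/.sms_aut 443 192.0.2.10 403 13
2000-01-01 10:00:12 GET /CCM_Client/ccmsetup.cab 443 192.0.2.12 200 0
'@ -split '\r?\n'

# IIS sub-status meanings for the two codes found in step 5.
$meaning = @{ '403.13' = 'client certificate revoked'
              '403.16' = 'client certificate untrusted or invalid' }

# Hypothetical helper: count status.substatus pairs for one virtual directory,
# taking column positions from the W3C #Fields header instead of fixed offsets.
function Get-MpSubStatusTally {
    param([string[]]$Lines, [string]$UriPrefix = '/SMS_MP')
    $fields = @(); $counts = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($line -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $cols = @($line.Trim() -split ' ')
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike "$UriPrefix*") { continue }
        $key = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
        $counts[$key] = 1 + [int]$counts[$key]
    }
    $counts
}

# Hypothetical helper: show the two Schannel values from step 7 next to the
# values the post sets. A value that does not exist shows as empty.
function Get-SchannelTrustSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $postValues = [ordered]@{ SendTrustedIssuerList = 0; ClientAuthTrustMode = 2 }
    foreach ($name in $postValues.Keys) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $name; Current = $item.$name; PostValue = $postValues[$name] }
    }
}

(Get-MpSubStatusTally -Lines $sampleLog).GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0}  x{1}  {2}' -f $_.Name, $_.Value, $meaning[$_.Name] }
Get-SchannelTrustSetting | Format-Table -AutoSize
```

To run it against real data, pass the output of `Get-Content` on the site's W3C log file as `-Lines`.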
