On 11/18/22, I started noticing the following MP error on our primary site server.
MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.
These are the suggested actions, which I checked; all of them are configured correctly:
Possible cause: Management point encountered an error when connecting to SQL Server.
Solution: Verify that the SQL Server is properly configured to allow Management Point access. Verify that management point computer account or the Management Point Database Connection Account is a member of Management Point Role (smsdbrole_MP) in the SQL Server database.
Possible cause: The SQL Server Service Principal Names (SPNs) are not registered correctly in Active Directory
Solution: Ensure SQL Server SPNs are correctly registered. Review Q829868.
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which the site is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which the site is configured to use.
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly.
Possible cause: The MP ISAPI Application Identity does not have the requisite logon privileges.
Solution: Verify that the account that the MP ISAPI is configured to run under has not been denied batch logon rights through group policy.
For more information, refer to Microsoft Knowledge Base article 838891.
This MP happens to also be our site server. All of the other site server roles are functioning correctly. When I look at the CcmMessaging.log on this machine, I see the following log entries:
EndpointMessage(Queue='MP_RelayEndpoint', ID={501A05FD-A71D-4380-BD0D-982010A1CD8D}): Will be discarded (0x8009200c). CcmMessaging 11/23/2022 4:03:22 PM 11496 (0x2CE8)
EndpointMessage(Queue='MP_RelayEndpoint', ID={0D5353B3-13B0-457A-B81D-63ED0E89F338}): Will be discarded (0x8009200c). CcmMessaging 11/23/2022 4:05:01 PM 11616 (0x2D60)
Supplied sender token is null. Using GetUserTokenFromSid to find sender's token. CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
AAD Auth is not ready for user 'S-1-5-21-709937114-2191035849-1797255849-13173' CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
[CCMHTTP] ERROR: URL=https://OSB-SCCM01.domain.local/ccm_system_windowsauth/request, Port=443, Options=63, Code=0, Text=CCM_E_NO_TOKEN_AUTH CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:E6B1F88B-DEF2-4608-98A1-3A854172E9FB";
DateTime = "20221123220543.768000+000";
HostName = "OSB-SCCM01.domain.local";
HRESULT = "0x87d00455";
ProcessID = 7176;
StatusCode = 403;
ThreadID = 11496;
};
CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Successfully queued event on HTTP/HTTPS failure for server 'OSB-SCCM01.domain.local'. CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Post to https://OSB-SCCM01.domain.local/ccm_system_windowsauth/request failed with 0x87d00231. CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
I re-issued the client cert just to be sure, and that did not resolve the issue.
Any thoughts on how to solve this are appreciated. I do have another server that acts as an MP, so in the meantime I have removed the MP role from the site server so that clients will be able to communicate properly.
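The following Python example is added here and is not part of the original post. It parses CcmMessaging.log entries in the layout they have in this post and groups each [CCMHTTP] ERROR with what the same thread logged in the same second, so the 403 can be read together with the token and certificate messages around it. The layout regex and the function names `parse` and `http_failures` are assumptions made for illustration.

```python
import re
from datetime import datetime
# Trailer on each pasted entry: component, date, time, thread id (hex thread id).
TRAILER = re.compile(r"^(?P<msg>.*?)\s*(?P<comp>\S+)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} "
                     r"\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$")
HTTP_ERR = re.compile(r"\[CCMHTTP\] ERROR: URL=(?P<url>\S+?), Port=\d+, .*Text=(?P<text>\S+)")
STATUS = re.compile(r"StatusCode=(\d+) StatusText=(.+)")
HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}\b")

def parse(text):
    """Split pasted log text into entries; lines without a trailer join the next one that has it."""
    entries, pending = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = TRAILER.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            msg = "\n".join(p for p in pending + [m["msg"]] if p)
            entries.append({"msg": msg, "key": (int(m["tid"]), when)})
            pending = []
        else:
            pending.append(line)
    return entries

def http_failures(entries):
    """For each [CCMHTTP] ERROR, collect what the same thread logged in the same second."""
    out = []
    for i, e in enumerate(entries):
        m = HTTP_ERR.search(e["msg"])
        if m:
            near = [(j, x) for j, x in enumerate(entries) if x["key"] == e["key"]]
            joined = "\n".join(x["msg"] for _, x in near)
            st = STATUS.search(joined)
            out.append({"url": m["url"], "text": m["text"], "status": int(st[1]) if st else None,
                        "hresults": sorted({h.lower() for h in HRESULT.findall(joined)}),
                        "before": [x["msg"] for j, x in near if j < i]})
    return out

# Sample input: entries copied from the post above, with the raised event's body shortened.
SAMPLE = """
EndpointMessage(Queue='MP_RelayEndpoint', ID={501A05FD-A71D-4380-BD0D-982010A1CD8D}): Will be discarded (0x8009200c). CcmMessaging 11/23/2022 4:03:22 PM 11496 (0x2CE8)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
[CCMHTTP] ERROR: URL=https://OSB-SCCM01.domain.local/ccm_system_windowsauth/request, Port=443, Options=63, Code=0, Text=CCM_E_NO_TOKEN_AUTH CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Raising event:
HRESULT = "0x87d00455";
CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)
Post to https://OSB-SCCM01.domain.local/ccm_system_windowsauth/request failed with 0x87d00231. CcmMessaging 11/23/2022 4:05:43 PM 11496 (0x2CE8)"""
if __name__ == "__main__":
    print(http_failures(parse(SAMPLE)))
```

The earlier "Will be discarded" entry is left out of the group because it was logged at a different time, even though it is on the same thread.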