Unable to connect to management point when switching to https

Gary Hicks 1 Reputation point
2023-02-24T23:16:00.8266667+00:00

We recently set up a new Microsoft Endpoint Manager environment. Once I switched over to HTTPS communications, clients are unable to connect to the management point. I have run several tests both from clients and on the site server and see errors like the following stating that the client certificate is not trusted by the web server.

[Screenshot: certificate error, MPLIST]

From what I can see our certificate is correct and in the right store. I am not having any issues with our web certificate. The issue is only happening with the client authentication certificate and the distribution point workstation certificate.

I did see this posted on the Microsoft website regarding this error: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-403-forbidden-access-website

When I run the PowerShell script outlined in the article it does identify a certificate in the root certificate authority that it thinks is problematic. However, if I go to delete it, it warns me that this is used by system components and might break something.

Anyway, I am wondering if it is safe to delete this certificate and if there are any other troubleshooting steps I might take to isolate the problem.

Thanks,

Microsoft Security | Intune | Configuration Manager | Other

4 answers

  1. CherryZhang-MSFT 6,496 Reputation points
    2023-02-27T06:26:12.6166667+00:00

    Hi @Gary Hicks,

    To narrow down the problem, we need more information.

    1. Have you configured HTTPS successfully before that?

    2. Please help upload the following logs in full for our reference.

    Server:

    • MPsetup.log
    • Mpcontrol.log  

    Client:

    • ClientIDManagerStartup.log 
    • CcmMessaging.log

    Looking forward to your reply.

    Best regards,
    Cherry


  2. Gary Hicks 1 Reputation point
    2023-02-27T20:51:18.1833333+00:00

    Hello Cherry,

    Thanks for the response. I have uploaded the requested logs: mpcontrol.log, MPSetup.log, CcmMessaging.log, ClientIDManagerStartup.log

  3. CherryZhang-MSFT 6,496 Reputation points
    2023-02-28T06:54:45.0166667+00:00

    Hi @Gary Hicks

    1. Please help reboot the MP server. The MP will be reinstalled after HTTPS is enabled. According to the MPSetup.log, a reboot is required before the changes take effect. The screenshot is for your reference.


    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

    Http test request failed, status code is 403, 'Forbidden'.

    2. From the mpcontrol.log, the above error can be caused by many reasons. Please help check the IIS log files under your inetpub folder for more details of the error. The log files are located under (C or other drive) \inetpub\logs\Logfiles\W3SVC1

    Besides, the following similar threads are for your reference:

    Management Point error: Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden_ (microsoft.com)

    ConfigMgr 1511 MP Troubleshooting – HTTP test request failed, status code is 403. “Forbidden” – Managing MAC OSx (alschneiter.com)

    https://blog.matrixpost.net/__trashed/

    Note: Microsoft provides third-party contact information to help you understand the problem. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    3. Please help check if the certificate “28a5c21f2a9a4506f8336a95bc6b996b58c89887” is the MP server certificate you are using.

    4. How did you deploy the certificate? According to the client logs you provided, the client has not applied the certificate successfully and is still accessing the server using HTTP. We can also check it from the following window.


    For more information about how to enable the HTTPS in SCCM, we can refer to this link:

    how to enable the HTTPS in SCCM


    Looking forward to your feedback.

    Best regards

    Cherry
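
For step 2 of the answer above (checking the IIS logs for details of the 403), this is an added example, not part of the thread or of Microsoft's tooling: it reads W3C-format IIS log entries, keeps the 403 responses, and labels the client-certificate sub-status codes so that an untrusted certificate (403.16) can be told apart from a missing, revoked or expired one. The function name `Get-Iis403Summary` and the sample log entries are constructed for illustration.

```powershell
# IIS sub-status codes for client-certificate related 403 responses.
$SubStatus = @{
    7  = 'Client certificate required'
    13 = 'Client certificate revoked'
    16 = 'Client certificate is untrusted or invalid'
    17 = 'Client certificate has expired or is not yet valid'
}

function Get-Iis403Summary {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Line)

    $fields = @()
    $hits = foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The #Fields directive names the columns of the entries after it.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $cols = $l.Trim() -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # truncated or malformed entry
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -ne '403') { continue }
        $sub = [int]$row['sc-substatus']
        [pscustomobject]@{
            Code    = "403.$sub"
            Meaning = if ($SubStatus.ContainsKey($sub)) { $SubStatus[$sub] } else { 'Other 403 sub-status' }
            Uri     = $row['cs-uri-stem']
            Client  = $row['c-ip']
        }
    }
    # One row per distinct code and URI, most frequent first.
    $hits | Group-Object Code, Meaning, Uri | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample entries (not taken from the logs uploaded in this thread).
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus sc-win32-status'
    '2023-02-27 20:01:11 GET /SMS_MP/.sms_aut MPLIST 443 10.0.0.21 403 16 2148204809'
    '2023-02-27 20:01:15 GET /SMS_MP/.sms_aut MPLIST 443 10.0.0.22 403 16 2148204809'
    '2023-02-27 20:02:03 GET /SMS_MP/.sms_aut MPCERT 443 10.0.0.21 200 0 0'
    '2023-02-27 20:02:40 CCM_POST /ccm_system/request - 443 10.0.0.23 403 7 0'
)
Get-Iis403Summary -Line $sample
```

On the MP server, pass the output of `Get-Content` for a log file from the W3SVC1 folder named in step 2 instead of `$sample`.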


     



  4. CherryZhang-MSFT 6,496 Reputation points
    2023-03-02T06:34:40.2466667+00:00

    Hi @Gary Hicks

    Is your MP located on the Internet? Please help check if you have checked the option “Clients check the certificate revocation list (CRL) for site systems” on the site properties page. The screenshot for your reference:


    Thanks for your time.

    Best regards,
    Cherry
