MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

Boopathi Subramaniam 3,196 Reputation points
2020-10-21T10:24:50.98+00:00

Hi,

Below error appears in mpcontrol.log in 4 secondary site servers and not in other SCCM secondary site servers

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden.

I checked that certificate is not expired.
33899-capture.jpg34013-1capture.jpg

34042-3capture.jpg

Please help to solve the issue.

Microsoft Configuration Manager
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ryan Steele 16 Reputation points
    2020-11-08T20:17:50.907+00:00

    I can confirm that the solution posted by @Boopathi Subramaniam solved the issue for me as well. To ensure others are able to find this answer, I am posting the text of the log messages below so it will show up more readily in a web search.

    The following is found in the mpcontrol.log file on the affected site server: 

    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)  
Http test request failed, status code is 403, 'Forbidden'. SMS_MP_CONTROL_MANAGER 11/8/2020 11:12:47 AM 7020 (0x1B6C)

    The following may be found on the CcmNotificationAgent.log file on a client connecting to a Cloud Management Gateway: 

    [CCMHTTP] ERROR: URL=https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72057594037927940/bgb/handler.ashx?RequestType=LogIn, Port=443, Options=1248, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Forbidden BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
Raising event:  
instance of CCM_CcmHttp_Status  
{  
 ClientID = "GUID:8A5350F6-613D-4FF1-BC44-99B4B0C6969E";  
 DateTime = "20201108191531.162000+000";  
 HostName = "CONTOSO.CLOUDAPP.NET";  
 HRESULT = "0x87d0027e";  
 ProcessID = 18388;  
 StatusCode = 403;  
 ThreadID = 7220;  
};  
 BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
Successfully queued RefreshSecuritySettingsEvent event. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
Successfully queued event on HTTP/HTTPS failure for server 'CONTOSO.CLOUDAPP.NET'. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
Failed to post Login with error code 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)  
Failed to signin bgb client with error = 87d0027e. BgbAgent 2020-11-08 11:15:31 AM 7220 (0x1C34)

    This issue may be affecting you if one or more certificates are returned after running the command below on your management point: 

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

    Once you have verified these root certificates are not needed, you can remove them by running this PowerShell command: 

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item
    3 people found this answer helpful.
  2. Fiona Yan-MSFT 2,311 Reputation points
    2020-10-22T10:46:26.963+00:00

    @Boopathi Subramaniam

    Thank you for posting in Microsoft Q&A forum.

    Have we seen the IIS log before? This error may caused when we access WebView or WebPort.When we open the log and then search "403." to see whether we could get detalied info or not?
    Here is a helpful guide for you to refer to:
    https://learn.microsoft.com/en-us/troubleshoot/iis/http-error-403-7-forbidden-web-app

    Have a nice day!

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  3. Cris Kolkman 1 Reputation point
    2021-06-23T08:41:37.22+00:00

    Hello,

    I'm having the same issues as @Bruno Martins was having, but the issue has not been solved (yet) by this solution.
    Yesterday I changed our SCCM to HTTPS only using this manual: https://gmarculescu.com/?p=81
    The only difference is our Root CA is an offline machine and we have an online Subordinate CA issuing the certificates.

    After this the clients stopped reporting to the SCCM server and they're all showing offline.
    Software Center fails to start as well:

    108555-softwarecenter.png

    Running the command below showed 3 certificates not belonging in the Root store, which led me to a wrongly configured GPO deploying Intermediate certificates to the trusted root store. 

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List

    After modifying the GPO and running below command the wrong certificates didn't show up anymore, also not after a gpupdate /force: 

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item

    Now it is about half an hour ago that I corrected this (and rebooted the SCCM server) but it doesn't seem to make any difference, in the mpcontrol.log I still see below error:
    Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error

    Could anyone shed a light on what is going wrong/where should we look for maybe more errors?

    EDIT:
    It's taking a long time but many clients are starting to report again, so this seems to be the solution after all.
    Upcoming days I will keep an eye on the environment.

    0 comments