4,608 questions
Solved, renew the certificate client authentication and works fine.
I think it's needed to self-test.
Regards,
Management Point with error in mpcontrol and inetpub 403 - Failed to retrieve client certificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sergi Díaz Ruiz
240
Reputation points
Afternoon all !!!
I have the following issue:
Failed to retrieve client certificate. Error -2147467259 SMS_MP_CONTROL_MANAGER 17/08/2023 17:49:18 5796 (0x16A4)
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code. SMS_MP_CONTROL_MANAGER 17/08/2023 17:49:18 5796 (0x16A4)
Sent summary record of SMS Management Point on ["Display=\XXXX.XXXX.COM"]MSWNET:["SMS_SITE=CAR"]\XXX.XXXX.CARREFOUR.COM\ to C:\SMS\MP\OUTBOXES\sitestat.box\fb5ht01b.SUM, Availability 1, 146076668 KB total disk space , 91179720 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER 17/08/2023 17:49:18 5796 (0x16A4)
Http test request failed, error code is -2147467259. SMS_MP_CONTROL_MANAGER 17/08/2023 17:49:18 5796 (0x16A4)
I think is related with PKI certificated but I'm not sure and I want to know if MP need client authenticate certificate and server authenticate certificate. Server authenticate it's normal and obviously but client? It's needed? Why? When MP use it?
Have another question, in IIS logs I saw the errors, but I saw too the 200 code in HTTPS connects, how? Why?
For example:
2023-08-17 12:07:39 1x.7x.7x.x4 CCM_POST /BGB/handler.ashx RequestType=Continue 443 - 1X.7X.7X.XX4 ccmhttp - 403 7 0 1690 15
2023-08-17 12:07:39 1x.7x.7x.x4 GET /SMS_MP_TOKENAUTH/.sms_aut MPKEYINFORMATIONEX 443 - 1X.7X.7X.XX4 SMS+CCM+5.0 - 200 0 0 5301 15
2023-08-17 12:07:39 1x.7x.7x.x4 CCM_POST /BGB/handler.ashx RequestType=Continue 443 - 1X.7X.7X.XX4 ccmhttp - 200 0 0 1402 46
2023-08-17 12:07:39 1x.7x.7x.x4 CCM_POST /BGB/handler.ashx RequestType=Continue 443 - 1X.7X.7X.XX4 ccmhttp - 200 0 0 538 221264
2023-08-17 12:07:39 10.71.75.x4 GET /SMS_MP/.sms_aut MPCERT2 443 - 1X.7X.7X.XX4 SMS+CCM+5.0 - 403 7 0 1589 15
2023-08-17 12:07:39 1x.7x.7x.x4 GET /SMS_MP_TOKENAUTH/.sms_aut MPCERT2 443 - 1X.7X.7X.XX4 SMS+CCM+5.0 - 200 0 0 6133 0
2023-08-17 12:07:40 1x.7x.7x.x4 CCM_POST /BGB/handler.ashx RequestType=Continue 443 - 1X.7X.7X.XX4 ccmhttp - 403 7 0 1690 15
I understand the 200 code is a request to get the token but when try to post we get the error because certified is expired. So... Where in Microsoft documentation is explained why we need client authentication certificate in MP? I don't see nothing about :(
Can someone help me ?
TIA!!!
Microsoft Security Intune Configuration Manager Other
3 answers
Sort by: Most helpful
-
-
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP2023-08-19T09:40:46.5833333+00:00 I do remember that CM server requires also client cert from PKI. Start from here: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/certificates-overview
Look into this as well: https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/
You should first check, what cert is binded in IIS for 443 port.
-
Sergi Díaz Ruiz 240 Reputation points
2023-08-21T08:10:03.0633333+00:00 Morning!! My 443 binding is ok. Not expired and working fine. I think is a problem with client certificate, but I don't understand why.... Why the server need client certificate? I remember that server haven't configured client certificate before (I think)...
But look the mpcontrol.log:
Client authentication is also enabled. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)Machine name is 'XXXXXXXXXXXX'. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
There are no certificate(s) that meet the criteria. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
Performing machine FQDN to SAN2 search. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
Certificate doesn't have SAN2 extension. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
Begin validation of Certificate [Thumbprint XXXXXXXXX3f56fec9188439ae43b9356] issued to 'XXXXXXXX' SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
Certificate doesn't have "SSL Client Authentication" capabilities. SMS_MP_CONTROL_MANAGER 21/08/2023 10:08:01 7284 (0x1C74)
-
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP
2023-08-21T08:37:28.2166667+00:00 I think you should have certificate in mmc cets \ computer \personal. Same you use for IIS. It has been 5 years when I did this myself, so I can't remember.
Sign in to comment -
-
Simon Ren-MSFT 40,341 Reputation points Microsoft External Staff2023-08-23T08:15:14.5633333+00:00 Hi,
Thanks very much for your feedback and sharing. We're glad that the issue is gone now. It's appreciated that you could click "Accept Answer" to the helpful reply, this will help other users to search for useful information more quickly. Here's a short summary for the problem.
Problem/Symptom:
The error below is generating in mpcontrol.log:
Failed to retrieve client certificate. Error -2147467259
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.
Solution/Workaround:
Renew the certificate client authentication and works fine.
Thanks again for your time. Have a nice day!
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.