Client not getting updates

Ahmed Essam 201 Reputation points
2021-08-08T23:49:55.547+00:00

Hi,

We recently faced a new issue with our ConfigMgr clients. We are using PKI to secure the communication.

On the client's side, we checked PolicyAgent.log and we see that the client is unable to download policies, with the following error:

BITS error: 'HTTP status 403: The client does not have sufficient access rights to the requested server object.\n' Context: 'The error occurred while the remote file was being processed.\n'";

DTS job '{7D9720E2-D706-4AB5-A83E-6D528E7D18EA}' is finished for 5 files. ReturnCode: 0x80190193, Message: 'BITS error: 'HTTP status 403: The client does not have sufficient access rights to the requested server object.
' Context: 'The error occurred while the remote file was being processed.

LocationService.Log

[CCMHTTP] ERROR: URL=https://MPSRV.Domain.local/SMS_MP/.sms_aut?SMSTRC, Port=443, Options=1472, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden

IIS Log on ConfigMgr Server

/SMS_MP/.sms_pol %7B010000FF%7D-%7BPER%7D.3_00 443 - 10.29.83.35 Microsoft+BITS/7.8 - 403 16 2148204809 190 31 IIS Log

BITS_POST /CCM_Incoming/{51F4BA0E-16D4-4453-A048-9818C17806F3} - 443 - 10.29.82.66 Microsoft+BITS/7.8 - 403 7 64 0 15

GET /SMS_MP/.sms_aut MPKEYINFORMATIONEX 443 - 10.16.4.72 SMS+CCM+5.0 - 403 16 2148204809 1423 15

Thanks,

Microsoft Configuration Manager

3 answers

  1. Amandayou-MSFT 11,051 Reputation points
    2021-08-09T06:56:25.187+00:00

    Hi @Ahmed Essam

    This may be caused by having non-self-signed certificates in the trusted root certificate store on the SMP server.

    Please navigate to Microsoft Management Console with the certificate snapshot. When reviewing a certificate, you can open the certificate and look at the General tab. If the "Issued to:" and the "Issued by:" are the same name, then it is a self-signed root certificate. If the "Issued to:" and the "Issued by:" are not the same name, then it is not a root certificate and should be moved to the appropriate certificate store.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
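
The "Issued to" versus "Issued by" check described in the answer above can be scripted instead of clicking through each certificate; this is an added example, not part of the original answer or Microsoft's own script. It assumes an elevated PowerShell session on the server, and the function name `Get-NonSelfSignedRootCert` and the choice of the Intermediate store (`Cert:\LocalMachine\CA`) as the destination for CA certificates are assumptions made for illustration.

```powershell
# Added example: audit the machine Trusted Root store for certificates whose
# Subject ("Issued to") differs from Issuer ("Issued by").
function Get-NonSelfSignedRootCert {
    [CmdletBinding()]
    param(
        # Store to audit; defaults to Local Computer > Trusted Root Certification Authorities.
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -ne $_.Issuer }
}

# Returns $true when the certificate carries a Basic Constraints extension marking it as a CA.
function Test-IsCaCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc -and $bc.CertificateAuthority)
}

$misplaced = @(Get-NonSelfSignedRootCert)
if ($misplaced.Count -eq 0) {
    Write-Output 'Trusted Root store contains only self-signed certificates.'
    return
}

# Report first, so the change can be reviewed before anything is moved.
$misplaced |
    Select-Object Subject, Issuer, Thumbprint, NotAfter,
        @{ Name = 'IsCA'; Expression = { Test-IsCaCert $_ } } |
    Format-List

foreach ($cert in $misplaced) {
    if (Test-IsCaCert $cert) {
        # Intermediate CA certificate: preview the move to the Intermediate store.
        # Remove -WhatIf to apply the change after review.
        $cert | Move-Item -Destination 'Cert:\LocalMachine\CA' -WhatIf
    }
    else {
        # End-entity certificate in the root store: decide by hand where it belongs.
        Write-Warning "Review manually: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
```

The IIS log lines in the question show `403 16 2148204809`: sub-status 16 is IIS's code for an untrusted or invalid client certificate, and 2148204809 is 0x800B0109 (CERT_E_UNTRUSTEDROOT).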


  2. Rahul Jindal [MVP] 9,281 Reputation points MVP
    2021-08-09T21:48:50.117+00:00

    Any errors in ccmmessaging?


  3. Rahul Jindal [MVP] 9,281 Reputation points MVP
    2021-08-10T21:39:44.317+00:00

    The issue does appear to be with the PKI cert missing on the device in question. Is the cert enrolled on the device? What version of CB are you running? Maybe consider eHTTP with token-based authentication instead. It is not the same as PKI but makes the setup simpler.
