ConfigMgr 1511 MP Troubleshooting – HTTP test request failed, status code is 403. “Forbidden” – Managing MAC OSx

I have recently faced following issue “HTTP test request failed, status code is 403. “Forbidden” ” on Management Point and was not Abel to connect MAC OSx Devices to the MP. To fix this issue, I followed the below steps and maybe you can do so.

Issue

We have HTTPS enabled on the Management Point for managing MAC OSx Clients and it is still not able authenticate. Due to this it is reporting this error.

The MPControl.log is reporting following error:
“Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden” “HTTP test request failed, status code is 403. ‘Forbidden”

error1

Solution

Look at the IIS Log files under your inetpub folder for more details of the error. The log files are located under  (C or D drive)  \inetpub\logs\Logfiles\W3SVC1

As you see in the below highlighted line error code 403 13, which indicates an issue with Client Certificate Revocation (CRL) Check on IIS.

error2

To fix this issue disable the Revocation check. Client Certificate Revocation is enabled by default. We need to delete all existing bindings on IIS and readd them again. The easiest way to do this is using the netsh command.

  1. Run the below command line and make a note of the details
    netsh http show sslcert
    blog_060115_3
  2. Delete existing SSL bindings
    netsh http delete sslcert ipport=0.0.0.0:443
    blog_060115_4
  3. Readd SSL binding and disable CRL check
    netsh (enter)
    http add sslcert ipport=0.0.0.0:443 certhash= 6cfa619aa7cb9eed29d1ccb0ec783ee40d20281c appid={4dc3e181-e14b-4a21-b022-59fc669b0914}  certstorename=My  verifyclientcertrevocation=disable
    blog_060115_5
  4. Run “netsh http show sslcert” again to check the status of the CRL check
    blog_060115_6
  5. Check the mpcontrol.log. The error is gone.

Tray again to connect your MAC OSx ConfigMgr Client to your ConfigMgr Primary Site Server. You should now be able to connect. Your MAC will also appear in the ConfigMgr console.

blog_060115_7.PNG

Connection to ConfigMgr established:

blog_060115_9.PNG

Now manage your MAC under “Devices” in the ConfigMgr Console:

blog_060115_8

Use this as a workaround if you’re not able to publish the CRL for your Site Servers.

Enjoy ConfigMgr!

 

House of cards – new WSUS Option in ConfigMgr 1511

In the past we used the guide from Kent Agerlund (MVP) for cleaning up the WSUS Database in ConfigMgr, also called the house of cards! This guide is still very popular and of course necessary for having a correct configured WSUS Server. As Kent mentioned, you should do the cleanup task every Monday morning before you start any other work :-)!

But now we got a new option in ConfigMgr 1511 when we setup the Software Update Point. This will allow ConfigMgr to cleanup the WSUS Database and remove any obsolet updates from the WSUS DB.

1

To enable and run the WSUS cleanup job

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.

  2. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.

  3. Click the Supersedence Rules tab, select Run WSUS cleanup wizard, and then click OK.

Thanks to the MS Product Team to integrate this feature in future ConfigMgr versions!

 

 

ConfigMgr 2012 R2 SP1 Application Catalog promts for cridentials

sccm2012_logo.gif-1200x0[1]

If you start using the Application Catalog from Configuration Manager 2012 R2 SP1 you have to configure some settings before the users can access it.

Probably you recieve a login propt when accessing the application catalog from your client.

Solution

After installing the role and checking the logs for a successfull installtion (SMSAWEBSVCSetup.log & SMSPORTALWEBSetup.log) you have to change the client settings:

  • Change the “Computer Agent” settings:

1

  • Select your Application Catalog website:
2
  • Add your Application Catalog website to your clients by using Group Policy:
3
This steps will allow you to use the Application Catalog without any logon prompts. Configure also your Enterprise Mode settings when you use Windows 10 EDGE Browser. EDGE does not support Silverlight but the Software Center and the Application Catalog is using Silverlight.
Cheers
Al

New blog

After blogging on sccmfaq.ch I finally started my own blog – blog.alschneiter.com. I’m focused on all the new and rising Microsoft Windows Client technologies. This includes stuff like, Windows 10, Configuration Manager (ConfigMgr), EMS, Office365, Azure RemoteApps, Remote Desktop Services (RDS), MDOP and much more! Just the modern workplace. Any questions to me? Feel free to contact me using this blog or twitter!

And, don’t miss all the technical deep dives, technical news and also some fun stuff. Subscribe right now!

Cheers,
Al

itnetX_portraits_2015_14