
MPCert & MPList Access Denied Error after securing the management point by a certificate


To mitigate man-in-the-middle (MITM) threats, it is advised to configure management points to use certificates (HTTPS) to secure communications between SCCM agents and the site system servers.

A very nice article describes, step by step, the procedure to follow to get the configuration working.

But what are the required certificates?

* ConfigMgr Client Certificate
By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

* ConfigMgr Web Server Certificate
This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

So the client certificate is essential for communicating with the SCCM site system servers. The agent selects its certificate according to the parameters defined under Client Computer Communication: it looks for a certificate with the Client Authentication capability in a given store, filtered by any other criteria you define there.

Now, if you want to verify that everything works, check mpcontrol.log for client-server communications and mpsetup.log to verify the reinstallation of the MP with the new configuration.

Another good way to check is from your browser: browse to https://<MP name>/sms_mp/.sms_aut?mplist to request the management point list and here, BINGO! 403 error: Access Denied.

What’s the matter?

In my introduction, I spoke about the client certificate that authenticates the client to the site server. Your agent can select the right certificate, but your browser (which plays the role of the agent here) also has to present a certificate that matches (possibly the same one).

So you have to configure your browser to use this certificate. To achieve this goal, please follow these steps:

  • Export the client certificate that the SCCM agent uses, with its private key, in PFX format.
  • Import the exported certificate into your IE browser: Tools > Internet Options > Content > Certificates > Personal store > import the PFX file.

Refresh your page and it works!
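The same check, scripted, as an added example that is not part of the original post: it picks the client-authentication certificate from the local machine Personal store (the default location the agent searches) and requests the MPLIST URL both without and with that certificate, so you can see the 403 turn into a 200. It assumes Windows PowerShell 5.1, that $MPName is the MP's FQDN, and that you run it elevated so the private key is readable.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
param(
    [Parameter(Mandatory = $true)][string]$MPName   # FQDN of the management point
)

$uri = "https://$MPName/sms_mp/.sms_aut?mplist"

# Client Authentication EKU OID: the capability the Client Computer
# Communication settings require the agent certificate to carry.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Same store the agent uses by default: Personal store of the computer account.
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $clientCert) {
    Write-Warning "No valid client-authentication certificate with a private key in Cert:\LocalMachine\My."
}

function Test-MPEndpoint {
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    try {
        $params = @{ Uri = $Uri; UseBasicParsing = $true; ErrorAction = 'Stop' }
        if ($Certificate) { $params.Certificate = $Certificate }
        return [int](Invoke-WebRequest @params).StatusCode
    } catch [System.Net.WebException] {
        # A 403 surfaces as a WebException; report the status code instead of failing.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Without a certificate the MP is expected to answer 403 (the Access Denied from the post).
"Without client certificate: HTTP $(Test-MPEndpoint -Uri $uri)"

if ($clientCert) {
    $code = Test-MPEndpoint -Uri $uri -Certificate $clientCert
    "With '$($clientCert.Subject)' (thumbprint $($clientCert.Thumbprint)): HTTP $code"
}
```

If the second request still returns 403, the selected certificate does not satisfy the criteria configured under Client Computer Communication, which is the next place to look.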

Categories: MS Technologies, SCCM
  1. sebus
    August 24, 2015 at 10:27 am

    Export the client certificate that the SCCM agent uses…

    And that is which one?

    • October 16, 2015 at 9:54 pm

      Hi Sebus! Sorry to be late. Generally, certificates issued based on templates that support Client Authentication are sufficient. It depends on the criteria you define for the client certificates, and you choose the one that corresponds.
