Posts Tagged ‘Troubleshoo’

MPCert & MPList Access Denied Error after securing the management point by a certificate

October 4, 2012 2 comments


To avoid Man In the Middle (MIM) threats, it is advised to configure Management Points to use certificates to secure communications between SCCM agents and management site servers.

A very nice article describes step by step the way to follow in order to succeed the configuration.

But what are the required certificates?

* ConfigMgr Client Certificate
By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

* ConfigMgr Web Server Certificate
This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

So the client certificate is so important to communicate with SCCM site system servers. The agent is configured according to the parameters defined in the Client Computer Communication in such way to select The certificate with the Client Authentication capability from a given store and with some other criteria that you can define.

Now, if you want to verify that all works fine, please check the mpcontrol.log for client-server communications and mpsetup.log to verify the reinstallation of the MP according to the new configuration.

Another good manner to do that is from your browser and in this case you have to type:  https://<MP name>/sms_mp/.sms_aut?mplist to check the Management points list and here BINGO! 403 error : Access Denied.

What’s the matter?

In my introduction, I have spoken about the client certificate which is used to authenticate the client to the site server. Your agent client can select the good certificate but your browser (that plays the role as your agent) has to select the (same perhaps) that matches.

So you have to configure your browser to use this certificate. To achieve this goal, please follow these steps:

  • Export the client certificate that the SCCM agent uses with its private key in pfx format.
  • Import the exported certificate in your IE browser : Options>Internet Tools>Content>Certificates>in the personnal store import the pfx file.

Refresh your page and it works!

Categories: MS Technologies, SCCM Tags: