I was troubleshooting a problem with a MP today. I ran the MP Troubleshooter - Pre-Install and everything applicable passed. I had already installed SQL 2005 SP2 Standard, running under the context of a domain user account, sms_sql_user (nothing fancy, just a domain user). I manually set both FQDN and NetBIOS SQL SPNs on the user account and all other MP prerequisites were met. I installed the MP (on the site server) and there were no errors in the setup log. Great, right?
I ran the MP Troubleshooter - Post-Install and there were two similar errors: "Failed to query web site: http:// sms2003:80/SMS_MP/.sms_aut?MPLIST (Exception: The remote server returned an error: (401) Unauthorized.)"
C:\Windows\System32\LogFiles\W3SVC1\ex070712.log contained multiple lines similar to the following:
2007-07-12 18:03:20 W3SVC1 192.168.100.52 GET /SMS_MP/.sms_aut MPCERT 80 - 192.168.100.52 - 401 1 0
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
I was able to successfully query the SLP (e.g., http://sms2003/sms_slp/slp.dll?site&ad=Default-First-Site) so I knew IIS was functioning ok.
Manually attempting the MP query (e.g., http://sms2003/sms_mp/.sms_aut?MPLIST) returned the error: "Internet Explorer cannot download .sms_aut?MPLIST from localhost. Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later."
I assumed it had something to do with the fact that SQL was running under the context of a domain user account and not the local system account, so that consumed most of my troubleshooting effort. Just as I was ready to wipe and reload, it occurred to me that I was using the customer's server image which may have a security template applied. Upon further investigation, it had a custom template based upon the high-security template. D'oh!
I applied C:\Program Files\SMS 2003 Toolkit 2\Security Template\HighSecurity_SMSServer.inf and all was well.