Here is an interesting one I saw the other day. We had a Management Point set up to support Internet clients, and while everything seemed to be set up correctly we kept seeing the error “Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden” in the MPControl.log:
There is only one certificate in the store. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
Initialization unsuccessfully completed within the allowed interval. SMS_MP_CONTROL_MANAGER 1/16/2009 12:04:59 AM 4488 (0x1188)
So after seeing this the prime suspect was the certificate, but the certificates seemed to have been correctly configured per Certificate Requirements for Native Mode.
Next we took a look at the IIS.log file and found this:
2009-01-16 15:45:13 W3SVC1 xx.xx.xx.xx CCM_POST /ccm_system/request – 443 – xx.xx.xx..xx ccmhttp 403 16 2148204809
2009-01-16 15:48:05 W3SVC1 xx.xx.xx.xx CCM_POST /ccm_system/request – 443 – xx.xx.xx.xx ccmhttp 403 13 2148081683
Tracking down these two errors in IIS led us here:
403.13 Client Certificate Revoked
This error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority’s Certificate Revocation List or the server could not retrieve a CRL from the issuing authority.
By default, Internet Information Services (IIS) checks to see if the client certificate that is being presented has been revoked. It does this by downloading the client certificate’s Certificate Revocation List (CRL) from a Certificate Distribution Point (CDP) that is listed as part of the client certificate. If IIS is unable to download at least one of the CRLs of the client certificate, the HTTP error message is displayed in the client’s browser.
403.16 – Client certificate is untrusted or invalid
This error message is primarily generated when the certificate that the client provided is improperly formed. It can also be generated if there are intermediate certification authorities in the certificate chain that are not trusted by the Web server. See KB294305 - IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked.
There are two potential solutions to this:
Solution 1: This can occur if the CDP for the CRL cannot be reached from the web server in question. If this is the case, look at the CRL Distribution Points property of the certificate and make sure the web server can reach the URL listed there.
Solution 2: Turn off CRL checking on the web server. You can do this by running the following command:
cscript adsutil.vbs set w3svc/CertCheckMode 1
Once you do this, be sure to restart the web services. One note of caution on this one, though: turning off CRL checking can pose a security risk, so be sure you fully understand the ramifications before pursuing this solution. This is not recommended and is included here for testing purposes only.
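As an added diagnostic for Solution 1 (this script is not from the original post and is not a ConfigMgr or IIS tool), the following PowerShell reads the CRL Distribution Points out of a certificate, tries to download each HTTP CRL from the web server, and then builds the chain with online revocation checking, which is the same check IIS performs before answering 403.13 or 403.16. The thumbprint parameter and the certificate store path are assumptions; pass the values for your own server.

```powershell
# Added example, not from the original post: reproduce the revocation check
# IIS performs on a client certificate so that a 403.13 caused by an
# unreachable CDP can be told apart from a real revocation or a trust
# problem (403.16). The thumbprint and store path are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [string] $StorePath = 'Cert:\LocalMachine\My'
)

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

# Step 1: pull every URL out of the CRL Distribution Points extension
# (OID 2.5.29.31) and try to fetch the HTTP ones from this machine.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'Certificate carries no CRL Distribution Point extension'
} else {
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') { "SKIP  $url (not HTTP)"; continue }
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "OK    $url ($($resp.RawContentLength) bytes)"
        } catch {
            "FAIL  $url : $($_.Exception.Message)"
        }
    }
}

# Step 2: build the chain with online revocation checking for every
# certificate in it. The .NET status flags map onto the IIS sub-codes the
# post describes: RevocationStatusUnknown / OfflineRevocation is 403.13 with
# an unreachable CRL, Revoked is 403.13 for a genuinely revoked certificate,
# UntrustedRoot / PartialChain corresponds to 403.16.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)

"Chain builds cleanly: $built"
foreach ($s in $chain.ChainStatus) {
    "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

Run it on the Management Point itself, under an account with the same network access as the IIS worker process, since a CDP reachable from your workstation but not from the server is exactly the case Solution 1 describes.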
Hope this helps,
Jeevan Bisht | Support Escalation Engineer