Support Tip: A ConfigMgr 2012 Management Point enabled for SSL fails with 403 forbidden

~ Vinayak Sharma | Technical Lead

Here’s a quick tip on an interesting issue I saw the other day in case you happen to run across it.

The core issue is that an HTTPS enabled System Center 2012 Configuration Manager (ConfigMgr 2012) Management Point (MP) installed on Windows Server 2012 may not work as expected, and in the IIS logs you see a 403.16 status code which resolves to ‘Client certificate is untrusted or invalid.’ The Mpcontrol.log will also show the following:

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
Http test request failed, status code is 403, 'Forbidden'.

This can occur if IIS is not configured to use a Certificate Trust List (CTL). Without a CTL, SSL client certificate authentication will fail with the 403.16 error mentioned above because SChannel.dll wrongly considers the client certificate to be untrusted.

NOTE: Having no CTL in use is the default configuration of IIS 8.0. This is configured by having no SendTrustedIssuerList present or by setting SendTrustedIssuerList=0.

This can also occur if there is a non-self-signed certificate in the 'Trusted Root Certification Authorities' certificate store.


To resolve this issue we need to have these two registry values created on the MP server.



Also make sure that there is no non-self-signed certificate in the 'Trusted Root Certification Authorities' certificate store. To verify this, open MMC and add the Certificates snap-in. Navigate to 'Trusted Root Certification Authorities'. There should not be any certificate where 'Issued to' and 'Issued by' do not match. If there is one, it is safe to delete that certificate.
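The following PowerShell script is an added example, not part of the original post, that automates the two checks described above on the MP server: it lists any certificate in the local machine Trusted Root store whose subject and issuer differ, and reports whether the SendTrustedIssuerList value is present under the SCHANNEL key. It also greps the IIS logs for 403.16 responses; the log directory path is an assumed default and may need adjusting. The script is read-only and deletes nothing.

```powershell
# Added example (not code from the original post). Run from an elevated
# PowerShell prompt on the management point. Reports only; changes nothing.

# 1. Non-self-signed certificates in the local machine Trusted Root store.
#    Every entry here should have 'Issued to' equal to 'Issued by'.
$suspectRoots = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter

if ($suspectRoots) {
    Write-Warning 'Trusted Root store contains certificates that are not self-signed:'
    $suspectRoots | Format-Table -AutoSize
} else {
    Write-Host 'Trusted Root store: all entries are self-signed (OK).'
}

# 2. SendTrustedIssuerList under the SCHANNEL key. The post notes that the
#    IIS 8.0 default (value absent or set to 0) means no CTL is in use.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$props = Get-ItemProperty -Path $schannelKey -ErrorAction SilentlyContinue
if ($null -eq $props -or $null -eq $props.SendTrustedIssuerList) {
    Write-Warning "SendTrustedIssuerList is not present under $schannelKey (IIS 8.0 default)."
} else {
    Write-Host ('SendTrustedIssuerList = {0}' -f $props.SendTrustedIssuerList)
}

# 3. Recent 403.16 entries in the IIS W3C logs (sc-status 403, sc-substatus 16).
#    Assumed default log location; adjust if IIS logging was relocated.
$iisLogRoot = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'
if (Test-Path $iisLogRoot) {
    $hits = Get-ChildItem -Path $iisLogRoot -Recurse -Filter '*.log' |
        Select-String -Pattern '\s403\s16\s' |
        Select-Object -Last 10
    if ($hits) {
        Write-Warning 'Recent 403.16 (client certificate untrusted or invalid) entries:'
        $hits | ForEach-Object { $_.Line }
    } else {
        Write-Host 'No 403.16 entries found in IIS logs.'
    }
} else {
    Write-Host "IIS log directory $iisLogRoot not found; skipping log check."
}
```

If the first check lists entries, those are the certificates the post says it is safe to remove from Trusted Root; review them before deleting, since the script only reports.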

Vinayak Sharma | Technical Lead | Microsoft GBS Management and Security Division


Comments (8)
  1. Are these DWords, or strings that I am adding to the SCHannel Key???

    Can you be a little more specific please. Thanks

  2. J says:

    I think these should be DWORDS:…/2464556

  3. Anonymous says:

    (This comment has been deleted per user request)

  4. NP says:

    Will this be part of a fix in the next Cumulative Update?  This was a nightmare to troubleshoot.

  5. Anonymous says:

    When you have a management point configured for HTTPS on a Server 2012 platform you may receive the error

  6. RandomGuy says:

    Was this ever fixed? I had this same problem and fixed it with the workaround here. But, for me, this just happened all of a sudden one day. That is what I don't get.

  7. sebus says:

    NO dice, settings are there, but still get 403 on the client in IE. On server I do not see any 403 in Mpcontrol.log

  8. Brad says:

    The detail provided in this post is unacceptably poor. Why bother providing registry information when you don’t even specify what type of key to create, or whether the data you mention is a value or key?
