New KB: You receive the error "The remote server returned an error: (403) Forbidden" when running MCF.exe to test the connector framework in System Center Operations Manager 2007

When executing MCF.exe to test the System Center Operations Manager Connector Framework (OMCF) configuration, the following error is returned:

Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at IConnectorFramework.GetGlobalConfiguration()
at ConsoleApplication1.Program.Main(String[] args) in D:\ConsoleApplication1\Program.cs:line 39

Connecting to the System Center Operations Manager Connector Framework (OMCF) on the Root Management Server with Internet Explorer succeeds when the following URL is used:

https://RMSFQDN:51905/ConnectorFramework

where "RMSFQDN" is the Fully Qualified Domain Name of your System Center Operations Manager 2007 Root Management Server.

The following event is also logged in the System Event Log on the Root Management Server:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User: SYSTEM
Computer: COMPUTERNAME
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Cause

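The list of Trusted Root Certificate Authorities on the Root Management Server is too large. As a result, the list that the server sends to the client when it asks for client authentication is truncated, and the required Trusted Root Certificate Authority is not recognized.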

Resolution

To resolve this issue, remove some entries from the Trusted Root Certificate Authorities listing by following the steps below:

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  4. Click Computer account, click Next, and then click Finish.
  5. Click Close, and then click OK.
  6. Under Console Root in the Microsoft Management Console (MMC) snap-in, expand Certificates (Local Computer), expand Trusted Root Certificate Authorities, and then click Certificates.
  7. Delete trusted root certificates that you do not need to have. To do this, right-click a certificate, click Delete, and then click Yes to confirm the removal of the certificate.

The following article shows which certificates are required by Windows. Do not remove any of these certificates.

KB293781: Trusted root certificates that are required by Windows Server 2008 R2, by Windows 7, by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000 (https://support.microsoft.com/default.aspx?scid=kb;EN-US;293781).
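
A read-only way to prepare for the review in steps 6 and 7, as an added example that is not part of the KB article: it checks the System log for the Schannel 36885 warning and lists every certificate in the local computer's Trusted Root store with the size of its encoded subject name, which is what each root contributes to the list sent to clients. The CSV file name is an assumption, and Get-WinEvent requires Windows Server 2008 or later.

```powershell
# Added example: read-only inventory of the machine's Trusted Root store.
# Nothing is deleted here; removal stays a manual decision checked against KB293781.

# 1. Has Schannel logged the truncation warning (Event ID 36885) on this server?
#    The provider name is taken from the "Event Source" field of the event above.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36885
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize
} else {
    Write-Output 'No Schannel 36885 events found in the System log.'
}

# 2. Inventory the store that steps 6 and 7 edit (Local Computer, Trusted Root).
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

$report = $roots | ForEach-Object {
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        # Informational only: KB293781 decides what must stay, not the expiry date.
        Expired    = ($_.NotAfter -lt (Get-Date))
        # Size of the DER-encoded subject name, i.e. this root's share of the
        # trusted CA list the server sends when it asks for a client certificate.
        DnBytes    = $_.SubjectName.RawData.Length
    }
}

$totalDnBytes = ($report | Measure-Object -Property DnBytes -Sum).Sum
Write-Output ("Trusted roots: {0}; encoded subject names total {1} bytes" -f `
    $roots.Count, $totalDnBytes)

# 3. Largest contributors first, for review on screen.
$report | Sort-Object DnBytes -Descending |
    Select-Object DnBytes, Expired, NotAfter, Thumbprint, Subject |
    Format-Table -AutoSize

# 4. Keep a copy of the pre-change state (output path is an assumption).
$report | Select-Object Subject, Thumbprint, NotAfter, Expired, DnBytes |
    Export-Csv -Path .\trusted-roots-before.csv -NoTypeInformation
```

Running it again after trimming the store shows how far the count and total size dropped, and the saved CSV records which roots were present beforehand.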

Once this list is trimmed, executing MCF.exe <RMSFQDN> <certificate> should return a message similar to the following:

Successfully Connected to MCF. Here is the Global Configuration:
Name=<certificate name>, Guid=<GUID>

More Information

The following Knowledge Base article outlines how to configure System Center Operations Manager Connector Framework to use SSL.

KB957562: How to configure the Operations Manager Connector Framework to use Security Sockets Layer (SSL) functionality in System Center Operations Manager 2007 (https://support.microsoft.com/default.aspx?scid=kb;EN-US;957562).

=====

For the latest version of this article see the link below:

KB2461666 - You receive the error "The remote server returned an error: (403) Forbidden" when running MCF.exe to test the connector framework in System Center Operations Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer
