New KB: You receive the error "The remote server returned an error: (403) Forbidden" when running MCF.exe to test the connector framework in System Center Operations Manager 2007


When executing MCF.exe to test the System Center Operations Manager Connector Framework (OMCF) configuration, the following error is returned:

Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at IConnectorFramework.GetGlobalConfiguration()
   at ConsoleApplication1.Program.Main(String[] args) in D:\ConsoleApplication1\Program.cs:line 39

Connecting to the System Center Operations Manager Connector Framework (OMCF) with Internet Explorer succeeds when you browse to the following URL on the Root Management Server:

https://RMSFQDN:51905/ConnectorFramework

where "RMSFQDN" is the Fully Qualified Domain Name of your System Center Operations Manager 2007 Root Management Server.

The following event is also logged in the System Event Log on the Root Management Server:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User: SYSTEM
Computer: COMPUTERNAME
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Cause

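The list of Trusted Root Certification Authorities on the Root Management Server is too large. Schannel therefore truncates the list it sends to the client when asking for client authentication, and the Trusted Root Certification Authority that the client needs to see is not recognized.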

Resolution

To resolve this issue, remove some entries from the Trusted Root Certification Authorities store by following the steps below:

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  4. Click Computer account, click Next, and then click Finish.
  5. Click Close, and then click OK.
  6. Under Console Root in the Microsoft Management Console (MMC) snap-in, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  7. Delete trusted root certificates that you do not need to have. To do this, right-click a certificate, click Delete, and then click Yes to confirm the removal of the certificate.

The following article shows which certificates are required by Windows.  Do not remove any of these certificates.

KB293781: Trusted root certificates that are required by Windows Server 2008 R2, by Windows 7, by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;293781).
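Before deleting anything in step 7, it helps to measure how large the issuer list actually is and which entries contribute most. The PowerShell below is an added example, not part of the original KB article: it estimates the size of the trusted-issuer list built from the Local Computer root store and lists the entries for review. The `$LimitBytes` default is an assumption that is not stated on this page, and the script deletes nothing.

```powershell
# Added example (not from the KB article): estimate the size of the list of
# trusted CAs that Schannel sends when it asks for a client certificate.
param(
    # Assumed threshold in bytes; not stated on this page. Adjust for your OS.
    [int]$LimitBytes = 12228
)

# Same store as "Certificates (Local Computer)" > Trusted Root in the MMC snap-in.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# In the TLS CertificateRequest message each CA is sent as its DER-encoded
# subject name plus a 2-byte length prefix. Count each distinct name once.
$issuers = @($roots |
    Group-Object -Property { [Convert]::ToBase64String($_.SubjectName.RawData) } |
    ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Subject    = $first.Subject
            Bytes      = $first.SubjectName.RawData.Length + 2
            Copies     = $_.Count
            # True only when every certificate with this subject has expired.
            AllExpired = -not ($_.Group | Where-Object { $_.NotAfter -gt (Get-Date) })
        }
    })

$total = ($issuers | Measure-Object -Property Bytes -Sum).Sum

"{0} certificates, {1} distinct subject names, about {2} bytes (assumed limit {3})" -f `
    $roots.Count, $issuers.Count, $total, $LimitBytes

if ($total -gt $LimitBytes) {
    Write-Warning "Estimated issuer list exceeds the assumed limit; truncation (Schannel event 36885) is likely."
}

# Review list only. Check every candidate against KB293781 before deleting it
# in the MMC snap-in; an expired certificate is not automatically safe to remove.
$issuers |
    Sort-Object -Property Bytes -Descending |
    Format-Table -Property Subject, Bytes, Copies, AllExpired -AutoSize
```

Run it on the Root Management Server before and after trimming the store to confirm that the estimated size has dropped.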

Once this list is trimmed, executing MCF.exe <RMSFQDN> <certificate> should return a message similar to the following:

Successfully Connected to MCF. Here is the Global Configuration:
Name=<certificate name>, Guid=<GUID>

More Information

The following Knowledge Base article outlines how to configure System Center Operations Manager Connector Framework to use SSL.

KB957562: How to configure the Operations Manager Connector Framework to use Security Sockets Layer (SSL) functionality in System Center Operations Manager 2007 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;957562).

=====

For the latest version of this article see the link below:

KB2461666 – You receive the error "The remote server returned an error: (403) Forbidden" when running MCF.exe to test the connector framework in System Center Operations Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer

