When using HTTPS, the servername and SANs used to create the certificate should be used.
Also, when browsing to the HTTPS URL, the browser session (in IE or whatever browser is being used) needs to have a Client Authentication certificate assigned to it. Let me explain...

When an IBCM client connects to the site systems in the DMZ, this is happening under the local system account of the OS - which has access to the Client Authentication certificate and is able to present it to the site system during the mutual authentication process, e.g. the IBCM client authenticates the site system using the site system's Server Authentication certificate, and the site system authenticates the IBCM client using the client's Client Authentication certificate.

Well, when you (Brian) attempt to do the same by browsing to https://server/SMS_mp/.sms_aut?mplist, you're doing so NOT by the local system account of the operating system of the computer you're browsing from, but under your own account used to log on to the computer. When you do that, your account (used to open the browser) does not have access to the Client Authentication certificate in the local computer's certificate store. The Client Authentication cert was imported into the Certificate computer store (e.g. Local system) during the PKI enrollment process...however that's being accomplished.

So when you browse to the URL, the site system presents the browser (e.g. you) its Server Authentication certificate...but your browser session (e.g. you) does not have a Client Authentication certificate to present to the site system server...and hence, you're denied access to the page with a 403.7 Forbidden error. The key to the error message below is in the bolded-underlined parts of the error below.

The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
To get around this, you need to create or enroll with your PKI to have a Client Authentication cert created for yourself and then imported into the User certificate store on the computer you're browsing from. Then you should be able to browse to the HTTPS URL...

On Mar 27, 2014, at 11:04 PM, "Brian McDonald" <[email protected]> wrote:

Basically when I change the MP setting to HTTPS it stops working. If configured with HTTP all errors go away. Hmmm...

Brian

On Mar 27, 2014, at 5:21 PM, "Brian McDonald" <[email protected]> wrote:

I have just installed a MP in my DMZ and have a few errors in the MPcontrol.log I'm troubleshooting. If I browse to https://server/sms_mp/.sms_aut?/mplist or http://server/sms_mp/.sms_aut?mpcert from my browser I'm getting an HTTP Error 403.7 Forbidden error.

The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

The MPcontrol.log states the following:

Failed to retrieve client certificate. Error -2147467259 SMS_MP_CONTROL_MANAGER 3/27/2014 4:44:40 PM 244 (0x00F4)
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code. SMS_MP_CONTROL_MANAGER 3/27/2014 4:44:40 PM 244 (0x00F4)
Http test request failed, error code is -2147467259. SMS_MP_CONTROL_MANAGER 3/27/2014 4:54:40 PM 244 (0x00F4)

This is an IBCM MP/DP that has the following certs installed: ConfigMgr Client Cert, ConfigMgr Web Cert and ConfigMgr DP Cert. I have attempted to restart the SMS Executive Service on the MP. I have also restarted the IIS service. Any input would be greatly appreciated.

Thanks,
Brian
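The store difference described in the reply above can be checked directly. The following is an added example, not part of the original thread: a PowerShell sketch that lists certificates carrying the Client Authentication EKU in the computer store and in the logged-on user's store. The function name Get-ClientAuthCertificate is hypothetical, and only certificates with an explicit EKU extension are reported.

```powershell
# Added illustration, not from the thread: compare the computer and user
# "Personal" stores for certificates usable for TLS client authentication.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)

function Get-ClientAuthCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$StorePath             # e.g. Cert:\LocalMachine\My
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }    # assumption: skip certs with no explicit EKU
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $ClientAuthOid) { continue }

        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer          # must chain to a CA the web server trusts
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey   # required to present the cert in a handshake
            Thumbprint    = $cert.Thumbprint
        }
    }
}

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$found  = foreach ($s in $stores) { Get-ClientAuthCertificate -StorePath $s }
$found | Format-Table -AutoSize

# Flag any store that has no candidate certificate at all.
foreach ($s in $stores) {
    if (-not ($found | Where-Object Store -eq $s)) {
        Write-Warning "No Client Authentication certificate in $s"
    }
}
```

A warning for Cert:\CurrentUser\My while Cert:\LocalMachine\My lists the ConfigMgr client certificate corresponds to the situation the reply describes: the computer account can present a certificate, the browsing user cannot.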

