Here is the beginning text of the error in the event log: "MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 403, Forbidden."
I've been banging my head against the wall for days on this one. We have a primary site server that works fine. SSL is in place and works great in our intranet. We recently spun up a server in the DMZ that's going to eventually be an external management point. However, no matter what I do, I can't get past this error. I've sorted through the IIS logs on both sides and there is no mention of 403. The CCM logs look fine on both sides. I've confirmed that ports are open. We spun up a CDP in the DMZ and reissued certificates. I've installed and uninstalled the role way more than is healthy. I've confirmed that the self-signed certs are deleted out of the trusted roots folder. For 403 errors, is there any other place I can be checking to get more information on what's wrong?
REST OF ERROR TEXT:
Possible cause: Management point encountered an error when connecting to SQL Server.
Solution: Verify that the SQL Server is properly configured to allow Management Point access. Verify that management point computer account or the Management Point Database Connection Account is a member of Management Point Role (msdbrole_MP) in the SQL Server database.
Possible cause: The SQL Server Service Principal Names (SPNs) are not registered correctly in Active Directory
Solution: Ensure SQL Server SPNs are correctly registered. Review Q829868. (It's registered and works fine!)
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which the site is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which the site is configured to use. (SSL cert is there so it can do 443)
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly. (It's not disabled)
Possible cause: The MP ISAPI Application Identity does not have the requisite logon privileges.
Solution: Verify that the account that the MP ISAPI is configured to run under has not been denied batch logon rights through group policy.
For more information, refer to Microsoft Knowledge Base article 838891.