You receive the error "The remote server returned an error: (403) Forbidden" when running MCF.exe to test the connector framework in System Center Operations Manager 2007

Article ID: 2461666 - View products that this article applies to.
Expand all | Collapse all

Symptoms

When executing MCF.exe to test the System Center Operations Manager Connector Framework (OMCF) configuration, the following error is returned:

Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at IConnectorFramework.GetGlobalConfiguration()
   at ConsoleApplication1.Program.Main(String[] args) in D:\ConsoleApplication1\Program.cs:line 39
  

Using Internet Explorer to connect to the System Center Operations Manager Connector Framework (OMCF) functions successfully when connecting to the Root Management Server using the following command:

https://RMSFQDN:51905/ConnectorFramework

where "RMSFQDN" is the Fully Qualified Domain Name of your System Center Operations Manager 2007 Root Management Server.

The following event is also logged in the System Event Log on the Root Management Server:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User: SYSTEM
Computer: COMPUTERNAME
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

Cause

The list of Trusted Root Certificate Authorities is too large and as a result the list is truncated and the required Trusted Root Certificate Authority is not recognized.

Resolution

To resolve this issue, remove some entries from the Trusted Root Certificate Authorities listing by following the steps below:

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  4. Click Computer account, click Next, and then click Finish.
  5. Click Close, and then click OK.
  6. Under Console Root in the Microsoft Management Console (MMC) snap-in, expand Certificates (Local Computer), expand Trusted Root Certificate Authorities, and then click Certificates.
  7. Delete trusted root certificates that you do not need to have.  To do this, right-click a certificate, click Delete, and then click Yes to confirm the removal of the certificate.

The following article shows which certificates are required by Windows.  Do not remove any of these certificates.

KB293781: Trusted root certificates that are required by Windows Server 2008 R2, by Windows 7, by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;293781).

Once this list is trimmed, executing MCF.exe <RMSFQDN> <certificate> should return a message similar to the following:

Successfully Connected to MCF. Here is the Global Configuration:
Name=<certificate name>, Guid=<GUID>

More Information

The following Knowledge Base article outlines how to configure System Center Operations Manager Connector Framework to use SSL.

KB957562: How to configure the Operations Manager Connector Framework to use Security Sockets Layer (SSL) functionality in System Center Operations Manager 2007 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;957562).

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2461666 - Last Review: November 11, 2010 - Revision: 1.0
APPLIES TO
  • Microsoft System Center Operations Manager 2007
  • Microsoft System Center Operations Manager 2007 R2
  • Microsoft System Center Operations Manager 2007 Service Pack 1
Keywords: 
KB2461666

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com