5436 errors for my MP
Heaton, Joseph@Wildlife
Starting Saturday, the 7th, we’ve been getting 5436 messages for the SMS_MP_CONTROL_MANAGER component. I spoke with our DBA, and he didn’t make any changes to SQL. I verified that the account used for MP has the highest of access to SQL, so don’t think that’s the issue. When I try to browse to: http://server/sms_mp/.sms_aut?mplist or mpcert, I get a 403.4 error, Forbidden. The error states that the requested website requires SSL. If I change to https:// I do get results. But, I’m thinking that’s wrong? I do have the MP configuration setup to use HTTPS. If I look at SSL settings for SMS_MP and all the components starting with SMS_MP, they all require SSL.
Is this an incorrect configuration? I know we didn’t change anything in here last Friday, and the errors started Saturday. And, none of my clients are downloading this month’s patching, and ccmcache shows that 1/6 is the last time anything made it to ccmcache.
The components that are showing as Critical are:
SMS_Distribution_Manager – with all the power outages from the storm, there have been multiple DPs around the state that were down, and are back. I see no other error messages here.
SMS_MP_CONTROL_MANANGER – Which I spoke of above.
SMS_PACKAGE_TRANSFER_MANAGER – Again, with the power outages, it has failed to update specific packages on specific DPs, then later succeeds, so nothing of concern here.
Again, we didn’t change anything, at least that anyone is admitting to, in the recent past. We’re not sure why these errors started Saturday, and why client machines are no longer receiving anything in ccmcache. Any help/advice/tips would be appreciated, as I continue digging through Google. And, if anyone else has gone to HTTPS on the MP configuration, I would greatly appreciate if you could share what your IIS SSL settings are for the SMS_MP components.
Thanks,
Joe Heaton
Managed Services and Operational Support Unit
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA 95811
Desk: 916-919-5816
Heaton, Joseph@Wildlife
I’ve uninstalled/reinstalled the MP role, with no success. Looking in the MPControl.log file, I see this:
>>> Selected Certificate [Thumbprint blahblablah] issued to 'Server' for HTTPS Client Authentication
Then, the very next line:
Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
So, I’m assuming that the certificate the MP has selected has some kind of issue? Looking up at the list of validations, it validated several certificates, but for some reason chose this one. Is there a way to force it to use a different cert, in order to test if it is this specific cert that is causing the issue?
We also had a power incident in our datacenter, and our TR location, so ended up losing a few VM guests, one of which was the server that issued the certificate that the MP is selecting. Could that cause this issue, as that server is still offline? It looks like it could be powered on, so I can ask the Infrastructure team to bring it online.
From: ntsyste...@googlegroups.com <ntsyste...@googlegroups.com>
On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, January 12, 2023 10:12 AM
To: ntsyste...@googlegroups.com
Subject: [ntsystemcenter] 5436 errors for my MP
WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments.
--
You received this message because you are subscribed to the Google Groups "ntsystemcenter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsystemcente...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ntsystemcenter/SJ0PR09MB66860C86D2D043761DBC7CC4AAFD9%40SJ0PR09MB6686.namprd09.prod.outlook.com.