The CEM client fails to communicate with the SMP server over TLS 1.3. If TLS is downgraded to 1.2, the client establishes the connection successfully.
ITMS 8.7
In some setups, the server rejects the connection during the TLS handshake because the client certificate is missing.
IIS logs a 403.7 error (Forbidden: Client certificate required).
It may be necessary to enable client certificate negotiation on the HTTP.sys SSL binding.
Review the current configuration by running the following command in an elevated command prompt: NETSH HTTP SHOW SSLCERT
Now find the corresponding CEM binding (default port 4726):
IP:port : 0.0.0.0:4726
Certificate Hash : 3d09a06b551614acdf69e3a9987ee83a206970d4
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Enable Token Binding : Not Set
Log Extended Events : Not Set
Disable Legacy TLS Versions : Not Set
Enable it with:
netsh http update sslcert ipport=0.0.0.0:4726 certhash=***a06b551614acdf69e3a9987ee83a206970d4 appid={******-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable
Replace certhash and appid with the values obtained in the previous step.
Reference: NETSH HTTP syntax - https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http
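As an added example (not from the article or Broadcom's tooling), the PowerShell script below performs the lookup described above: it parses the NETSH output, picks the binding on the CEM port, reports if negotiation is already enabled, and otherwise builds the same update command with certhash and appid read from the binding itself, re-reading the binding afterwards to confirm the change. Port 4726 and the ClientAuthIssuer store name are taken from the article; everything else in the script is an assumption of this example.

```powershell
# Added example, not part of the KB article: read the HTTP.sys SSL bindings,
# find the CEM binding (port 4726 assumed as the default), and build the
# netsh command that enables client certificate negotiation for it.
param(
    [int]$Port = 4726,
    [string]$CtlStoreName = 'ClientAuthIssuer',  # store name used in the article
    [switch]$Apply                               # without -Apply only show the command
)

# Parse "netsh http show sslcert" into one hashtable per IP:port binding
# (Hostname:port bindings are not handled; assumption for this example).
function Get-HttpSslBinding {
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($null -ne $current) { $bindings += $current }
            $current = @{ 'IP:port' = $Matches[1] }
        }
        elseif ($null -ne $current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $bindings += $current }
    return $bindings
}

$binding = Get-HttpSslBinding | Where-Object { $_['IP:port'] -like "*:$Port" } | Select-Object -First 1
if ($null -eq $binding) { throw "No HTTP.sys SSL binding found on port $Port." }

if ($binding['Negotiate Client Certificate'] -eq 'Enabled') {
    Write-Host "Client certificate negotiation is already enabled for $($binding['IP:port'])."
    return
}

# Same command as in the article, with certhash and appid taken from the binding itself.
$cmd = "netsh http update sslcert ipport=$($binding['IP:port']) " +
       "certhash=$($binding['Certificate Hash']) " +
       "appid=$($binding['Application ID']) " +
       "sslctlstorename=$CtlStoreName clientcertnegotiation=enable"
if (-not $Apply) {
    Write-Host "Run the following from an elevated prompt (or re-run with -Apply):`n$cmd"
    return
}

Invoke-Expression $cmd
# Re-read the binding to confirm the change actually took effect.
$after = Get-HttpSslBinding | Where-Object { $_['IP:port'] -eq $binding['IP:port'] } | Select-Object -First 1
Write-Host "Negotiate Client Certificate is now: $($after['Negotiate Client Certificate'])"
```

Run it from an elevated PowerShell prompt; without -Apply it only prints the command so it can be reviewed before the binding is changed.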