CEM client fails to communicate with the SMP server



Article ID: 377693


Updated On:

Products

IT Management Suite

Issue/Introduction

CEM client fails to communicate with the SMP server.

IIS logs may contain 403;7 (client certificate required) or 403;16 (client certificate untrusted or invalid) status codes.

In some situations the connection succeeds when TLS is downgraded from 1.3 to 1.2.

Environment

ITMS 8.7

Cause

In some setups, the server denies the connection during the TLS handshake because the client certificate is missing. The server only requests the client certificate when client certificate negotiation is enabled on the HTTP.sys binding; otherwise it relies on a later renegotiation, which TLS 1.3 does not support, which explains why downgrading to TLS 1.2 can appear to fix the problem.

Resolution

It might be necessary to enable client certificate negotiation for HTTP.sys on the CEM binding.

Review the current configuration by running the following command in an elevated command prompt:

netsh http show sslcert

Now find the corresponding CEM binding (default port 4726):

    IP:port                      : 0.0.0.0:4726
    Certificate Hash             : 3d09a06b551614acdf69e3a9987ee83a206970d4
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Enable Token Binding         : Not Set
    Log Extended Events          : Not Set
    Disable Legacy TLS Versions  : Not Set
Enable it with:

netsh http update sslcert ipport=0.0.0.0:4726 certhash=***a06b551614acdf69e3a9987ee83a206970d4 appid={******-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable

Replace certhash and appid with the values obtained from the output of the previous step (the hash and application ID of the CEM binding).
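The check-and-fix procedure above, as an added PowerShell example that is not part of the article: it parses the output of netsh http show sslcert, reports whether client certificate negotiation is enabled on the CEM binding, and builds the same netsh update command with the hash and application ID read from that binding. The port and the ClientAuthIssuer store name are assumed defaults taken from the article; nothing is changed unless -Apply is given.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell prompt on the SMP server.
# Assumptions: CEM listens on 4726 and the CTL store is ClientAuthIssuer, as in the article.
param(
    [int]$Port = 4726,
    [string]$CtlStoreName = 'ClientAuthIssuer',
    [switch]$Apply   # without -Apply the script only reports and prints the command
)

# Turn the text output of "netsh http show sslcert" into one hashtable per binding.
function Get-HttpSysSslBindings {
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        # A new binding starts with IP:port, Hostname:port (SNI) or Central Certificate Store.
        if ($line -match '^\s*(IP:port|Hostname:port|Central Certificate Store)\s*:\s*(.+)$') {
            $current = @{ Binding = $Matches[2].Trim() }
            $bindings += $current
        }
        elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $bindings
}

$cem = Get-HttpSysSslBindings | Where-Object { $_.Binding -like "*:$Port" } | Select-Object -First 1
if (-not $cem) { throw "No HTTP.sys SSL binding found for port $Port" }

"Binding                     : $($cem.Binding)"
"Negotiate Client Certificate: $($cem['Negotiate Client Certificate'])"

if ($cem['Negotiate Client Certificate'] -eq 'Enabled') {
    'Client certificate negotiation is already enabled; nothing to do.'
    return
}

# Same command the article shows, built from the values read off the binding.
$netshArgs = @(
    'http', 'update', 'sslcert',
    "ipport=$($cem.Binding)",
    "certhash=$($cem['Certificate Hash'])",
    "appid=$($cem['Application ID'])",
    "sslctlstorename=$CtlStoreName",
    'clientcertnegotiation=enable'
)
"Command: netsh $($netshArgs -join ' ')"
if ($Apply) { & netsh @netshArgs }
```

Re-run the script without -Apply after enabling (and after any certificate replacement) to confirm the binding still shows Negotiate Client Certificate : Enabled.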

Reference, NETSH HTTP syntax: https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http

Note that replacing the SSL certificate on the binding may revert this change, in which case the steps above must be repeated to re-enable client certificate negotiation.