Customer running a Windows 2012 SMP server could not get CEM agent to connect.  The agent would fail with the following errors:

Attempted CEM nsagent certificate negotiation failed.

HTTP status 403: The client does not have sufficient access rights (0X8FA10193)

Attempted CEM nsagent certificate negotiation failed.  

HTTP status 403: The client does not have sufficient access rights (0X8FA10193)

Windows Server 2012

IT Management Suite (ITMS) 8.0 HF3 and 8.1 RU2

https://technet.microsoft.com/en-us/library/hh831771(v=ws.11).aspx explains changes that were made to how Windows 2012 works with certificates.   Under the "What works differently" section of the article they added a client authentication issuers store.  On this machine we looked in the Client Authentication Issuers store and noticed that the agent CA was missing.

The agent CA was located in the trusted root certificate store so we exported it with the private key and imported it into the Client Authentication Issuers store and resolved the problem. 

Another possible solution to this issue is adding the SCHANNEL registry keys to the notification server as outlined in:

https://support.symantec.com/en_US/article.TECH227194.html

If you are experiencing this problem in 8.1 Release Update (RU) 2 version, upgrade to RU3 using DOC10605.