The following are potential issues with Configuration Manager 2007 management point site systems that provide client computers with installation prerequisites, client installation source files, configuration details, advertisements, and software distribution package source file locations. Additionally, management points receive inventory data, software metering information, and status and state messages from clients. If clients cannot access or communicate correctly with a management point, they will be unmanaged.

Regardless of the number of management point site system roles installed on site systems in a site, clients only communicate with the default management point or proxy management point (intranet clients) or their assigned Internet management point (Internet-based clients).

Important
You must download, install, and configure WebDAV manually on management points that are running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.

For additional troubleshooting help, use the Management Point Troubleshooter from the System Center Configuration Manager 2007 Toolkit V2 (http://go.microsoft.com/fwlink/?LinkId=201513). Before you run the Management Point Troubleshooter for a site in native mode, export a certificate with client authentication capability to a file that can be accessed from the computer that runs the Management Point Troubleshooter.

Clients Cannot Access the Default or Assigned Internet-Based Management Point

For successful client computer installation and management, clients must be able to connect to the default or assigned management point computer.

Solution

To verify that a client can access the management point, use the Web browser installed on the client to connect to the management point list address and verify that the list of installed management points for the site is displayed.

Warning
If the site is in native mode, you must install a certificate in the Web browser before you run these commands or the connection will fail as described in the Troubleshooting section An Internet Explorer Error Occurs When Troubleshooting Management Point Communication for Sites Configured to Operate in Native Mode.

  • For mixed mode clients, use the following: http://<ServerName>/sms_mp/.sms_aut?mplist, where <ServerName> is the NetBIOS name for the management point computer.

  • For intranet-based, native mode clients, use the following: https://<ServerName>/sms_mp/.sms_aut?mplist, where <ServerName> is the FQDN for the management point computer if an FQDN is specified in the site system properties or the short name if an FQDN has not been specified.

  • For Internet-based clients, use the following: https://<ServerName>/sms_mp/.sms_aut?mplist, where <ServerName> is the Internet FQDN for the Internet-based management point computer.

    Important
    If a site is configured to use a custom Web site, the custom port must also be used, as in the following example: http://<ServerName>:<port>/sms_mp/.sms_aut?mplist.

Clients Cannot Communicate with the Default or Assigned Internet-Based Management Point

For successful client computer installation and management, Configuration Manager 2007 clients must trust the management point computer. When clients communicate with a management point, the management point certificate is verified by clients to establish the trustworthiness of data sent by the site system to clients.

Note
In mixed mode sites, a management point certificate is created and signed by the site's trusted root key to enable clients to trust the management point site system. In native mode sites, the Web server certificate installed on the management point is signed by a certification authority that is trusted by the clients.

Solution

To verify that a client can view the management point certificate, use the Web browser on the client to verify that the management point certificate information (a long list of numbers and letters) is displayed.

Warning
If the site is in native mode, you must install a certificate in the Web browser before you run these commands or the connection will fail as described in the Troubleshooting section An Internet Explorer Error Occurs When Troubleshooting Management Point Communication for Sites Configured to Operate in Native Mode.

  • For mixed mode clients, use the following: http://<ServerName>/sms_mp/.sms_aut?mpcert, where <ServerName> is the NetBIOS name for the management point computer.

  • For intranet-based, native mode clients, use the following: https://<ServerName>/sms_mp/.sms_aut?mpcert, where <ServerName> is the FQDN for the management point computer if an FQDN has been specified in the site system properties or the short name if an FQDN has not been specified.

  • For Internet-based clients, use the following: https://<ServerName>/sms_mp/.sms_aut?mpcert, where <ServerName> is the Internet FQDN for the Internet-based management point computer.

    Important
    If a site is configured to use a custom Web site, the custom port must also be used, as in the following example: http://<ServerName>:<port>/sms_mp/.sms_aut?mpcert.

An Internet Explorer Error Occurs When Troubleshooting Management Point Communication for Sites Configured to Operate in Native Mode

When troubleshooting native mode management points by using the MPLIST and MPCERT troubleshooting Web addresses, you receive a Microsoft Internet Explorer error similar to the following:

  • Internet Explorer cannot download .sms_aut?/mplist from <management point name>

  • Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later

Solution

Native mode client-to-server communication with a management point requires mutual authentication by using computer PKI certificates. Because Web browsers do not grant access to certificates in the computer store, you must export a computer certificate with the private key from the computer store and import it into the Web browser. This enables the management point to authenticate the Web browser that is using the MPLIST and MPCERT troubleshooting tests.
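The same MPLIST and MPCERT checks can also be scripted. The following is an added example, not part of the original documentation: run from an elevated PowerShell session on the client, it presents the certificate directly from the computer store, so the private key does not have to be exported for the test. The parameter names ($ServerName, $NativeMode, $Port) and function names are chosen for this example.

```powershell
# Added example: run the MPLIST and MPCERT checks from an elevated PowerShell session.
# Parameter and function names are chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,  # NetBIOS name, FQDN or Internet FQDN, per the lists above
    [switch]$NativeMode,                                # HTTPS plus a client certificate
    [int]$Port = 0                                      # custom Web site port; 0 keeps the scheme default
)

function Get-ClientAuthCertificate {
    # Newest valid computer certificate with a private key and the Client Authentication EKU
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-ManagementPointQuery {
    param([string]$BaseUrl, [string]$Query, $Certificate)
    $result = New-Object PSObject -Property @{ Url = "$BaseUrl/sms_mp/.sms_aut?$Query"; Status = $null; Length = 0; Error = $null }
    $request = [System.Net.WebRequest]::Create($result.Url)
    $request.Timeout = 15000
    if ($Certificate) { [void]$request.ClientCertificates.Add($Certificate) }
    try {
        $response = $request.GetResponse()
        $result.Status = [int]$response.StatusCode
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $result.Length = $reader.ReadToEnd().Length   # MPLIST: management point list; MPCERT: certificate string
        $reader.Close(); $response.Close()
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }
    $result
}

$scheme = if ($NativeMode) { 'https' } else { 'http' }
$hostPart = if ($Port -gt 0) { "${ServerName}:$Port" } else { $ServerName }
$cert = $null
if ($NativeMode) {
    $cert = Get-ClientAuthCertificate
    if (-not $cert) { throw 'No valid client authentication certificate with a private key in LocalMachine\My.' }
}
foreach ($query in 'mplist', 'mpcert') {
    Test-ManagementPointQuery -BaseUrl "${scheme}://$hostPart" -Query $query -Certificate $cert
}
```

A result with a status code and a non-zero length corresponds to the browser displaying the management point list or the certificate string; a populated Error field carries the underlying connection or authentication failure.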

The following procedures can be used to import a computer certificate into the client computer Web browser if it is using Microsoft Internet Explorer:

  • Export the client certificate.

  • Import the client certificate into the client computer's Internet Explorer personal certificate store.

To export the native mode client certificate from computers running Windows 7 or Windows Vista

  1. On the native mode client that is running Windows Vista and will be used to test management point communication, log on as a local administrator, click Start, type MMC into the Search box, and then press ENTER.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates, and then click Add.

  4. On the Certificates snap-in page, select Computer account, and then click Next.

  5. On the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. Click OK to close the Add or Remove Snap-ins dialog box.

  7. In the console, double-click Certificates (Local Computer) and then expand Personal.

  8. Right-click the native mode computer certificate, click All Tasks, and then click Export to start the Certificate Export Wizard.

  9. On the Certificate Export Wizard Welcome page, click Next.

  10. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the format that the Web browser requires to run the troubleshooting tests.

  11. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected, and then click Next.

  12. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  13. On the File to Export page, specify the name of the file that you want to export, and then click Next.

  14. Click Finish in the Certificate Export Wizard dialog box to close the wizard.

To export the native mode client certificate from computers running Windows XP Professional or Windows Server 2003

  1. On the native mode client that is running Windows XP Professional or Windows Server 2003 and will be used to test management point communication, log on as a local administrator, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Add.

  4. Select Certificates from Available snap-ins, and then click Add.

  5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  7. In the Add or Remove Snap-ins dialog box, click OK.

  8. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  9. Right-click the native mode computer certificate, click All Tasks, and then click Export to start the Certificate Export Wizard.

  10. In the Certificate Export Wizard, click Next.

  11. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the format that the Web browser requires to run the troubleshooting tests.

  12. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected, and then click Next.

  13. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  14. On the File to Export page, specify the name of the file that you want to export, and then click Next.

  15. Click OK in the Certificate Export Wizard dialog box to close the wizard.

To import the client computer certificate into the Internet Explorer personal Certificate Store

  1. On the native mode client computer that you will use to test management point communication, open a new Internet Explorer browser window.

  2. On the Internet Explorer toolbar, click Tools, click Internet Options, and then click the Content tab.

  3. On the Content tab, click Certificates.

  4. With the Personal tab of the Certificates dialog box selected, click Import.

  5. Click Next on the Certificate Import Wizard Welcome page.

  6. On the File to Import page, click Browse, select the certificate exported in the previous procedure, and then click Next.

    Note
    To display the exported certificate, click the file name extension list and select Personal Information Exchange (*.pfx,*.p12).

  7. Enter the password specified for the certificate when it was exported, and then click Next.

  8. On the Certificate Store page, accept the default location to store the certificate (Personal certificate store), and then click Next.

  9. Click Finish to close the Certificate Import Wizard.

  10. Click OK on the Certificate Import Wizard confirmation dialog box.

  11. Close all open dialog boxes and the Internet Explorer browser window.
