SCCM – IIS Error code 403 13 2148081683

Problem:

If you see the following error in your IIS Logs (C:\inetpub\logs\LogFiles\W3SVC1), it’s possible that the CRL of your Certificate Authority isn’t reachable or valid anymore:

<IP Address> GET /SMS_MP/.sms_aut MPLIST 443 – <IP Address> SMS_MP_CONTROL_MANAGER – 403 13 2148081683 5701 18

Solution:

Export a certificate from your personal certificate store, for example, an SCCM Client Certificate to your C: drive. Open a command prompt with elevated rights and type:

certutil -url “C:\Certificate.cer”

Check if the CRL can be verified. Open the CRL manually and check that the BASE and DELTA CRL’s aren’t expired. In this case, the AD CS service wasn’t started and the Delta CRL’s were not up-to-date. The service may have been crashed because the startup type was set to “Automatic”.

SCCM – SMSPXE.log shows Untrusted certificate

Recently I found the following error in the SMSPXE.log log file on my newly created distribution point:

CryptVerifySignature failed, 80090006 SMSPXE <REMOVED TIME> 2500 (0x09C4)
untrusted certificate: <REMOVED CERTIFICATE> SMSPXE <REMOVED TIME> 2500 (0x09C4)
Failed to get information for MP: https://SCCMPRIMARY.DOMAIN.TLD. 80090006. SMSPXE <REMOVED TIME> 2500 (0x09C4)

After recreating my certificate template for the IIS Service on the primary site server, it fixed the problem. Check the online documentation of SCCM for the details of this certificate template.