I recently assisted a client with a very specific issue blocking client communication to the Configuration Manager 2012 Management Points.

During my investigation I found no well-ranked article covering it, so here is the issue outline and resolution.

Key error codes:-

  • Client – Failed to receive HTTPS response. (Error at WinHttpReceiveResponse: 12029) Error 0x80072efd
  • Server – (in the IIS site logs) – 2015-05-07 13:28:55 {IP} PROPFIND /CCM_Client – 443 – {IP} ccmsetup – 500 0 64 0 0 (HTTP 500, sub-status 0, Win32 status 64)

Environment:-

  • You have client certificates / HTTPS (PKI) Authentication enabled for the Configuration Manager site and Site Systems.
  • Some, or possibly none, of the clients are able to communicate with the Management Point.
  • The client has a valid Client Certificate (Subject Name, Not Expired, CRL Checking possible, Not revoked, Trusted CA on Client and SCCM)
  • The Management Point has a valid Server Certificate (Subject Name, Not Expired, CRL Checking possible, Not revoked, Trusted CA on Client and SCCM)

Symptoms:-

  • Within any client log you receive Error 0x80072efd / Error at WinHttpReceiveResponse: 12029
  • When accessing the Management Point through Internet Explorer to https://{MP Server FQDN} on the affected clients the connection succeeds without any SSL / Certificate issues
  • When accessing the Management Point through Internet Explorer to https://{MP Server FQDN}/CCM_Client on the affected clients the connection fails and no page is rendered.
  • When looking at the most current IIS log for the Management Point site (by default C:\inetpub\logs\LogFiles\W3SVC{Website ID}\{Logname}) you see that an HTTP 500 code is logged with a Win32 status of 64 (ERROR_NETNAME_DELETED, "The specified network name is no longer available"). For example {IP} PROPFIND /CCM_Client – 443 – {IP} ccmsetup – 500 0 64 0 0
  • When performing advanced tracing you see the full error as The I/O operation has been aborted because of either a thread exit or an application request. (0x800703e3)
  • When accessing the Management Point through Internet Explorer to https://{MP Server FQDN}/CCM_Client on a client which is not affected you are prompted for a client certificate.
  • Within the affected client's Windows registry you find this value populated: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=1

Issue:-

  • SSL / TLS renegotiation has been disabled on the client. This could have been done either manually or as a result of applying the workaround in the following Microsoft KB, which disables renegotiation to mitigate the TLS renegotiation weakness the advisory covers – https://support.microsoft.com/en-us/kb/977377
  • Within the KB you will find the following statement – Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.
  • Client certificates are not required site-wide on the Management Point, so the initial TLS handshake completes without one; this is why https://{MP Server FQDN} loads in Internet Explorer. The /CCM_Client virtual directory does require a valid client certificate, so when the client requests it IIS has to renegotiate the TLS session in order to ask for the certificate.
  • With DisableRenegoOnClient set to 1 the client refuses the renegotiation and drops the connection. IIS is left with an aborted request, which it logs as HTTP 500 with Win32 status 64 (the connection is no longer available) and which advanced tracing shows as 0x800703e3 (The I/O operation has been aborted). The client never receives a response, so ccmsetup reports 12029 / 0x80072efd. An unaffected client (renegotiation allowed) completes the renegotiation, which is why it is prompted for a certificate instead.

Resolution:-

  • Modify the value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient to DWORD=0 (or remove it; renegotiation is allowed by default) on the affected clients, then restart them so Schannel picks up the change.
  • Follow the guidance as outlined in https://support.microsoft.com/en-us/kb/977377. Be aware that simply re-enabling renegotiation gives back the exposure the registry workaround was mitigating; the supported resolution in the KB is to have both client and server on the secure renegotiation (RFC 5746) update rather than relying on the DisableRenego values.
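The following PowerShell script is an added example for triaging and fixing this issue; it is not part of the original post. It checks the DisableRenegoOnClient value on a client, scans IIS W3C log lines for the PROPFIND /CCM_Client 500/64 signature described above, and sets the value back to 0 after exporting the SCHANNEL key for rollback. The IIS log excerpt embedded below is constructed for the demo (the IP addresses are documentation ranges), and the script assumes it is run elevated on the affected client for the registry steps.

```powershell
# Added example, not from the original post. Requires an elevated prompt for the
# registry write. The log lines further down are constructed sample data.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$RegName = 'DisableRenegoOnClient'

function Get-RenegoState {
    # Returns the current DWORD, or $null when the value is absent
    # (absent means client renegotiation is allowed, which is the default).
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

function Find-CcmClientRenegoFailures {
    # Parses IIS W3C log lines using the #Fields header and returns rows that
    # match the signature in this post: PROPFIND /CCM_Client on 443 answered
    # with HTTP 500 and sc-win32-status 64 (ERROR_NETNAME_DELETED).
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-method'] -eq 'PROPFIND' -and
            $row['cs-uri-stem'] -like '/CCM_Client*' -and
            $row['s-port'] -eq '443' -and
            $row['sc-status'] -eq '500' -and
            $row['sc-win32-status'] -eq '64') {
            [pscustomobject]$row
        }
    }
}

function Repair-RenegoOnClient {
    # Exports the SCHANNEL key (so the change can be rolled back) and sets
    # DisableRenegoOnClient to 0. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $backup = Join-Path $env:TEMP ('SCHANNEL-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    if ($PSCmdlet.ShouldProcess("$RegPath\$RegName", 'Set to 0 (allow TLS renegotiation)')) {
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
        Set-ItemProperty -Path $RegPath -Name $RegName -Value 0 -Type DWord
        "Backup written to $backup; reboot the client so Schannel re-reads the value."
    }
}

# --- Demo -------------------------------------------------------------------
# Constructed IIS W3C log excerpt in the default field layout; not real data.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-05-07 13:28:55 192.0.2.10 PROPFIND /CCM_Client - 443 - 198.51.100.23 ccmsetup 500 0 64 0
2015-05-07 13:29:01 192.0.2.10 CCM_POST /ccm_system/request - 443 - 198.51.100.24 ccmhttp 200 0 0 15
2015-05-07 13:29:07 192.0.2.10 PROPFIND /CCM_Client - 443 - 198.51.100.25 ccmsetup 500 0 64 0
'@ -split "`r?`n"

$hits = @(Find-CcmClientRenegoFailures -LogLines $sampleLog)
"Log rows matching the renegotiation-failure signature: $($hits.Count)"
$hits | Format-Table date, time, c-ip, 'cs(User-Agent)', sc-status, sc-win32-status -AutoSize

$state = Get-RenegoState
if ($null -eq $state) {
    "$RegName is not set: client renegotiation is allowed (default)."
} elseif ($state -eq 1) {
    "$RegName = 1: this client refuses TLS renegotiation, so IIS cannot request the client certificate for /CCM_Client."
    Repair-RenegoOnClient -WhatIf   # drop -WhatIf to apply the fix
} else {
    "$RegName = $state: renegotiation is allowed, look elsewhere for the cause."
}
```

Point Find-CcmClientRenegoFailures at `Get-Content` of the live u_ex*.log on the Management Point to confirm the server side of the signature, and run the registry check on the clients that log 0x80072efd; a client that shows the value set to 1 while the MP log shows 500/64 for its IP is the case this post describes.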