A short note to self. After switching the SCCM 2012 R2 sites to HTTPS to support Mac OS X clients, the Application Catalog broke and started returning "Cannot connect to the application server".
Anyone in the know will say you need to reinstall both roles with the switch to HTTPS, check SMSPORTALWEBSetup.log and SMSAWEBSVCSetup.log, run %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable, and restart IIS with iisreset, but no, that didn't help and there was nothing interesting in the logs.
What helped were the IIS logs for CMApplicationCatalog (Program Files\SMS_CCM\CMApplicationCatalog\Logs), specifically ServicePortalWebSite.log, in which I came across these lines:
ValidateServerCert — cannot find certificate ******* in trusted people store
Could not establish trust relationship for the SSL/TLS secure channel with authority ‘sccm.***.ru’
Check the bindings: netsh http show sslcert
[plain]
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : ***
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8172
Certificate Hash : ****
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 192.168.1.3:443
Certificate Hash : ***
Application ID : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : [::]:443
Certificate Hash : ***
Application ID : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
[/plain]
We have two entries: IP:port : 0.0.0.0:443 and IP:port : [::]:443
Delete: netsh http delete sslcert ipport=[::]:443
And check again: netsh http show sslcert
[plain]
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : d449d2e2bd0497ea5de44d640c4e5e33cb452697
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
[/plain]
After that, the Application Catalog came back to life.
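
The check done by eye above can be scripted. This is an added example, not part of the original note: it parses `netsh http show sslcert` text and lists every port that carries more than one binding, so the certificate hash and store of each can be compared. It assumes English-language netsh output; `ConvertFrom-NetshSslCert` is a hypothetical helper name, and the sample text and its hashes are constructed placeholders.

```powershell
# Constructed sample of English-language "netsh http show sslcert" output;
# the hashes are placeholders, not values from the post.
$sample = @'
SSL Certificate bindings:
    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 1111111111111111111111111111111111111111
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
    IP:port                 : 0.0.0.0:8172
    Certificate Hash        : 2222222222222222222222222222222222222222
    Application ID          : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name  : MY
    IP:port                 : [::]:443
    Certificate Hash        : 3333333333333333333333333333333333333333
    Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
    Certificate Store Name  : (null)
'@

# Hypothetical helper: turns the "key : value" text into one object per binding.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $binding = $null
    foreach ($line in $Lines) {
        # Split on the first " : " only; values such as [::]:443 contain colons.
        if ($line -notmatch '^\s*(.+?)\s+:\s+(.*)$') { continue }
        $key = $Matches[1]; $value = $Matches[2].Trim()
        if ($key -eq 'IP:port') {
            if ($binding) { New-Object psobject -Property $binding }
            $binding = [ordered]@{ IpPort = $value; Port = [int]($value -replace '^.*:', '') }
        } elseif ($binding) {
            switch ($key) {
                'Certificate Hash'       { $binding.Hash  = $value }
                'Application ID'         { $binding.AppId = $value }
                'Certificate Store Name' { $binding.Store = $value }
            }
        }
    }
    if ($binding) { New-Object psobject -Property $binding }
}

$lines = $sample -split "`r?`n"   # on a live server: $lines = netsh http show sslcert
ConvertFrom-NetshSslCert -Lines $lines |
    Group-Object Port | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Port         = $_.Name
            Endpoints    = $_.Group.IpPort -join ', '
            HashesDiffer = @($_.Group.Hash | Sort-Object -Unique).Count -gt 1
            NullStore    = ($_.Group | Where-Object { $_.Store -eq '(null)' }).IpPort -join ', '
        }
    }
```

With the sample above, only port 443 is reported; port 8172 has a single binding and is skipped.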