Management Point Root CA Trust Issue (HTTP 403)

I was setting up a Configuration Manager environment in HTTPS mode and I was running into issues with the server selecting a client authentication certificate.

I was seeing these messages in the MPControl.log.

I was seeing this message in the IIS log.

I was getting error 2148204809 (0x800B0109, CERT_E_UNTRUSTEDROOT), which translates to "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." That told me something was wrong with the root CA trust. Some searching online brought up a few useful posts on the subject.

https://support.microsoft.com/en-us/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requ

https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue

It turned out that the environment had a group policy that was installing Intermediate CA certificates into the Trusted Root CA store. So the solution was to move the intermediate certificates out of the root store and into the intermediate store.

This PowerShell command can be used to find the problem certificates on the server.

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

This command can be used to move the problem certificates out of the Trusted Root CA store and into the Intermediate CA store.

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA
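The one-liners above do the job, but before moving anything on a production server it helps to see exactly which certificates are affected and to confirm that chain building actually fails and then succeeds. The script below is an added example written for this page, not code from the original post or from Microsoft. It uses the same Subject/Issuer heuristic as the KB article (a root CA certificate is self-signed, so anything in the Root store whose Issuer differs from its Subject does not belong there) and checks the chain of every certificate in the local machine's Personal store with the .NET X509Chain class, which reports the same condition as the UntrustedRoot status flag. It assumes the standard LocalMachine stores and an elevated session; without the -Fix switch it only reports. Note that Move-Item on the Cert: provider needs PowerShell 3.0 or later, and that if a group policy is what placed the intermediates in the Root store, the policy itself has to be corrected as well or the certificates will come back on the next policy refresh.

```powershell
# Added example, not from the original post. Assumes standard LocalMachine stores
# and an elevated PowerShell 3.0+ session. Run with -Fix to actually move certs.
param(
    [switch]$Fix
)

$rootStore = 'Cert:\LocalMachine\Root'
$caStore   = 'Cert:\LocalMachine\CA'
$myStore   = 'Cert:\LocalMachine\My'

# A root CA certificate is self-signed, so Subject and Issuer are identical.
# Anything in the Root store where they differ is an intermediate (or leaf)
# that was placed there by mistake and causes CERT_E_UNTRUSTEDROOT (0x800B0109)
# when Schannel/IIS builds a chain through it.
function Get-MisplacedRootCert {
    Get-ChildItem $rootStore | Where-Object { $_.Issuer -ne $_.Subject }
}

# Build the chain for one certificate and summarise the result.
# Revocation checking is disabled so that CRL/OCSP reachability does not
# mask the trust problem we are isolating.
function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($Cert)

    [pscustomobject]@{
        Subject = $Cert.Subject
        Valid   = $valid
        # e.g. "UntrustedRoot" when an intermediate sits in the Root store
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        # leaf first, root last
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

function Show-ChainStatus {
    param([string]$Label)
    Write-Host "Chain status for certificates in $myStore ($Label):"
    Get-ChildItem $myStore | ForEach-Object { Test-CertChain $_ } | Format-Table -AutoSize
}

$misplaced = @(Get-MisplacedRootCert)
if ($misplaced.Count -eq 0) {
    Write-Host "No non-self-signed certificates found in $rootStore."
} else {
    Write-Host "Non-self-signed certificates found in ${rootStore}:"
    $misplaced | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize
}

Show-ChainStatus -Label 'before'

if ($Fix -and $misplaced.Count -gt 0) {
    # Move-Item on the Certificate provider (PowerShell 3.0+) relocates the
    # certificate into the Intermediate Certification Authorities store.
    $misplaced | Move-Item -Destination $caStore -Verbose
    Show-ChainStatus -Label 'after'
} elseif ($misplaced.Count -gt 0) {
    Write-Host "Re-run with -Fix to move these certificates to $caStore."
}
```

Run it once without -Fix to review the list and the "before" chain status; certificates whose chain runs through a misplaced intermediate show Valid = False with UntrustedRoot in the Status column. After -Fix the same certificates should show Valid = True, at which point IIS should stop returning 403.16 for client certificate requests.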