LorinDavis-2849 asked NickHogarth-MVP commented

Failed to connect to the CMG service

Hi,

We have deployed the CMG service from a standalone primary site server, version SCCM 1910, with the required server authentication certificate from our internal PKI. We have not uploaded a client trusted root certificate, as the clients are Azure AD authenticated.

Under "Certificates uploaded to the cloud service" we have not enabled client certificate revocation, as we have not published our CRL externally. The CMG service provisioning is also completed and the CMG service is in the Ready state. The CMG service name is also added to our DNS.

However, the connection analyzer resulted in "Failed to connect to CMG service". Smsadminui.log has the error "Authentication failed because the remote party has closed the transport stream".

Please guide us on this error. The certificate end looks fine; not sure what is missing. Also, we have not yet installed the CMG connection point due to this authentication error. Do you suggest going ahead and installing the connection point role and then running the connection analyzer?

mem-cm-co-management
1 Answer

NickHogarth-MVP answered NickHogarth-MVP commented

I don't think this is related to the error, but do the clients have a trusted root certificate to trust the internal PKI cert that you used for the CMG? See https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_cmgroot

Yes, you should install the CMG connection point. Is your Management Point using HTTPS or E-HTTP?

Yes, the clients have a trusted root to the internal PKI used for CMG.

Thank you, I have installed the CMG connection point. The MP is installed using E-HTTP. In this case the CMG connection won't require a client authentication certificate. Is this correct?

The CMG connection point never requires a client auth cert.

Thank you for the response.
