0 Votes
Jackster-5196 asked DanielBadstueKirk-2923 commented

Clients not communicating with CMG

Hi,

I'm trying to setup a CMG and I'm using PKI certs. I've deployed the proper certificates to the CMG and can see that they are bound in the Azure VM. I'm not using a CRL, so I unchecked those options on the CMG installation wizard and my site properties. When I use the CMG connection analyzer, everything looks good.
[image: aztest.jpg]


However, when I try to use a client pointing to that CMG, I see the following in my LocationServices.log file
[image: locservlog.jpg]


What certificate is missing and how do I apply it?

Thanks!


0 Votes
SimonRenMSFT-3639 answered SimonRenMSFT-3639 edited

Hi,

Thank you for coming to the Microsoft MECM Q&A forum.

May we know which version of SCCM you are using and how you set up the SCCM client? If possible, please try the following command to install the client:
ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSiteCode=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

For more information, please refer to: Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication

Thanks for your time.


Best regards,
Simon

0 Votes
Jackster-5196 answered Jackster-5196 commented

Hi,

I'm using version 2002 and we have domain-joined computers. None of our machines are Azure AD joined. Clients were initially set up during OSD, and they work fine with our HTTPS-enabled MPs. The article you linked requires devices to be Azure joined, so I don't think this applies to my scenario.

Thanks for the reply.


Hi,

Thanks for your detailed information.

1. If you don't publish a CRL, please remember to disable the following option: Clients check the certificate revocation list (CRL) for site systems.
2. For the PKI scenario, the CMG has to trust the client authentication certificates to establish the HTTPS channel with clients. For more detailed steps about this, please refer to:
Configure client authentication for cloud management gateway

Thanks for your time.
 
Best regards,
Simon


0 Votes

Hi Simon,

The CRL option is disabled and internally everything is working. Unless there's another place where it also needs to be unchecked, I'm not sure what else I'm missing. It's only when I use internet connected devices that I get that error "Failed to get 'signing' certificate for MP" in the LocationServices.log.

[image: siteprop.jpg]


I also verified that the root certificate is indeed installed in the root store of the CMG VM, so I feel like it should be trusting my client certs.

Thanks,
Jack

1 Vote

0 Votes
SimonRenMSFT-3639 answered SimonRenMSFT-3639 edited

Hi,

Thanks for your reply.

Please also uncheck the option "Verify Client Certificate Revocation" on the settings tab of the CMG connection point properties. As shown below:

[image: cmg-connection-point.png]

Thanks for your time.


Best regards,
Simon


0 Votes
RahulJindal-2267 answered

Have you tried running the connection analyzer using the Client auth cert? Also, where is your CMG connection point installed?


0 Votes
Jackster-5196 answered

Hi Rahul,

I tried, but my client auth certs don't export the private key, so I can't even start the connection analyzer with the cert. Is it wise to modify the template so I can export the key?


0 Votes
ChrisA-1565 answered Jackster-5196 commented

We are experiencing this same issue. The suggestions provided did not resolve it. How did you get this resolved?


We ended up opening a case with Microsoft and redid the certs with them. To be honest I'm not sure why it started working, as the certs were configured the same way I did it. But after setting it up, a few days later it just started working. Maybe something got synchronized somewhere.

0 Votes

3 Votes
BerzakBryan-6905 answered DanielBadstueKirk-2923 commented

We had the same symptoms as the original post after configuring our CMG. After working with MS it ended up being an enabled setting that didn't actually apply in the registry. We had the box checked for "Allow Configuration Manager cloud management gateway traffic" in the settings of our Management Point, but for some reason it didn't update the registry and CMG traffic was still being blocked. We unchecked the box, hit apply, rechecked the box, hit apply again, at which point the registry updated correctly and our CMG started to work as expected. The specific key for us was HKLM\SOFTWARE\Microsoft\SMS\MP\EnableInternet and it needs to equal a DWORD of 1. We are running SCCM CB 1910.

[image: mp.png]


[image: reg-mp.png]



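An added check for the registry value described in the answer above; this is example code, not from the thread or from Microsoft. Run it elevated on a management point (or pass MP host names for remoting) to compare the console checkbox with what actually reached the registry. The function name, parameter names and output fields are assumptions; only the key path and the expected DWORD of 1 come from the post.

```powershell
# Added example: reports, for one or more management points, whether
# HKLM\SOFTWARE\Microsoft\SMS\MP\EnableInternet is set to 1 (CMG traffic allowed).
# Function name, parameters and output fields are assumptions, not ConfigMgr APIs.
function Test-MpCmgTrafficEnabled {
    [CmdletBinding()]
    param(
        # Management point host names; default is the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each MP and returns the raw state so the caller can classify it.
    $probe = {
        $keyPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\MP'
        $valueName = 'EnableInternet'
        if (-not (Test-Path -Path $keyPath)) { return 'nokey' }
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 'missing' }
        return [int]$item.$valueName
    }

    foreach ($mp in $ComputerName) {
        if ($mp -eq $env:COMPUTERNAME -or $mp -eq 'localhost') {
            $raw = & $probe
        } else {
            # Requires PowerShell remoting to the MP and local admin rights there.
            $raw = Invoke-Command -ComputerName $mp -ScriptBlock $probe
        }

        if ($raw -eq 'nokey') {
            $finding = 'MP key not found: is this host a management point?'
        } elseif ($raw -eq 'missing') {
            $finding = 'EnableInternet missing: console setting never reached the registry'
        } elseif ($raw -eq 1) {
            $finding = 'CMG traffic enabled'
        } else {
            $finding = "EnableInternet = $raw : CMG traffic still blocked"
        }

        [pscustomobject]@{
            ComputerName   = $mp
            EnableInternet = $raw
            CmgEnabled     = ($raw -eq 1)
            Finding        = $finding
        }
    }
}

# Usage: check the local MP, or pass several MP names with -ComputerName.
Test-MpCmgTrafficEnabled | Format-Table -AutoSize
```

If the value is missing or not 1 while the console box is checked, the uncheck/apply/recheck/apply sequence from the post is the workaround reported to write it correctly.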

Same behavior I witnessed in 2010 with all hotfixes installed :D ... thanks for sharing this.

0 Votes

We had the same issue with 2010. Thanks!

0 Votes

Wow, thank you so much for this, I spent too many hours trying to figure out what was causing this behaviour!

0 Votes