Clients not communicating with CMG

Jackster 6 Reputation points
2020-10-09T21:54:39.177+00:00

Hi,

I'm trying to set up a CMG and I'm using PKI certs. I've deployed the proper certificates to the CMG and can see that they are bound in the Azure VM. I'm not using a CRL, so I unchecked those options in the CMG installation wizard and my site properties. When I use the CMG connection analyzer, everything looks good.
[screenshot: aztest.jpg]

However, when I try to use a client pointing to that CMG, I see the following in my LocationServices.log file
[screenshot: locservlog.jpg]

What certificate is missing and how do I apply it?

Thanks!


7 answers

  1. BryanB 26 Reputation points
    2021-02-04T19:23:54.593+00:00

    We had the same symptoms as the original post after configuring our CMG. After working with MS it ended up being an enabled setting that didn't actually apply in the registry. We had the box checked for "Allow Configuration Manager cloud management gateway traffic" in the settings of our Management Point, but for some reason it didn't update the registry and CMG traffic was still being blocked. We unchecked the box, hit apply, rechecked the box, hit apply again, at which point the registry updated correctly and our CMG started to work as expected. The specific key for us was HKLM\SOFTWARE\Microsoft\SMS\MP\EnableInternet and it needs to equal a DWORD of 1. We are running SCCM CB 1910.

    [screenshot: mp.png]

    [screenshot: reg-mp.png]

    4 people found this answer helpful.
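    The answer above names a single registry value on the management point that must hold 1 for CMG traffic to be allowed. The following PowerShell is an added example (not posted by BryanB or by Microsoft) that reads that value locally or on a list of MP servers and reports whether it matches; it assumes the key path and value name exactly as given in the answer and assumes WinRM is available for any remote MP. It only reads the registry; the fix the answer describes is to clear and re-apply the checkbox in the console so the site component rewrites the value itself.

```powershell
# Added example, not code from the thread: check whether the MP's
# "Allow Configuration Manager cloud management gateway traffic" setting
# actually reached the registry. Run from an elevated session with rights
# on the management point(s). Key path and value name are taken from the
# answer above; remote checks assume WinRM/PowerShell remoting is enabled.

function Test-MpCmgTrafficSetting {
    [CmdletBinding()]
    param(
        # Management point server(s) to check; defaults to the local machine
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Registry location from the answer above
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\MP',
        [string]$ValueName = 'EnableInternet',
        # Expected DWORD value when CMG traffic is allowed
        [int]$Expected     = 1
    )

    # Script block run on each MP; returns one status object per server
    $check = {
        param($KeyPath, $ValueName, $Expected)

        $keyExists = Test-Path -Path $KeyPath
        $value     = $null
        if ($keyExists) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }

        if (-not $keyExists)          { $status = 'KeyMissing' }    # not an MP, or role not installed
        elseif ($null -eq $value)     { $status = 'ValueMissing' }  # setting never written
        elseif ($value -eq $Expected) { $status = 'OK' }            # console setting applied
        else                          { $status = 'Mismatch' }      # checkbox set but value not updated

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Key      = "$KeyPath\$ValueName"
            Value    = $value
            Expected = $Expected
            Status   = $status
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check $KeyPath $ValueName $Expected
        }
        else {
            Invoke-Command -ComputerName $computer -ScriptBlock $check -ArgumentList $KeyPath, $ValueName, $Expected |
                Select-Object -Property Computer, Key, Value, Expected, Status
        }
    }
}

# Usage (server names are placeholders):
# Test-MpCmgTrafficSetting -ComputerName 'MP01', 'MP02' | Format-Table -AutoSize
# Any row whose Status is not OK is a candidate for the clear/re-apply of the
# MP checkbox described in the answer above; re-run this check afterwards.
```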

  2. Simon Ren-MSFT 30,116 Reputation points Microsoft Vendor
    2020-10-12T03:09:00.413+00:00

    Hi,

    Thank you for coming to the Microsoft MECM Q&A forum.

    May we know which version of SCCM you are using and how you set up the SCCM client? If possible, please try the following command to install the client:
    ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSiteCode=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

    For more information, please refer to: Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication

    Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Jackster 6 Reputation points
    2020-10-12T03:19:49.333+00:00

    Hi,

    I'm using version 2002 and we have domain-joined computers. None of our machines are Azure AD joined. Clients were initially set up during OSD, and they work fine with our HTTPS-enabled MPs. The article you linked requires devices to be Azure joined, so I don't think this applies to my scenario.

    Thanks for the reply.


  4. Simon Ren-MSFT 30,116 Reputation points Microsoft Vendor
    2020-10-14T07:21:31.11+00:00

    Hi,

    Thanks for your reply.

    Please also uncheck the option "Verify Client Certificate Revocation" on the settings tab of the CMG connection point properties. As shown below:

    [screenshot: cmg-connectiont-point.png]

    Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  5. Rahul Jindal [MVP] 9,146 Reputation points MVP
    2020-10-17T22:54:26.247+00:00

    Have you tried running the connection analyzer using the Client auth cert? Also, where is your CMG connection point installed?
