Clients not communicating with CMG

Jackster 6 Reputation points
2020-10-09T21:54:39.177+00:00

Hi,

I'm trying to set up a CMG and I'm using PKI certs. I've deployed the proper certificates to the CMG and can see that they are bound in the Azure VM. I'm not using a CRL, so I unchecked those options on the CMG installation wizard and my site properties. When I use the CMG connection analyzer, everything looks good.
31317-aztest.jpg

However, when I try to use a client pointing to that CMG, I see the following in my LocationServices.log file:
31345-locservlog.jpg

What certificate is missing and how do I apply it?

Thanks!


7 answers

  1. Simon Ren-MSFT 30,501 Reputation points Microsoft Vendor
    2020-10-12T03:09:00.413+00:00

    Hi,

    Thank you for coming to the Microsoft MECM Q&A forum.

    May we know which version of SCCM you are using and how you set up the SCCM client? If possible, please try the following command to install the client:
    ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSiteCode=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

    For more information, please refer to: Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication

    Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Jackster 6 Reputation points
    2020-10-12T03:19:49.333+00:00

    Hi,

    I'm using version 2002 and we have domain-joined computers. None of our machines are Azure AD joined. Clients were initially set up during OSD, and they work fine with our HTTPS-enabled MPs. The article you linked requires devices to be Azure joined, so I don't think this applies to my scenario.

    Thanks for the reply.


  3. Simon Ren-MSFT 30,501 Reputation points Microsoft Vendor
    2020-10-14T07:21:31.11+00:00

    Hi,

    Thanks for your reply.

    Please also uncheck the option "Verify Client Certificate Revocation" on the settings tab of the CMG connection point properties. As shown below:

    32253-cmg-connectiont-point.png

    Thanks for your time.

    Best regards,
    Simon



  4. Rahul Jindal [MVP] 9,151 Reputation points MVP
    2020-10-17T22:54:26.247+00:00

    Have you tried running the connection analyzer using the Client auth cert? Also, where is your CMG connection point installed?


  5. Jackster 6 Reputation points
    2020-10-19T14:26:58.577+00:00

    Hi Rahul,

    I tried, but my client auth certs don't export the private key, so I can't even start the connection analyzer with the cert. Is it wise to modify the template so I can export the key?
