Cloud Management Gateway Errors - Invalid Cert and 400 errors

Ewan Monro 1 Reputation point
2020-08-20T02:37:49.28+00:00

CMG Errors:
Hi everyone,

Having trouble getting clients to talk to CMG. The CMG and Connection Point setup went smoothly apart from "The remote server returned an error: (400) Bad Request." on occasion & "The remote certificate is invalid according to the validation procedure" on occasion from CloudMgr.log and SMS_CLOUD_PROXYCONNECTOR.log respectively. The CMG/DP seems Ok as content can be distributed there and arrives successfully.

SCCM 2002 with Hotfix applied.

I am using a 3rd party wildcard cert (DigiCert) and adding the Domain Trusted Root cert when setting up CMG - there are no intermediary certs. I have RDP's to the CMG and confirmed the certs are there, I've also checked the SCCM MP and Win10 test client the certs are there too.

Win10 test device is 1803 and Hybrid AAD Joined. Co-Mgmt is enabled but no workloads shifted.

Site and MP have been configured to allow CMG, eHTTP etc. Client settings have been updated to allow CMG/Cloud. And CMG is acting as the Cloud DP too.

Does anyone have any suggestions of what I can check/try next? I am running out of ideas.

Full error messages:

CloudMgr.log (server name/site code removed)

STATMSG: ID=11401 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SERVICE_CONNECTOR" SYS=<PrimarySiteServer> SITE=<SiteCode> PID=32236 TID=30632 GMTDATE=Thu Aug 20 00:36:59.815 2020 ISTR0="CMGatewayNotificationWorker" ISTR1="The remote server returned an error: (400) Bad Request." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

SMS_CLOUD_PROXYCONNECTOR.log:

ERROR: Web exception without response for message 6eccd89e-11b6-48ab-bdcd-b89b7f2378d4: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~ at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)~~ at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)~~ --- End of inner exception stack trace ---~~ at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.InternalResponseCallBack(IAsyncResult asynchronousResult)

Microsoft Configuration Manager
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Fiona Yan-MSFT 2,311 Reputation points
    2020-08-20T10:36:47.227+00:00

    Hi,

    Thanks for posting in Q&A.

    Could we check the properties of the certifacates's value? Like the image below:
    19143-cmg-certificate.png

    The default value of the CMG certificate's value will be .CloudApp.net form appears.
    19144-third-party.png

    Here is a helpful article for you to refer to:
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_serverauthpublic

    I hope this could help you. Thanks for your time.

    Best regards,
    Fiona Yan

    Please remember to mark the replies as answers if they help.

    0 comments No comments

  2. Ewan Monro 1 Reputation point
    2020-08-24T01:00:48.56+00:00

    Hi Fiona,
    The properties of the cert are:
    19734-wildcard-props.png

    CNAME has been setup, XXXcmg.<internal domain> points to XXXcmg.cloudapp.net and ping confirms this is working

    0 comments No comments

  3. Fiona Yan-MSFT 2,311 Reputation points
    2020-08-24T02:56:20.877+00:00

    Hi Umonroe,

    May we check the value of the issue to the XXXcmg.<internal domain> or XXXcmg.cloudapp.net? We may need to distribute this value to the XXXcmg.<internal domain> like the image i provide above:
    19725-cmg-certificate.png

    Thanks for your time.


    If the response is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  4. Ewan Monro 1 Reputation point
    2020-08-25T00:52:35.72+00:00

    19992-image.png

    I think the problem is internal domain is .local

    Is there anyway around this?

    0 comments No comments

  5. Fiona Yan-MSFT 2,311 Reputation points
    2020-08-25T08:48:19.043+00:00

    Hi Umonroe,

    Thanks for posting in Q&A.

    I appreciate your understanding that we are not the best channel to address this issue since the forum is mainly focusing on break-fix issues.
    To get better support, I suggest you call Professional Support Services so that a dedicate engineer will help you solve this issue in a more efficient way. Thank you for your understanding.

    To obtain the phone numbers for specific technology request please take a look at the web site listed below.

    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.