Cloud Management Gateway Errors - Invalid Cert and 400 errors

Question

CMG Errors:
Hi everyone,

Having trouble getting clients to talk to CMG. The CMG and Connection Point setup went smoothly apart from "The remote server returned an error: (400) Bad Request." on occasion & "The remote certificate is invalid according to the validation procedure" on occasion from CloudMgr.log and SMS_CLOUD_PROXYCONNECTOR.log respectively. The CMG/DP seems Ok as content can be distributed there and arrives successfully.

SCCM 2002 with Hotfix applied.

I am using a 3rd party wildcard cert (DigiCert) and adding the Domain Trusted Root cert when setting up CMG - there are no intermediary certs. I have RDP's to the CMG and confirmed the certs are there, I've also checked the SCCM MP and Win10 test client the certs are there too.

Win10 test device is 1803 and Hybrid AAD Joined. Co-Mgmt is enabled but no workloads shifted.

Site and MP have been configured to allow CMG, eHTTP etc. Client settings have been updated to allow CMG/Cloud. And CMG is acting as the Cloud DP too.

Does anyone have any suggestions of what I can check/try next? I am running out of ideas.

Full error messages:

CloudMgr.log (server name/site code removed)

STATMSG: ID=11401 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SERVICE_CONNECTOR" SYS=<PrimarySiteServer> SITE=<SiteCode> PID=32236 TID=30632 GMTDATE=Thu Aug 20 00:36:59.815 2020 ISTR0="CMGatewayNotificationWorker" ISTR1="The remote server returned an error: (400) Bad Request." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

SMS_CLOUD_PROXYCONNECTOR.log:

ERROR: Web exception without response for message 6eccd89e-11b6-48ab-bdcd-b89b7f2378d4: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~ at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)~~ at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)~~ --- End of inner exception stack trace ---~~ at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.InternalResponseCallBack(IAsyncResult asynchronousResult)

Answer 1

Hi,

Thanks for posting in Q&A.

Could we check the properties of the certifacates's value? Like the image below:

The default value of the CMG certificate's value will be .CloudApp.net form appears.

Here is a helpful article for you to refer to:
https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_serverauthpublic

I hope this could help you. Thanks for your time.

Best regards,
Fiona Yan

Please remember to mark the replies as answers if they help.

Answer 2

Hi Fiona,
The properties of the cert are:

CNAME has been setup, XXXcmg.<internal domain> points to XXXcmg.cloudapp.net and ping confirms this is working

Answer 3

Hi Umonroe,

May we check the value of the issue to the XXXcmg.<internal domain> or XXXcmg.cloudapp.net? We may need to distribute this value to the XXXcmg.<internal domain> like the image i provide above:

Thanks for your time.

---

If the response is helpful, please click "Accept Answer" and upvote it.

Answer 4

I think the problem is internal domain is .local

Is there anyway around this?

Answer 5

Hi Umonroe,

Thanks for posting in Q&A.

I appreciate your understanding that we are not the best channel to address this issue since the forum is mainly focusing on break-fix issues.
To get better support, I suggest you call Professional Support Services so that a dedicate engineer will help you solve this issue in a more efficient way. Thank you for your understanding.

To obtain the phone numbers for specific technology request please take a look at the web site listed below.

https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers