CMG Certificate Clarification

Phil 96 Reputation points
2021-01-28T19:34:21.687+00:00

Hi,

We have just setup a (Azure / PAS hosted) CMG.
Our Config Manager site is configured to use Enterprise PKI (HTTPS only).

We have created the CMG as documented on the various step-by-step guides such as those below:

how-to-setup-cloud-management-gateway-cmg-in-microsoft-sccm-video-guide
setup-and-configure-sccm-cloud-management-gateway-1806

Whilst some (approx 60) of our internet connected clients are connecting to the CMG, the majority are failing with the error below shown in the ClientLocation / LocationServices logs:

61583-image.png

When running the CMG connection analyser we see the following:

61516-image.png

I have masked the MP name but can confirm it is using a cert from the same PKI CA as the CMG.
We only have the one internet enabled MP and of the clients which are connecting successfully they are all using PKI certs from different (but obviously trusted CA's) to that of the site systems.

The article below states that the CMG connection point requires a client authentication cert (which it has, at least by virtue of being on the same server as the MP and having a valid client auth cert in the computer personal store)
cmg-communication-error-403

Please could someone clarify / suggest possible causes of this issue?
Is there a way to verify which cert the CMG Connection point is using?
And why would it be that a number (approx 60) devices are connecting successfully via the CMG using cert authentication?

Thanks,
Phil

Microsoft Configuration Manager
{count} votes

2 answers

Sort by: Most helpful
  1. AllenLiu-MSFT 41,136 Reputation points Microsoft Vendor
    2021-01-29T08:32:36.473+00:00

    @Phil
    Thank you for posting in Microsoft Q&A forum.
    The CMG has to trust the client authentication certificates to establish the HTTPS channel with clients. To accomplish this trust, export the trusted root certificate chain. Then supply these certificates when you create the CMG in the Configuration Manager console.
    For the details:
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/configure-authentication#bkmk_clientroot


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Phil 96 Reputation points
    2021-02-03T10:39:43.963+00:00

    Update on this issue...

    Still need help!

    Having implemented the registry fix detailed in this article:
    403-error-cmgconnectorclientcertificaterequired-error-with-clound-management-gateway

    ...the connection analyser is now working for certificates without a publicly accessible CRL:
    (so it seems there is still a bug with the CMG settings which default to enable the CRL check even though not enabled via the settings in CM!)

    63493-image.png

    However, clients using these certs are still failing to connect with the error below:
    63428-image.png

    Can anyone offer any further insight in to this?
    It seems to me as though the CMG is still attempting to perform a CRL check!?

    Thanks,
    Phil

    0 comments No comments