SCCM_CMG - Client Authentication not working from PKI Cert

Anmol Singh 1 Reputation point
2021-02-11T14:52:39.347+00:00

**Configurations:**

SCCM CB v1910
Standalone Primary Site
One CMG Setup configuration completed and the connection analyzer shows everything OK.
On the Communication settings of the Primary Site, HTTP or HTTPS mode is selected as shown below.
Trusted Root Certification Authorities: The domain Root Cert is expired and it cannot be renewed, so we have used a Third Party PKI Root Cert, which is present in the cert store of the test machines under the folder Trusted Root Certification Authorities. There is no intermediate cert for this Root Cert.

PS Communication Settings
67022-primary-site-communication-settings.png

**Issue description:**

While testing the HTTPSReadiness on our test machines, the HTTPSReadiness.log shows this:

CMHttpsReadiness.log

66950-cmhttpsreadinesslog.png

It seems that the provided Third Party PKI Trusted Root Cert is parsed but it is not identified or picked by the SCCM algorithm.
A similar log is written in ClientIDStartupManager.log.

Does anyone know why this cert is not picked by SCCM for authenticating the client for HTTPS Readiness?


1 answer

  1. AlexZhu-MSFT 5,956 Reputation points Microsoft Vendor
    2021-02-12T01:44:27.193+00:00

    Hi,

    Thank you for the detailed description and the screenshots. For the CMG certificate, we may have something to check, for example, the purpose should contain server authentication, the service name, the deployment name, etc.

    For the requirement, we may read through this article.
    https://learn.microsoft.com/en-in/mem/configmgr/core/clients/manage/cmg/server-auth-cert

    Here's also a nice video from a former Sr PFE at Microsoft, and we can follow this to check every single step to see if we missed anything.

    https://setupconfigmgr.com/how-to-setup-cloud-management-gateway-cmg-in-microsoft-sccm
    Note: this is just for your reference.

    Hope the above information helps.

    Alex
    If the response is helpful, please click "Accept Answer" and upvote it.
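
The checks raised in this thread (certificate purpose, validity, and whether the chain ends in a trusted root) can be inspected on a test machine with PowerShell. This is an added example, not code from either post or from Configuration Manager, and it does not reproduce Configuration Manager's own certificate selection logic; the function name `Get-CertReadiness` and the choice of the machine Personal store are assumptions.

```powershell
# Added example: report, for each certificate in a store, the properties discussed
# in this thread: purpose (EKU), validity period, private key, and chain trust.
function Get-CertReadiness {
    param(
        # Assumption: certificates of interest are in the machine Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read the Enhanced Key Usage extension. A certificate with no EKU
        # extension is not restricted to specific purposes.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Build the chain against the local trust stores. Revocation checking is
        # turned off so the result reflects only trust path and validity dates.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainBuilds = $chain.Build($cert)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasEku        = [bool]$ekuExt
            ClientAuth    = $oids -contains $clientAuthOid
            ServerAuth    = $oids -contains $serverAuthOid
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            ChainBuilds   = $chainBuilds
            ChainEndsAt   = $last.Subject
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        $chain.Reset()
    }
}

Get-CertReadiness | Format-List
```

A row with `ChainBuilds` false and a `ChainStatus` of `UntrustedRoot` or `PartialChain` means the issuing root is not in the machine's Trusted Root Certification Authorities store; `NotTimeValid` points at an expired certificate somewhere in the chain.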

