Configure client authentication for cloud management gateway
Applies to: Configuration Manager (current branch)
The next step in the setup of a cloud management gateway (CMG) is to configure how clients authenticate. Because these clients are potentially connecting to the service from the untrusted public internet, they have a higher authentication requirement. There are three options:
- Microsoft Entra ID
- PKI certificates
- Configuration Manager site-issued tokens
This article describes how to configure each of these options. For more foundational information, see Plan for CMG client authentication methods.
Microsoft Entra ID
If your internet-based devices are running Windows 10 or later, use Microsoft Entra modern authentication with the CMG. This authentication method is the only one that enables user-centric scenarios.
This authentication method requires the following configurations:
The devices need to be either cloud domain-joined or Microsoft Entra hybrid joined, and the user also needs a Microsoft Entra identity.
Tip
To check if a device is cloud-joined, run
dsregcmd.exe /status
in a command prompt. If the device is Microsoft Entra joined or hybrid-joined, the AzureAdjoined field in the results shows YES. For more information, see dsregcmd command - device state.One of the primary requirements for using Microsoft Entra authentication for internet-based clients with a CMG is to integrate the site with Microsoft Entra ID. You already completed that action in the prior step.
There are a few other requirements, depending upon your environment:
- Enable user discovery methods for hybrid identities
- Enable ASP.NET 4.5 on the management point
- Configure client settings
For more information on these prerequisites, see Install clients using Microsoft Entra ID.
PKI certificate
Use these steps if you have a public key infrastructure (PKI) that can issue client authentication certificates to devices.
This certificate may be required on the CMG connection point. For more information, see CMG connection point.
Issue the certificate
Create and issue this certificate from your PKI, which is outside of the context of Configuration Manager. For example, you can use Active Directory Certificate Services and group policy to automatically issue client authentication certificates to domain-joined devices. For more information, see Example deployment of PKI certificates: Deploy the client certificate.
The CMG client authentication certificate supports the following configurations:
2048-bit or 4096-bit key length
This certificate supports key storage providers for certificate private keys (v3). For more information, see CNG v3 certificates overview.
Export the client certificate's trusted root
The CMG has to trust the client authentication certificates to establish the HTTPS channel with clients. To accomplish this trust, export the trusted root certificate chain. Then supply these certificates when you create the CMG in the Configuration Manager console.
Make sure to export all certificates in the trust chain. For example, if the client authentication certificate is issued by an intermediate CA, export both the intermediate and root CA certificates.
Note
Export this certificate when any client uses PKI certificates for authentication. When all clients use either Microsoft Entra ID or tokens for authentication, this certificate isn't required.
After you issue a client authentication certificate to a computer, use this process on that computer to export the trusted root certificate.
Open the Start menu. Type "run" to open the Run window. Open
mmc
.From the File menu, choose Add/Remove Snap-in....
In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.
In the Certificates snap-in dialog box, select Computer account, then select Next.
In the Select Computer dialog box, select Local computer, then select Finish.
In the Add or Remove Snap-ins dialog box, select OK.
Expand Certificates, expand Personal, and select Certificates.
Select a certificate whose Intended Purpose is Client Authentication.
From the Action menu, select Open.
Go to the Certification Path tab.
Select the next certificate up the chain, and select View Certificate.
On this new Certificate dialog box, go to the Details tab. Select Copy to File....
Complete the Certificate Export Wizard using the default certificate format, DER encoded binary X.509 (.CER). Make note of the name and location of the exported certificate.
Export all of the certificates in the certification path of the original client authentication certificate. Make note of which exported certificates are intermediate CAs, and which ones are trusted root CAs.
CMG connection point
To securely forward client requests, the CMG connection point requires a secure connection with the management point. If you're using PKI client authentication, and the internet-enabled management point is HTTPS, issue a client authentication certificate to the site system server with the CMG connection point role.
Note
The CMG connection point doesn't require a client authentication certificate in the following scenarios:
- Clients use Microsoft Entra authentication.
- Clients use Configuration Manager token-based authentication.
- The site uses Enhanced HTTP.
For more information, see Enable management point for HTTPS.
Site token
If you can't join devices to Microsoft Entra ID or use PKI client authentication certificates, then use Configuration Manager token-based authentication. For more information, or to create a bulk registration token, see Token-based authentication for cloud management gateway.
Enable management point for HTTPS
Depending upon how you configure the site, and which client authentication method you choose, you may need to reconfigure your internet-enabled management points. There are two options:
- Configure the site for Enhanced HTTP, and configure the management point for HTTP
- Configure the management point for HTTPS
Configure the site for Enhanced HTTP
When you use the site option to Use Configuration Manager-generated certificates for HTTP site systems, you can configure the management point for HTTP. When you enable Enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS Default Web site bound to port 443.
With this option, internal clients can continue to communicate with the management point using HTTP. Internet-based clients using Microsoft Entra ID or a client authentication certificate can securely communicate through the CMG with this management point over HTTPS.
For more information, see Enhanced HTTP.
Configure the management point for HTTPS
To configure a management point for HTTPS, first issue it a web server certificate. Then enable the role for HTTPS.
Create and issue a web server certificate from your PKI or a third-party provider, which are outside of the context of Configuration Manager. For example, use Active Directory Certificate Services and group policy to issue a web server certificate to the site system server with the management point role. For more information, see the following articles:
On the properties of the management point role, set the client connections to HTTPS.
Tip
After you set up the CMG, you'll configure other settings for this management point.
If your environment has multiple management points, you don't have to HTTPS-enable them all for CMG. Configure the CMG-enabled management points as Internet only. Then your on-premises clients don't try to use them.
Management point client connection mode summary
These tables summarize whether the management point requires HTTP or HTTPS, depending upon the type of client. They use the following terms:
- Workgroup: The device isn't joined to a domain or Microsoft Entra ID, but has a client authentication certificate.
- AD domain-joined: You join the device to an on-premises Active Directory domain.
- Microsoft Entra joined: Also known as cloud domain-joined, you join the device to a Microsoft Entra tenant. For more information, see Microsoft Entra joined devices.
- Hybrid-joined: You join the device to your on-premises Active Directory and register it with your Microsoft Entra ID. For more information, see Microsoft Entra hybrid joined devices.
- HTTP: On the management point properties, you set the client connections to HTTP.
- HTTPS: On the management point properties, you set the client connections to HTTPS.
- E-HTTP: On the site properties, Communication Security tab, you set the site system settings to HTTPS or HTTP, and you enable the option to Use Configuration Manager-generated certificates for HTTP site systems. You configure the management point for HTTP, and the HTTP management point is ready for both HTTP and HTTPS communication.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.
For internet-based clients communicating with the CMG
Configure an on-premises management point to allow connections from the CMG with the following client connection mode:
Internet-based client | Management point |
---|---|
Workgroup Note 1 | E-HTTP, HTTPS |
AD domain-joined Note 1 | E-HTTP, HTTPS |
Microsoft Entra joined | E-HTTP, HTTPS |
Hybrid-joined | E-HTTP, HTTPS |
Note
Note 1: This configuration requires the client has a client authentication certificate, and only supports device-centric scenarios.
For on-premises clients communicating with the on-premises management point
Configure an on-premises management point with the following client connection mode:
On-premises client | Management point |
---|---|
Workgroup | HTTP, HTTPS |
AD domain-joined | HTTP, HTTPS |
Microsoft Entra joined | HTTPS |
Hybrid-joined | HTTP, HTTPS |
Note
On-premises AD domain-joined clients support both device- and user-centric scenarios communicating with an HTTP or HTTPS management point.
On-premises Microsoft Entra joined and hybrid-joined clients can communicate via HTTP for device-centric scenarios, but need E-HTTP or HTTPS to enable user-centric scenarios. Otherwise they behave the same as workgroup clients.
Next steps
You're now ready to create the CMG in Configuration Manager: