One of my Customers asked me to help with a CMG deployment. The idea is to get Internet-based machines managed and patched.
They do not have Hybrid AAD joined environment yet, so I need to use old good PKI.
I decided to get it in my Lab first. I do have CA on my pfsense router to get it even more interesting (the certs do not CRL link).
I issued required certificates for my SCCM, CMG and Clients and flipped my Primary site to PKI. On all Certificate settings I checked “No CRL verification” box (sice I do not have one.
Internally everything worked fine, but when I flipped a Client to “Internet” subnet I found it can connect for a short period of time only. After that connection to MP via CMG is lost, client goes grey and I see:
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Clientcertificaterequired
in LocationServices.log on the Client.
It turned out to be a known issue (KB4503442) or better by design behaviour for a scenario when Azure AD tokens are not in use.
So, I added a Client cert with the name of my MP as Subject Name and in SAN. Restarted Cloud Connector on my SCCM.
Still no go.
Checked the SMS_Cloud_ProxyConnector.log and found:
Chain build failed cert: 77…………………………………………1
Chain 0 status: RevocationStatusUnknown
ok… So it looks like even though I unchecked Revocation List check in properties of CMG the connector is still trying to check it . In troubleshooting guide (https://support.microsoft.com/en-ae/help/4520150/troubleshooting-co-management-bootstrap-with-modern-provisioning) Microsoft says the best way is to publish CRL properly (sure, I know that). and do not provide information how to disable the check.
But if we take a look in the registry HKLM\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR we can find a key: ClientCertSelectionNoCRLCheck set to 0 by default.
I switched it to 1 and restarted the connector.
After that the Internet Client successfully connected to the MP.
Note: I completely agree with the Vendor – the proper approach is to have your PKI properly configured and CRL published with public access; but in my case it is a Lab, so the workaround is acceptable.