IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: CMG

SCCM: MP is not reachable via CMG (PKI scenario)

One of my Customers asked me to help with a CMG deployment. The idea is to get Internet-based machines managed and patched.

They do not have a Hybrid AAD joined environment yet, so I need to use good old PKI.

I decided to get it working in my Lab first. I have a CA on my pfSense router, which makes it even more interesting (the certs do not have a CRL link).

I issued the required certificates for my SCCM, CMG and Clients and flipped my Primary site to PKI. On all Certificate settings I checked the “No CRL verification” box (since I do not have one).

Internally everything worked fine, but when I flipped a Client to the “Internet” subnet I found it can connect for a short period of time only. After that the connection to the MP via CMG is lost, the client goes grey and I see:

[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Clientcertificaterequired

in LocationServices.log on the Client.

It turned out to be a known issue (KB4503442), or rather by-design behaviour, for a scenario when Azure AD tokens are not in use.

So, I added a Client cert with the name of my MP as Subject Name and in SAN. Restarted Cloud Connector on my SCCM.

Still no go.

Checked the SMS_Cloud_ProxyConnector.log and found:

Chain build failed cert: 77…………………………………………1

Chain 0 status: RevocationStatusUnknown

OK… So it looks like even though I unchecked the Revocation List check in the properties of the CMG, the connector is still trying to check it. In the troubleshooting guide (https://support.microsoft.com/en-ae/help/4520150/troubleshooting-co-management-bootstrap-with-modern-provisioning) Microsoft says the best way is to publish the CRL properly (sure, I know that) and does not provide information on how to disable the check.

But if we take a look in the registry at HKLM\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR we can find a key: ClientCertSelectionNoCRLCheck, set to 0 by default.

I switched it to 1 and restarted the connector.

After that the Internet Client successfully connected to the MP.

Note: I completely agree with the Vendor – the proper approach is to have your PKI properly configured and CRL published with public access; but in my case it is a Lab, so the workaround is acceptable.
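To see which certificates on the CMG connection point actually fail revocation checking, and whether the override is already set, a read-only PowerShell audit can help. This is an added example, not code from the original post or from Microsoft; it assumes the certificate is in Cert:\LocalMachine\My, and the chain policy used (online revocation, root excluded) is an assumption that may differ from what the connector itself applies.

```powershell
# Added example: read-only audit, run elevated on the CMG connection point server.
$keyPath       = 'HKLM:\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR'  # path from the post
$valueName     = 'ClientCertSelectionNoCRLCheck'                          # name from the post
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$cdpOid        = '2.5.29.31'           # CRL Distribution Points extension

# 1. Report the current state of the connector's CRL-check override.
$prop  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$state = if ($null -eq $prop) { 'not set' } else { $prop.$valueName }
Write-Output "$valueName = $state"

# 2. For every client-authentication certificate in the machine store, build the
#    chain with online revocation checking and record what fails.
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Certificates without an EKU extension are skipped to keep the report short.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { continue }
    $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($usages -notcontains $clientAuthOid) { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # assumption, see lead-in
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'  # assumption, see lead-in
    $ok = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        HasCdp      = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid })
        ChainOk     = $ok
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}
$results | Format-List
```

A certificate that reports RevocationStatusUnknown with HasCdp = False has no CRL location to query, which is the lab situation described above.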


SCCM: CMG Provisioning Failed

Microsoft published an interesting Lab Set for Modern Desktop Management. Between projects I decided to install the kit and try the Labs.

Here are some gotchas:

1. If the Azure Account does not have an Azure Subscription in its own directory, the CMG installer cannot see the Subscription, even if the account has rights to another subscription. I needed to create a new trial subscription linked to the same AAD to be able to proceed.

2. Even after that, CMG provisioning failed. I checked the logs and found that Microsoft decided to not register Classic Compute (yes, CMG still uses the Classic model). To fix that I ran PowerShell in the Azure Portal and registered the required provider:

Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.ClassicCompute"

Will see what additional surprises MS prepared…

SCCM: CMG Connector Analyzer fails

I installed Cloud Management Gateway in my SCCM environment and ran the CMG Connector Analyzer. It failed on the last test with:

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.


It turned out the account I used for the test has MFA, and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account, and this time the Connector passed successfully.