
Cloud Management Gateway for Azure AD Hybrid Joined Windows 10 Workstations

Kirk Francis
Contributor

I have my CMG set up and a handful of Azure AD Hybrid Joined Windows 10 Workstations (1809 and 1903) are getting a Client Setting to use the CMG. My servers and my clients are 1902 and I have Enhanced HTTP enabled. I used a third party certificate from a public and globally trusted certificate provider for the CMG server authentication certificate.

 

However, once my workstations try to use the CMG, things go downhill fast. Software Center loads with a blank window. After about five or ten minutes, it loads my customized settings but no content.

 

I'm not great with ConfigMgr logs but ADALOperationProvider.log on the endpoint comes up with "Getting AAD (device) token" with the client ID, ResourceURL, and AccountID every so often but I don't see any errors.

 

LocationServices.log does a lot of this:

 

Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8)

0 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8)

1 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 4744 (0x1288)

2 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 212 (0x00D4)

3 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 212 (0x00D4)

4 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

Internet MP error threshold reached, moving to next MP. LocationServices 8/9/2019 11:00:29 AM 4280 (0x10B8)

Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

0 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

 

but if I scroll up enough in the log I do find an error "Failed to get client certificate for transportation. Error 0x87d00281" from around when I powered on the workstation.

 

If I use the Cloud Management Gateway connection analyzer with an Azure AD user sign-in, it fails on the "Testing the CMG channel for management point: 'thenameoftheMP'" step with the following error:

 

Failed to get ConfigMgr token with Azure AD token. Status code is '401' and status description is 'CMGConnector_Unauthorized'.

 

A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: 'Unauthorized'.

 

If I use a Client certificate instead, the PFX I used to create the CMG, it has a failure on two steps.

 

"Check configuration settings of the CMG service is up to date" has an error of "Configuration version of the CMG service should be 2. Failed to get CMG service metadata. For more information, see SmsAdminUI.log."

 

The step "Testing the CMG channel for management point: 'thenameoftheMP'" gives me a new error, "Failed to refresh MP location. Selected client certificate is not trusted by the CMG service. Check if certificate chain for the client certificate is specified to upload to the CMG service and check revocation check setting."

 

My Azure AD User discovery is happily chugging along and my Windows 10 workstations in question are successfully Azure AD Hybrid Joined.

 

Any ideas on where I messed up? I followed the instructions at https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway which were pretty good and easy to follow.

 

Does my CMG connection point need to be Azure AD Hybrid Joined in order to use Azure AD for client authentication? My CMG connection point is installed on a 2012 R2 non-Azure AD Hybrid Joined server slated for upgrade to 2019 later this year. My MP and SUP are on the same server.
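The post above is a good illustration of why the interesting line in LocationServices.log (the 0x87d00281 client-certificate failure at boot) is buried under the much noisier MP error-counter lines. The following triage script is an added example, not part of the original post or of ConfigMgr: it parses lines in the rendered column layout quoted above (message, component, date, time, thread id) and surfaces the certificate failure, the error counter approaching its threshold, and the MP rotation event. The sample log text is constructed to match the shapes quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout the post quotes from LocationServices.log.
# It is not the poster's full log; only the line shapes are taken from the post.
SAMPLE_LOG = """\
Failed to get client certificate for transportation. Error 0x87d00281 LocationServices 8/9/2019 8:02:11 AM 9416 (0x24C8)
0 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8)
1 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 4744 (0x1288)
4 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)
Internet MP error threshold reached, moving to next MP. LocationServices 8/9/2019 11:00:29 AM 4280 (0x10B8)
"""

# Rendered line: <message> <component> <M/D/YYYY> <h:mm:ss AM|PM> <thread> (0xHEX)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\w+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<thread>\d+) \((?P<hex>0x[0-9A-Fa-f]+)\)$"
)
ERR_COUNT_RE = re.compile(r"^(\d+) internet MP errors in the last (\d+) minutes, threshold is (\d+)\.$")
CERT_ERR_RE = re.compile(r"Failed to get client certificate for transportation\. Error (0x[0-9A-Fa-f]+)")

@dataclass
class Finding:
    kind: str    # client_cert_missing | mp_error_near_threshold | mp_rotated
    detail: str
    when: str    # date + time as rendered in the log

def parse_line(line):
    """Split one rendered log line into its columns; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Walk the log and return only the lines an admin should act on."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        when, msg = f"{rec['date']} {rec['time']}", rec["msg"]
        cert = CERT_ERR_RE.search(msg)
        if cert:  # the root-cause candidate: no client auth certificate for the CMG channel
            findings.append(Finding("client_cert_missing", cert.group(1), when))
            continue
        cnt = ERR_COUNT_RE.match(msg)
        if cnt:
            n, window, threshold = map(int, cnt.groups())
            if n >= threshold - 1:  # one more failure and the client rotates MPs
                findings.append(Finding("mp_error_near_threshold", f"{n}/{threshold} in {window} min", when))
            continue
        if msg.startswith("Internet MP error threshold reached"):
            findings.append(Finding("mp_rotated", msg, when))
    return findings
```

Running `triage(SAMPLE_LOG)` collapses the sample to three findings, with the certificate error first, so the boot-time failure is not lost behind the counter chatter.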
