CMG Error in 2006

%3CLINGO-SUB%20id%3D%22lingo-sub-1753908%22%20slang%3D%22en-US%22%3ECMG%20Error%20in%202006%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1753908%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EI%20am%20experiencing%20a%20lot%20of%20error%20in%20the%20ProxyService_IN_0-CMGService.log%20file%20on%20my%20production%20machine.%20The%20errors%20are%20shown%20below.%20We%20are%20not%20using%20PKI%2C%20we%20use%20a%20public%20wildcard%20cert%20for%20server%20authentication.%20I%20have%20virtually%20an%20exact%20duplicate%20setup%20with%20a%20public%20cert%20and%20no%20errors%20are%20being%20reported%20in%20the%20log%20files.%20When%20ever%20I%20run%20the%20CMG%20Analyzer%20I%20get%20error%20at%20%22Check%20Config%20setting%20are%20up%20to%20date%22%20or%20%22Testing%20the%20CMG%20Channel%22%20They%20will%20never%20pass.%20In%20my%20test%20environment%20they%20will%20pass%20within%20about%2010%20seconds%20of%20starting.%20Could%20this%20error%20be%20coming%20from%20the%20CMG%20server%20itself.%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EERROR%3A%20Security%20token%20validation%20exception%20with%20requesting%20URL%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fxxx.xxx.xxxx%2FCCM_Proxy_ServerAuth%2F72057594037927940%2FCCM_STS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20ugc%20noreferrer%22%3Ehttps%3A%2F%2Fxxx.xxx.xxxx%2FCCM_Proxy_ServerAuth%2F72057594037927940%2FCCM_STS%3C%2FA%3E.%20System.IdentityModel.Tokens.SecurityTokenValidationException%3A%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3ESystem.Security.Cryptography.CryptographicException%3A%20CryptVerifySignature%20failed%20with%20HRESULT%200x80090006~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte%5B%5D%20token%2C%20Byte%5B%5D%20signature%2C%20Byte%5B%5D%20publicKey)~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String%20authHeader%2C%20String%20publicKey)%20---%26gt%3B%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3ESystem.Security.Cryptography.CryptographicException%3A%20CryptVerifySignature%20failed%20with%20HRESULT%200x80090006~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte%5B%5D%20token%2C%20Byte%5B%5D%20signature%2C%20Byte%5B%5D%20publicKey)~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String%20authHeader%2C%20String%20publicKey)~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3E---%20End%20of%20inner%20exception%20stack%20trace%20---~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String%20authHeader%2C%20String%20publicKey)~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateTokenEx(String%20token%2C%20String%20tokenHint)~~%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3Eat%20Microsoft.ConfigurationManager.BgbServerChannel.BgbServerReverseProxy.ValidateAuthorizationToken(String%20authorizationToken%2C%20EndpointClientAuthScheme%20clientAuthScheme%2C%20Uri%20requestUri%2C%3C%2FP%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EIToken%26amp%3B%20validatedToken%2C%20EndpointClientAuthScheme%26amp%3B%20validatedScheme)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1753908%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECM%20current%20branch%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1771593%22%20slang%3D%22en-US%22%3ERe%3A%20CMG%20Error%20in%202006%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1771593%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214135%22%20target%3D%22_blank%22%3E%40Ronald%20Lawrimore%3C%2FA%3E%26nbsp%3BAre%20you%20sure%20the%20CMG%20(wildcard)%20certificate%20is%20trusted%20by%20the%20CMG%20connection%20point(s)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1771598%22%20slang%3D%22en-US%22%3ERe%3A%20CMG%20Error%20in%202006%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1771598%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3BI%20far%20as%20I%20can%20tell%20yes.%20What%20would%20be%20the%20best%20way%20to%20make%20absolutely%20sure.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1771607%22%20slang%3D%22en-US%22%3ERe%3A%20CMG%20Error%20in%202006%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1771607%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214135%22%20target%3D%22_blank%22%3E%40Ronald%20Lawrimore%3C%2FA%3E%26nbsp%3BYou%20can%20try%20opening%20a%20browser%20on%20a%20CMG%20connection%20point%20and%20then%20entering%20the%20CMG%20URL%20(i.e.%20%3CA%20href%3D%22https%3A%2F%2Fmycmg.mydomain.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmycmg.mydomain.com%3C%2FA%3E).%20From%20there%2C%20you%20should%20be%20able%20to%20check%20the%20CMG%20certificate%20certification%20path.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1771751%22%20slang%3D%22en-US%22%3ERe%3A%20CMG%20Error%20in%202006%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1771751%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3BBoth%20site%20servers%20show%20the%20connection%20as%20secure.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I am experiencing a lot of error in the ProxyService_IN_0-CMGService.log file on my production machine. The errors are shown below. We are not using PKI, we use a public wildcard cert for server authentication. I have virtually an exact duplicate setup with a public cert and no errors are being reported in the log files. When ever I run the CMG Analyzer I get error at "Check Config setting are up to date" or "Testing the CMG Channel" They will never pass. In my test environment they will pass within about 10 seconds of starting. Could this error be coming from the CMG server itself.

ERROR: Security token validation exception with requesting URL https://xxx.xxx.xxxx/CCM_Proxy_ServerAuth/72057594037927940/CCM_STS. System.IdentityModel.Tokens.SecurityTokenValidationException:

System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006~~

at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)~~

at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey) --->

System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006~~

at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)~~

at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)~~

--- End of inner exception stack trace ---~~

at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)~~

at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateTokenEx(String token, String tokenHint)~~

at Microsoft.ConfigurationManager.BgbServerChannel.BgbServerReverseProxy.ValidateAuthorizationToken(String authorizationToken, EndpointClientAuthScheme clientAuthScheme, Uri requestUri,

IToken& validatedToken, EndpointClientAuthScheme& validatedScheme)

9 Replies

@Ronald Lawrimore Are you sure the CMG (wildcard) certificate is trusted by the CMG connection point(s)?

@Michiel Overweel I far as I can tell yes. What would be the best way to make absolutely sure.

@Ronald Lawrimore You can try opening a browser on a CMG connection point and then entering the CMG URL (i.e. https://mycmg.mydomain.com). From there, you should be able to check the CMG certificate certification path.

@Michiel Overweel Both site servers show the connection as secure.

@Ronald Lawrimore 

Did you ever figure this out? I am facing a the same thing currently. My certificates are trusted and everything seems to be working except that I cannot download anything from the CMG.

No @ThomasJensen I have not corrected the issue yet. Were you able to correct it on your end?

@Ronald Lawrimore  I had this same issue where I was not able to download anything from over CMG.  The issue was the DP on my site server thought is was set as an Internet-Based DP which was conflicting with the CMG DP.

 

In the SCCM console go here:

Administration > Distribution Points > add the Internet-Based column if needed > there should be only one.

 

 

 

@McBob0324 I just checked and I only have on DP as Internet based.

@Ronald Lawrimore Another place to check is the properties of your primary site server.  Communication Security tab.  "Use PKI Client certificate (client authentication capability) when available" must be check.  I believe this is a bug in 2006 per the MS Engineer I worked with.