SOLVED

CMG - Missing role certificate. Reload in next cycle


Hi all.

We're having issues setting up CMG. We have an environment with SCCM v2010 running fine in HTTPS mode, with the DB on a separate server.

This is the 3rd CMG, so it's something we've already dealt with, but this time it's giving us a headache.

We have no errors or warnings in any of the logs (CloudMgr, SMS_CLOUD_PROXYCONNECTOR, SMS_CLOUDCONNECTION), but we have this entry in SMS_CLOUD_PROXYCONNECTOR.log: "Missing role certificate. Reload in next cycle".

We checked the Certificates\SMS container and there's no "Cloud Proxy Connector" certificate. But in CertMgr.log we have this entry: "(Cloud proxy connector) certificate already exists on machine (xxxxxxxxxx.xxx.xx)".

I found a certificate in the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR\CloudProxyServiceCert", but that doesn't seem to be enough.

We searched the web for answers and tried:

  • Reinstalling the MP
  • Cleaning all CMG configs (app registrations in Azure, CMG connection point, CMG, Azure services, etc.) and starting over
  • Cleaning the registry key and trying the step above again

And no luck... at this point it seems to be a bug or something. Any thoughts?

Thanks!

best response confirmed by JPMuniz (Copper Contributor)
Solution
Finally got through it with Premier Support. The issue was that the cloud proxy connector certificate wasn't being issued because of a conflict with the SMS token signing thumbprint. SCCM was trying to create the cloud proxy connector certificate using the same thumbprint already in use, so it was detected as already existing.

What we did was:
1. Remove the CMG connection point role.
2. Stop the SMS Executive service.
3. Clean up some certificate data in the site DB:
UPDATE CM_RoleIdCertificates SET SerializedCertificate = NULL WHERE RoleTypeID = 27
UPDATE CM_RoleIdCertificates SET EncodedCertificate = NULL WHERE RoleTypeID = 27
UPDATE CM_RoleIdCertificates SET Thumbprint = NULL WHERE RoleTypeID = 27
UPDATE CM_RoleIdCertificates SET ExpirationDate = NULL WHERE RoleTypeID = 27
DELETE FROM CertificateData WHERE CertType = 5
DELETE FROM Proxy_RoleCertificates WHERE Thumbprint = '<SMS Token Signing Thumbprint>'
4. Delete the SMS Token Signing certificate from the Personal and SMS stores.
5. Start the SMS Executive service.
6. Install the CMG connection point role.

It looks like a product bug.
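A pre-check plus a transactional version of the step 3 clean-up, added here as an example (it is not from the thread, Premier Support or Microsoft). It assumes the site database name and the token signing thumbprint are placeholders you fill in, and that Thumbprint is a string column that can be compared with =; RoleTypeID 27 and CertType 5 are the values from the answer above.

```sql
-- Constructed example: confirm the thumbprint conflict described in the
-- answer before changing anything, then run the same clean-up inside a
-- transaction that rolls back unless you explicitly commit.
USE CM_XXX;  -- placeholder: your site database
GO

-- Placeholder: thumbprint of the SMS Token Signing certificate.
DECLARE @TokenSigningThumbprint NVARCHAR(64) = N'<SMS Token Signing Thumbprint>';

-- Diagnostic: does the cloud proxy connector role row (RoleTypeID 27)
-- carry the token signing thumbprint? If so, this is the conflict that
-- makes CertMgr report the certificate as "already exists".
SELECT RoleTypeID, Thumbprint, ExpirationDate,
       CASE WHEN Thumbprint = @TokenSigningThumbprint
            THEN 'CONFLICT: same thumbprint as SMS Token Signing cert'
            ELSE 'no conflict' END AS Diagnosis
FROM CM_RoleIdCertificates
WHERE RoleTypeID = 27;

-- Rows the clean-up would remove; compare with the counts returned later.
SELECT COUNT(*) AS CertType5Rows
FROM CertificateData WHERE CertType = 5;
SELECT COUNT(*) AS ProxyRowsWithTokenThumbprint
FROM Proxy_RoleCertificates WHERE Thumbprint = @TokenSigningThumbprint;

-- Clean-up: only with the CMG connection point role removed and the
-- SMS Executive service stopped, as in steps 1 and 2 of the answer.
BEGIN TRANSACTION;

UPDATE CM_RoleIdCertificates
SET SerializedCertificate = NULL,
    EncodedCertificate    = NULL,
    Thumbprint            = NULL,
    ExpirationDate        = NULL
WHERE RoleTypeID = 27;

DELETE FROM CertificateData
WHERE CertType = 5;

DELETE FROM Proxy_RoleCertificates
WHERE Thumbprint = @TokenSigningThumbprint;

-- Default is ROLLBACK so a copy-paste run changes nothing; swap the two
-- lines below once the affected row counts match the diagnostic above.
ROLLBACK TRANSACTION;
-- COMMIT TRANSACTION;
```

Take a site database backup before the commit, since the deleted rows cannot be recreated by hand and the site has to regenerate the role certificate after the connection point is reinstalled.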