Cloud Management Gateway with Sub CA

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home in the future. The feature is a System Center Configuration Manager 1610 pre-release feature. Being a pre-release typically means = a little troubleshooting is required to get the feature working in different environments. In my previous blog post I described an issue with software update scan failing. The troubleshooting steps used in this blog post, are similar what I have described there.

In this environment we have a PKI with a Sub CA, and as part of the certificate upload somehow the certificate chain was broken (and yes, there is a script that describes how to upload the cert).

Client errors

In this example the error message in ccmmessaging.log (on the Internet client) was:

Post to https://MyCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request failed with 0x87d00231.

a couple of things to check when this happen:

  1. From a client, open IE and see if you can browse to https://MyCMG.CLOUDAPP.NET. if you get an error like 403, something is broken and you need to dig into the IIS log files on the Azure box.

    image

  2. Enable remote desktop on the cloud management gateway, and open the IIS log files to investigate further. In this example the log file had several lines like the one below. This error indicates

    2017-03-14 09:15:47 W3SVC1273337584 RD00155D81000 IPadr CCM_POST /CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request – 443 – IP adr HTTP/1.1 ccmhttp – – mycmg.cloudapp.net 401 0 0 1589 3928 78

  3. Next step in troubleshooting is opening the certificate manager snap-in and check the computer store. In here your CMG certificate chain should include the correct certificate chain. as you can see in the illustration, the issuer of this certificate can’t be found, and as such our trust is broken.

    image

  4. To fix the issue, copy and import your missing root certificate(s) to the Azure cloud management gateway server. The certificates are to be imported to the Intermediate Certification store. The correct way to get this done, is by running the script as described in this blog post – https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway. If you upload the certificate manually it might be overwritten during maintenance of the virtual machine in Azure.

    image

After that, check you ccmmessaging log and you should see traffic floating – once again………VPN is not really the way forward in the world of modern device management Smile

By | 2017-03-15T10:54:35+00:00 March 15th, 2017|Configuration Manager (SCCM), General info|8 Comments

About the Author:

Kent Agerlund

Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009.

Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more.

Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.

8 Comments

  1. SImon July 25, 2017 at 14:58 - Reply

    Hi Kent,
    I have an issue with my CMG and IIS showing 403.16 errors, my CMG has a trusted root certificate in the Intermediate store but the CMG server itself myservername.cloudapp.net server signing certificate is saying “The issuer of this certificate could not be found”
    What would cause this? Thank you for your help

  2. Scott August 4, 2017 at 17:10 - Reply

    Hello Kent,

    I did what you have detailed here but am still seeing “The Issuer of this certificate could not be found”. Any help on what else you may have done to solve thus?

  3. Kent Agerlund August 4, 2017 at 17:29 - Reply

    You might have multiple issuing certificate servers. In that case all certs must be uploaded

  4. Scott August 4, 2017 at 19:54 - Reply

    We only have 1 cert server. Is there anything else you had to do besides running the thumbprint script to get it to show the correct path?

  5. Kent Agerlund August 4, 2017 at 20:53 - Reply

    Log into the server in Azure, open the cert MMC and verify both cert are there

  6. JJ August 9, 2017 at 22:36 - Reply

    If i add the certs through Azure – they disappear after running the script (on the SCCM database) and still show just the 1, instead of the 3 total certs. What can be causing them to disappear? I am assuming i have to add them through Azure, then also manually and ALSO run the script.

  7. JJ August 9, 2017 at 22:45 - Reply

    Do I also have to add the SubCA certs to the “CMG” portion on the SCCM server under the properties of the CMG? It currently only shows the master, should i also be adding the SubCA’s?

  8. Kent Agerlund August 9, 2017 at 22:47 - Reply

    Yes, you need the entire cert chain

Leave A Comment