Cloud Management Gateway with Sub CA

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home in the future. The feature is a System Center Configuration Manager 1610 pre-release feature. Being pre-release typically means a little troubleshooting is required to get the feature working in different environments. In my previous blog post I described an issue with the software update scan failing. The troubleshooting steps used in this blog post are similar to what I described there.

In this environment we have a PKI with a Sub CA, and as part of the certificate upload the certificate chain was somehow broken (and yes, there is a script that describes how to upload the cert).

Client errors

In this example the error message in ccmmessaging.log (on the Internet client) was:

Post to https://MyCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request failed with 0x87d00231.

A couple of things to check when this happens:

  1. From a client, open IE and see if you can browse to https://MyCMG.CLOUDAPP.NET. If you get an error like 403, something is broken and you need to dig into the IIS log files on the Azure box.


  2. Enable remote desktop on the cloud management gateway, and open the IIS log files to investigate further. In this example the log file had several lines like the one below. This error indicates

    2017-03-14 09:15:47 W3SVC1273337584 RD00155D81000 IPadr CCM_POST /CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request - 443 - IP adr HTTP/1.1 ccmhttp - - mycmg.cloudapp.net 401 0 0 1589 3928 78

  3. The next step in troubleshooting is to open the certificate manager snap-in and check the computer store. In here your CMG certificate should show the correct certificate chain. As you can see in the illustration, the issuer of this certificate can’t be found, and as such our trust is broken.


  4. To fix the issue, copy and import your missing root certificate(s) to the Azure cloud management gateway server. The certificates are to be imported into the Intermediate Certification Authorities store. The correct way to get this done is by running the script as described in this article: https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway. If you upload the certificate manually it might be overwritten during maintenance of the virtual machine in Azure.

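As an added example (not code from the original post or from Microsoft's CMG setup script), the following PowerShell turns step 3 into a check you can run on the CMG VM after enabling remote desktop: it builds the chain for the server certificate the way IIS would and names the issuer that could not be found, so you know which certificate to import. The `$CmgFqdn` parameter and its default are assumptions based on the name used in this post.

```powershell
# Added example: verify the CMG server certificate chain on the Azure VM.
# Assumption: the CMG DNS name is passed as $CmgFqdn (default taken from the post).
param(
    [string]$CmgFqdn = 'MyCMG.CLOUDAPP.NET'
)

# Locate the server certificate issued to the CMG name in the computer's Personal store.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$CmgFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $serverCert) { throw "No certificate for $CmgFqdn found in Cert:\LocalMachine\My" }

# Build the chain with revocation checking off so the result reflects only
# which issuer certificates are present in the local stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built  = $chain.Build($serverCert)
$status = @($chain.ChainStatus | ForEach-Object { $_.Status })

"Server cert : $($serverCert.Subject)"
"Chain built : $built" + $(if ($status.Count) { " (" + ($status -join ', ') + ")" })
foreach ($element in $chain.ChainElements) { "  -> $($element.Certificate.Subject)" }

# The chain is complete only if its top element is a self-signed root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    # This is the 'issuer of this certificate could not be found' situation from step 3.
    $missingIssuer = $top.Issuer
    "Missing issuer: $missingIssuer"

    # Check whether it is at least sitting in the Intermediate Certification Authorities store.
    $inIntermediate = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $missingIssuer }
    if (-not $inIntermediate) {
        "  Not present in Cert:\LocalMachine\CA - import it via the setup script (step 4), not by hand."
    } else {
        "  Present in Cert:\LocalMachine\CA but the chain still breaks; check that its own issuer (root) is in Cert:\LocalMachine\Root."
    }
} else {
    "Chain is complete up to root: $($top.Subject)"
}
```

If the chain builds but `$status` still lists `UntrustedRoot`, the root itself is missing from the Trusted Root store, which is a separate problem from the missing Sub CA certificate this post describes.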

After that, check your ccmmessaging.log and you should see traffic flowing. Once again: VPN is not really the way forward in the world of modern device management.


Comments (8):

  1. Simon says:

    Hi Kent,
    I have an issue with my CMG and IIS showing 403.16 errors, my CMG has a trusted root certificate in the Intermediate store but the CMG server itself myservername.cloudapp.net server signing certificate is saying “The issuer of this certificate could not be found”
    What would cause this? Thank you for your help

  2. Scott says:

    Hello Kent,

    I did what you have detailed here but am still seeing “The Issuer of this certificate could not be found”. Any help on what else you may have done to solve this?

  3. Kent Agerlund says:

    You might have multiple issuing certificate servers. In that case all certs must be uploaded

  4. Scott says:

    We only have 1 cert server. Is there anything else you had to do besides running the thumbprint script to get it to show the correct path?

  5. Kent Agerlund says:

    Log into the server in Azure, open the cert MMC and verify both certs are there

  6. JJ says:

    If I add the certs through Azure – they disappear after running the script (on the SCCM database) and still show just the 1, instead of the 3 total certs. What can be causing them to disappear? I am assuming I have to add them through Azure, then also manually and ALSO run the script.

  7. JJ says:

    Do I also have to add the SubCA certs to the “CMG” portion on the SCCM server under the properties of the CMG? It currently only shows the master, should I also be adding the SubCA’s?

  8. Kent Agerlund says:

    Yes, you need the entire cert chain
