Cloud Management Gateway with Sub CA

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home in the future. The feature is a System Center Configuration Manager 1610 pre-release feature. Being a pre-release typically means that a little troubleshooting is required to get the feature working in different environments. In my previous blog post I described an issue with the software update scan failing. The troubleshooting steps used in this blog post are similar to what I described there.

In this environment we have a PKI with a Sub CA, and somehow the certificate chain was broken as part of the certificate upload (and yes, there is a script that describes how to upload the cert).

Client errors

In this example the error message in ccmmessaging.log (on the Internet client) was:

Post to https://MyCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request failed with 0x87d00231.

A couple of things to check when this happens:

  1. From a client, open IE and see if you can browse to https://MyCMG.CLOUDAPP.NET. If you get an error like 403, something is broken and you need to dig into the IIS log files on the Azure box.


  2. Enable Remote Desktop on the Cloud Management Gateway VM and open the IIS log files to investigate further. In this example the log file had several lines like the one below. This error indicates

    2017-03-14 09:15:47 W3SVC1273337584 RD00155D81000 IPadr CCM_POST /CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request - 443 - IP adr HTTP/1.1 ccmhttp - - mycmg.cloudapp.net 401 0 0 1589 3928 78

  3. The next step in troubleshooting is to open the certificate manager snap-in and check the computer certificate store. In here your CMG certificate should chain up through the correct certificate chain. As you can see in the illustration, the issuer of this certificate can't be found, and as such our trust is broken.


  4. To fix the issue, copy and import your missing root and Sub CA certificate(s) to the Azure Cloud Management Gateway server. The certificates are to be imported into the Intermediate Certification Authorities store. The correct way to get this done is by running the script as described in this blog post: https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway. If you upload the certificate manually it might be overwritten during maintenance of the virtual machine in Azure.

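As an added check (not part of the original post, and not the Microsoft CMG upload script), the following PowerShell run on the CMG VM builds the chain for the CMG server certificate and reports which issuer is missing from the machine stores. It assumes the server certificate sits in LocalMachine\My and that its subject contains the CMG name; MyCMG.CLOUDAPP.NET is a placeholder taken from the post.

```powershell
# Added example: verify the CMG server certificate chain on the CMG VM.
# Assumption: the CMG cert is in Cert:\LocalMachine\My and its subject contains $SubjectMatch.
param(
    [string]$SubjectMatch = 'MyCMG.CLOUDAPP.NET'   # placeholder name from the post
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' found in Cert:\LocalMachine\My" }

# Build the chain the same way Windows does for schannel, but skip revocation so an
# offline CRL does not mask the trust problem we are actually looking for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

"Certificate : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Chain valid : $chainOk"

# Print each element; the element that carries a status is where trust breaks.
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    '  {0} [{1}]' -f $element.Certificate.Subject, $status
}

if (-not $chainOk) {
    # PartialChain / UntrustedRoot here means a Sub CA or root cert is absent from the stores.
    $chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation)" }

    # Is the immediate issuer (the Sub CA) present in Intermediate Certification Authorities?
    $issuerInCA = Get-ChildItem -Path Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $cert.Issuer }
    if (-not $issuerInCA) {
        "Issuer '$($cert.Issuer)' is NOT in Cert:\LocalMachine\CA - import it with the CMG script (step 4)."
    }
}
```

Run it before and after step 4: a broken chain shows PartialChain on the leaf, and after the script has imported the Sub CA and root the chain should build with every element reporting OK.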

After that, check your ccmmessaging.log and you should see traffic flowing once again. VPN is not really the way forward in the world of modern device management.
