tjwsysengineer
New Member
Has anyone utilized the Azure AD authentication option for installation of the Configuration Manager client? I don't have a public cert, so I don't think my internal CA PKI solution will work for off-premises devices that have never and maybe will never be on-prem to receive the cert through domain GPO and then trust it.
I've read that Azure AD authentication can be used as a solution to install the Config Mgr client for AAD joined devices, which the off-premises devices are.
"To install the Configuration Manager client on Windows devices using Azure Active Directory (Azure AD) authentication, integrate Configuration Manager with Azure AD. Clients can be on the intranet communicating directly with an HTTPS-enabled management point or any management point in a site enabled for Enhanced HTTP. They can also be internet-based communicating through the CMG or with an Internet-based management point. This process uses Azure AD to authenticate clients to the Configuration Manager site. Azure AD replaces the need to configure and use client authentication certificates."
<![LOG[Failed (0x80070057) to send location request to 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. StatusCode 200, StatusText '']LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="ccmhttplib.cpp:324">
<![LOG[Failed to send location message to 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. Status text '']LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="siteinfo.cpp:153">
<![LOG[GetDPLocations failed with error 0x80070057]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="siteinfo.cpp:614">
<![LOG[Failed to get DP locations as the expected version from MP 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. Error 0x80070057]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="2" thread="17256" file="ccmsetup.cpp:12274">
<![LOG[Cannot get client package location from CMG MP.]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="1" thread="17256" file="ccmsetup.cpp:12037">
<![LOG[Client is not installed yet. Ignore all upgrade exclusion flags.]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="1" thread="17256" file="setupenv.cpp:824">
I realized my testing omitted the S in HTTPS, which might have caused the error. Changing to HTTPS results in invalid CA errors. I thought this Azure AD Identity process worked around the need for certificates in the CMG configuration.
LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:57">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:58">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:59">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x8
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:60">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:76">
Install the client with Azure AD - Configuration Manager
Install and assign the Configuration Manager client on Windows devices using Azure Active Directory for authentication
learn.microsoft.com
Co-manage internet-based devices - Configuration Manager
Learn how to prepare your Windows internet-based devices for co-management.
learn.microsoft.com
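Added example, not part of the original post: a small parser for the ccmsetup.log record format shown above that decodes the `*lpvStatusInformation` value WinHTTP reports with `WINHTTP_CALLBACK_STATUS_SECURE_FAILURE`. The flag values are the `WINHTTP_CALLBACK_STATUS_FLAG_*` constants from winhttp.h; the function names are illustrative and the third sample record is constructed.

```python
import re
# Secure-failure bits from winhttp.h (WINHTTP_CALLBACK_STATUS_FLAG_*).
FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}
# One record: <![LOG[message]LOG]!><time="..." date="..." ... thread="..." file="...">
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
STATUS = re.compile(r'\*lpvStatusInformation is (0x[0-9A-Fa-f]+)')

def parse_records(text):
    """Split log text into dicts; messages may span lines, orphan fragments are skipped."""
    records = []
    for m in RECORD.finditer(text):
        rec = dict(ATTR.findall(m.group("attrs")))
        rec["msg"] = m.group("msg").strip()
        records.append(rec)
    return records

def decode_secure_failure(value):
    """Names of every flag bit set in a WinHTTP secure-failure status value."""
    return [name for bit, name in FLAGS.items() if value & bit]

def tls_failures(text):
    """(thread, time, [flags]) for each record carrying *lpvStatusInformation."""
    out = []
    for rec in parse_records(text):
        hit = STATUS.search(rec["msg"])
        if hit:
            flags = decode_secure_failure(int(hit.group(1), 16))
            out.append((rec.get("thread"), rec.get("time"), flags))
    return out

# First two records are from the post; the third is constructed (two bits set).
SAMPLE = r'''<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:58">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x8
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:60">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x28
]LOG]!><time="09:00:00.000+240" date="01-01-2024" component="ccmsetup" context="" type="3" thread="4242" file="ccmhttperror.cpp:60">'''

if __name__ == "__main__":
    print(tls_failures(SAMPLE))
```

The value 0x8 from the post decodes to `INVALID_CA` only, matching the flag line ccmsetup logs next: the chain presented by the server endpoint does not end in a root the client trusts.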