Forums on Intune, SCCM, and Windows 11


PENDING VMSS CMG with PKI Setup Partially Working. Help needed

SPearson79

We've been setting up a new CMG (we have / had a "Classic" one but that appears to finally have stopped working) and, following the Microsoft guidance, it's up and working (partially) but there are still issues we need to get fixed.

Our clients are hybrid-joined (AD / AAD) and appear to be connecting to the new CMG and reporting that they're online and requesting policy so, from that point-of-view, everything looks great but when trying to pull any package data down it just can't find anything and it fails (I've uploaded one test package to the new DP and it claims to have distributed OK but the clients just won't pull it down).
[screenshot: client log showing the package lookup failing]

Using the "Connection analyzer" it seems to connect fine using an Azure user account...
[screenshot: Connection analyzer result with Azure user account]

... but fails when trying to connect with an exported client cert (which I also THINK I've exported correctly).
[screenshot: Connection analyzer result with exported client cert]

So, based on that, I strongly believe that the issue is down to the PKI certificate for the CMG not being quite right and the problem SHOULD be an easy fix (for someone), but I can't find any documentation about EXACTLY how to set up the PKI cert for the CMG. It feels like I've done it as per any information I can find, but it's clearly not working.

In the CMG Server cert the CN in the "Subject" and DNS name in the SAN fields match the Azure Service name. The trusted root and intermediate certs have been exported and uploaded and verified that the thumbprints match...

[screenshots: CMG server cert Subject/SAN and the uploaded root/intermediate cert thumbprints]
As per the information here...

You should be able to check the cert presented by browsing to...
https://<CMGFQDN>/CCM_Proxy_MutualAuth/ServiceMetadata

But I get the following...
[screenshot: error returned by the ServiceMetadata URL]

I'm struggling with this with the CMG being an appliance that we have no access to and there's not a lot in the way of server logs to look at.

Any help / pointers would be appreciated.

Thanks in advance...
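For anyone checking a CMG server cert the way the post describes (Subject CN and SAN DNS name covering the CMG FQDN, chain thumbprints matching the uploaded root/intermediate), here is an added PowerShell script, not from the original post or from Microsoft, that pulls the certificate the CMG presents on port 443 and reports those checks. It assumes network reach to the CMG and uses a placeholder FQDN (`cmg-placeholder.cloudapp.net`) that you replace with your own.

```powershell
# Added example (not from the original post): fetch the TLS cert the CMG presents and
# check CN / SAN coverage of the FQDN plus whether the chain builds to a trusted root.
param([string]$CmgFqdn = 'cmg-placeholder.cloudapp.net')   # placeholder, replace with yours

function Test-NameMatch([string]$Name, [string]$Fqdn) {
    if ($Name -ieq $Fqdn) { return $true }
    # single-label wildcard, e.g. *.cloudapp.net covers foo.cloudapp.net but not a.b.cloudapp.net
    if ($Name.StartsWith('*.')) {
        return ($Fqdn -ilike "*$($Name.Substring(1))") -and
               ($Fqdn.Split('.').Count -eq $Name.Split('.').Count)
    }
    return $false
}

# Raw TLS handshake with no client cert; the server cert is sent regardless. The
# accept-all callback only applies to this inspection connection, we validate below.
$tcp = New-Object System.Net.Sockets.TcpClient($CmgFqdn, 443)
$ssl = $null
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($CmgFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# SAN extension (OID 2.5.29.17); Format($true) yields one "DNS Name=..." line per entry
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanDns = @()
if ($sanExt) {
    $sanDns = @($sanExt.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^\s*DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Build the chain with the local trust store; revocation is a separate check, skipped here
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$chainText = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    SanDnsNames      = $sanDns -join ', '
    CnMatchesFqdn    = Test-NameMatch $cn $CmgFqdn
    SanCoversFqdn    = [bool]($sanDns | Where-Object { Test-NameMatch $_ $CmgFqdn })
    ChainBuilds      = $chainOk
    ChainStatus      = $chainText
    ChainThumbprints = ($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -join ' > '
}
```

Compare ChainThumbprints with the root and intermediate thumbprints uploaded to the CMG; a SanCoversFqdn of False or a ChainBuilds of False points at the cert rather than the client side.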