SPearson79
Member
We've been setting up a new CMG (we have / had a "Classic" one but that appears to finally have stopped working) and, following the Microsoft guidance, it's up and working (partially) but there are still issues we need to get fixed.
Our clients are hybrid-joined (AD / AAD) and appear to be connecting to the new CMG and reporting that they're online and requesting policy so, from that point-of-view, everything looks great but when trying to pull any package data down it just can't find anything and it fails (I've uploaded one test package to the new DP and it claims to have distributed OK but the clients just won't pull it down).

Using the "Connection analyzer" it seems to connect fine using an Azure user account...

... but fails when trying to connect with an exported client cert (which I also THINK I've exported correctly).

So, based on that, I strongly believe that the issue is down to the PKI certificate for the CMG not being quite right and the problem SHOULD be an easy fix (for someone) but I can't find any documentation about EXACTLY how to set up the PKI cert for the CMG. It feels like I've done it as per any information I can find but it's clearly not working.
In the CMG Server cert the CN in the "Subject" and DNS name in the SAN fields match the Azure Service name. The trusted root and intermediate certs have been exported and uploaded and verified that the thumbprints match...


As per the information here...

Configuration Manager Clients Can't Communicate with CMG - Configuration Manager
Provides details about log files and solutions to common issues when Configuration Manager clients can't communicate with CMG.
learn.microsoft.com
You should be able to check the cert presented by browsing to...
https://<CMGFQDN>/CCM_Proxy_MutualAuth/ServiceMetadata
But I get the following...

I'm struggling with this with the CMG being an appliance that we have no access to and there's not a lot in the way of server logs to look at.
Any help / pointers would be appreciated.
Thanks in advance...
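A check for the points the post verifies by hand (Subject CN / SAN DNS name matching the CMG service name, and the root thumbprint matching the one uploaded to the CMG), written here as an added example that is not from the original post or from Microsoft's documentation; it captures the certificate the CMG presents on port 443 from a client machine. `$CmgFqdn` and `$ExpectedRootThumbprint` are assumed parameters you supply.

```powershell
# Added example: capture the server certificate a CMG presents on 443 and check
# CN/SAN against the service name and the chain root against the uploaded root.
# Assumptions: $CmgFqdn is the CMG service name; $ExpectedRootThumbprint is the
# thumbprint of the trusted root certificate that was uploaded to the CMG.
param(
    [Parameter(Mandatory)] [string] $CmgFqdn,
    [Parameter(Mandatory)] [string] $ExpectedRootThumbprint
)
$seen = @{}
# The callback records what the server sent and returns $true so a chain error
# does not abort the handshake before we can look at the certificate ourselves.
$validator = [System.Net.Security.RemoteCertificateValidationCallback]({
    param($sender, $cert, $chain, $errors)
    if ($cert) {
        $seen.Cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.Export('Cert'))
        $seen.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    }
    $seen.Errors = $errors
    return $true
}.GetNewClosure())

$tcp = [System.Net.Sockets.TcpClient]::new($CmgFqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validator)
try {
    # Sends SNI = $CmgFqdn, the same name the ConfigMgr client connects with
    $ssl.AuthenticateAsClient($CmgFqdn)
} catch {
    # A handshake the server rejects (e.g. because it wants a client cert) has
    # already run the callback, so the server cert is still in $seen.
    Write-Warning "Handshake did not complete: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
if (-not $seen.Cert) { throw "No server certificate was presented by $CmgFqdn" }

$cn  = if ($seen.Cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
$san = $seen.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dns = if ($san) { [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                   ForEach-Object { $_.Groups[1].Value } } else { @() }
$root = $seen.Chain[-1]
[pscustomobject]@{
    SubjectCN           = $cn
    SanDnsNames         = ($dns -join ', ')
    NameMatchesFqdn     = ($cn -ieq $CmgFqdn) -or ($dns -contains $CmgFqdn)
    NotAfter            = $seen.Cert.NotAfter
    CertsInChain        = $seen.Chain.Count
    RootThumbprint      = $root.Thumbprint
    RootMatchesUploaded = ($root.Thumbprint -ieq ($ExpectedRootThumbprint -replace '[\s:]', ''))
    SslPolicyErrors     = $seen.Errors
}
```

Save it as a .ps1 and run it from a client that can reach the CMG. The chain handed to the callback is built on the local machine, so an intermediate missing on the CMG side can be masked by a copy already in the local store; a machine that has never had the intermediate installed shows what the CMG alone sends.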