CM 1810 - Hybrid joined clients not connecting to CMG with PKI error

  • Question

  • I'm attempting to stand up a cloud management gateway in our test environment, but I'm running into some issues with (what I believe) are certificates.

    To start off, I'm running 1810. I've enabled the "use configuration manager-generated certificates for HTTP site systems" option and I've got the CMG up and running. From what I can tell, everything is working as it should in Azure and here in our test environment. All checks return green when I run the connection analyzer, and from what I can tell the ProxyService and Cloud_proxyconnector logs are clean. No errors that I can see.

    My clients are hybrid joined to AD and our Azure tenant, and all of my test computers are showing no issues with the hybrid join side of things.

    This is where things go off the rails. When I set the ClientAlwaysOnInternet to 1 in the registry for testing, I can see where the client is attempting to hit the CMG (which is good), but seems to fail with an error "Failed to get client certificate for transportation. Error 0x87d00281" and the proceeding error is CCM_E_NO_CLIENT_PKI_CERT.

    We don't have a PKI setup because it's my understanding that if a computer is hybrid joined we don't need one. Is this correct? If so, can anyone advise on where I should start looking to troubleshoot? I've been digging around and searching online for a few days now with no luck. I even RDP'd to the CMG itself but I didn't find anything of value there. Thanks.

    Thursday, January 10, 2019 5:00 PM

Answers

  • I finally figured it out, and it was one of those stupid things. My test machines were still running build 1607. Not sure how they made it past my sweep to 1803 but that seems to have been the issue. Once I upgraded the client to 1803 everything started working as it should.


    • Marked as answer by Bryce17 Thursday, January 17, 2019 4:10 AM
    Thursday, January 17, 2019 4:10 AM
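    The checks the thread walks through (OS build of the test machine, the ClientAlwaysOnInternet test setting, and the two error codes quoted from ccmmessaging.log) can be gathered in one read-only pass. The script below is an added example, not something posted in this thread or shipped by Configuration Manager. It assumes the default client log folder (C:\Windows\CCM\Logs) and the HKLM:\SOFTWARE\Microsoft\CCM\Security key for ClientAlwaysOnInternet, and it treats 1803 as the comparison point only because that is the build that worked for the poster, not as a documented minimum. The sample log lines are constructed to mirror the messages quoted above.

```powershell
# Added example (not from the thread): read-only triage of the client-side symptoms discussed above.
# Assumptions: default CM client log path and registry key below; 1803 is used as the comparison
# build because it is the build that worked in this thread, not a documented minimum.

$CcmLogPath = 'C:\Windows\CCM\Logs'                     # assumption: default client log location
$CcmRegKey  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'   # assumption: key holding ClientAlwaysOnInternet

# Error codes quoted in the thread, with the meaning the posts attached to each.
$KnownErrors = @{
    '0x87d00281' = 'CCM_E_NO_CLIENT_PKI_CERT: no client PKI certificate for transport'
    '0x87d00215' = 'Failed to get CCM access token (Azure AD token auth required)'
}

function Get-CcmClientBuild {
    # Windows 10 release ID (e.g. 1607, 1803) as the thread refers to it.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ReleaseId     = $cv.ReleaseId
        Build         = $cv.CurrentBuildNumber
        OlderThan1803 = ([int]$cv.ReleaseId -lt 1803)   # 1803 = build that worked in the thread
    }
}

function Get-ClientAlwaysOnInternet {
    # 1 forces the client to behave as internet-only (the test setting used in the question).
    $v = Get-ItemProperty -Path $CcmRegKey -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set' }
    return $v.ClientAlwaysOnInternet
}

function Find-CcmTokenErrors {
    param(
        [string[]]$Lines,                       # raw CM log lines, e.g. from Get-Content
        [string]$LogName = 'ccmmessaging.log'
    )
    foreach ($line in $Lines) {
        foreach ($code in $KnownErrors.Keys) {
            if ($line -match [regex]::Escape($code)) {
                [pscustomobject]@{
                    Log     = $LogName
                    Code    = $code
                    Meaning = $KnownErrors[$code]
                    # Strip the <![LOG[ ... ]LOG]!><time=...> wrapper to leave the message text.
                    Message = ($line -replace '<!\[LOG\[|\]LOG\]!>.*$', '').Trim()
                }
            }
        }
    }
}

# Constructed sample lines in the CM log format, mirroring the messages quoted in the thread.
$SampleLog = @(
    '<![LOG[Failed to get client certificate for transportation. Error 0x87d00281]LOG]!><time="10:00:01.000+000" date="01-10-2019" component="CcmMessaging" context="" type="3" thread="1234" file="ccmhttp.cpp:100">'
    '<![LOG[Failed to get CCM access token and client doesn''t have PKI issued cert to use SSL. Error 0x87d00215]LOG]!><time="10:00:02.000+000" date="01-11-2019" component="CcmMessaging" context="" type="3" thread="1234" file="ccmhttp.cpp:120">'
    '<![LOG[Message sent successfully.]LOG]!><time="10:00:03.000+000" date="01-11-2019" component="CcmMessaging" context="" type="1" thread="1234" file="ccmhttp.cpp:130">'
)

"Client build:";              Get-CcmClientBuild | Format-List
"ClientAlwaysOnInternet: $(Get-ClientAlwaysOnInternet)"

"Matches in constructed sample:"
Find-CcmTokenErrors -Lines $SampleLog | Format-Table -AutoSize

# Then the real log, if this runs on a CM client (last 500 lines is usually enough for a repro).
$realLog = Join-Path $CcmLogPath 'ccmmessaging.log'
if (Test-Path $realLog) {
    "Matches in $realLog:"
    Find-CcmTokenErrors -Lines (Get-Content $realLog -Tail 500) | Format-Table -AutoSize
}
```

    Against the constructed sample the script reports the two quoted errors and ignores the success line; on a live client it adds the build and the registry setting so the three things this thread ended up checking are visible in one place.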

All replies

  • Have you configured Azure AD user discovery and on-prem active directory user discovery?

    Is that error in ccmmessaging.log on the client? 
    What is in CCM_STS.log on your management point?

    Friday, January 11, 2019 4:21 AM
  • Yes, but I did some digging and found out that the Azure Apps didn't have the correct permissions to read from Azure AD. Once that was corrected I ran a full sync that completed successfully, but still no luck with the clients. I ran full syncs for the SCCM and Azure discoveries again but still no luck.

    ccmmessaging has "Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x87d00215"

    CCM_STS looks clean. Just a lot of Created and issued SCCM Token messages. No errors and it's actually pretty small. Less than 10 events a day.

    Friday, January 11, 2019 8:17 PM
  • Can you see any info in ADALOperationProvider.log on the client?

    So the user that's logged in has been discovered by on-prem user discovery and also Azure AD user discovery? I had almost the same error where on-prem and Azure AD user discovery fixed it https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/
    Friday, January 11, 2019 10:49 PM
  • Sunday, January 13, 2019 10:28 AM
  • Actually that's the article that pointed me in the direction of my initial azure ad discovery issue. The error wasn't exactly the same, but it was similar enough to point me in the direction of my azure ad discovery sync. Sure enough, a full sync hadn't run and I found some permission related errors in the sync log.

    Now that I got that up and running my cloud management dashboard looks better. I've got numbers for both azure ad users and on-prem users.

    I verified the user I'm logged in with has been discovered by on-prem and azure AD user discovery, and my test clients are recognized in SCCM as hybrid azure ad clients.

    I actually think I've got something else going on, possibly unrelated to the CMG but affecting it. When I flip my clients back to intranet mode, there is an error in the ccmmessaging log that isn't present on clients in my production environment. The error is "Failed to get CCM access token while token auth is required. Error 0x87d00215". Again, we're not using PKI (this site is HTTP) and all MPs are configured for HTTP, so I'm not sure where this error is coming from. I even tried a fresh client install on a new build and got the same error, so I know it's the site. I may have to figure this out first unless someone else says it's unrelated.
    Monday, January 14, 2019 3:21 AM