403 Error CMGConnector_Clientcertificaterequired error with Cloud Management Gateway

    Question

  • Hello,

    I just set up a new CMG. When I check the LocationServices log on a client I see a 403 Error CMGConnector_Clientcertificaterequired error. I checked that the client has a proper SCCM Client authentication certificate. Has anyone else had this issue?

    Thanks,

    Jason

    Thursday, October 25, 2018 6:01 PM

Answers

  • Well after many months with MS SCCM Support and no results, I think I finally nailed it!!!  

    What I found is that even though we set Certificate Revocation check to False on both the CMG and Site Server PKI, we still had the issue on the CMG Connection Point.

    What I found was a lovely registry key ClientCertSelectionNoCRLCheck at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR

    Set this value to 1 then restart Cloud Proxy Connector or your entire SCCM.  This issue should now be resolved.  I have asked MS SCCM Support to analyze these changes and why they are not documented.

    There is also a VerboseLogging key in this same location to enhance the logging from the CMG Connection point if you're still having issues.

    -Jason






    • Marked as answer by JasonLev1 Saturday, January 12, 2019 10:43 AM
    • Edited by JasonLev1 Saturday, January 12, 2019 10:57 AM
    Saturday, January 12, 2019 10:43 AM
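The registry change from the accepted answer, scripted as an added example (this is not code from the thread, from Microsoft, or from the poster): it records the value before and after the change, sets VerboseLogging too, and restarts the service that hosts the connector. The assumptions are that the SMS_CLOUD_PROXYCONNECTOR component runs inside the SMS_EXECUTIVE service on the CMG connection point server, which is the usual hosting model, and that VerboseLogging is a DWORD like ClientCertSelectionNoCRLCheck; neither is stated in the thread.

```powershell
# Added example, not from the thread: apply the workaround from the accepted
# answer on the CMG connection point server and restart the connector.
# Assumptions (not stated in the thread): the connector component runs inside
# the SMS_EXECUTIVE service, so restarting that service is the "restart Cloud
# Proxy Connector" step; VerboseLogging is a DWORD like
# ClientCertSelectionNoCRLCheck. Run from an elevated PowerShell session.

$ConnectorKey = 'HKLM:\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR'

function Get-ConnectorSetting {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $ConnectorKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the connector uses its default
    return [int]$item.$Name
}

function Set-ConnectorSetting {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $ConnectorKey)) {
        throw "$ConnectorKey not found; is the CMG connection point role installed here?"
    }
    $before = Get-ConnectorSetting -Name $Name
    $beforeText = if ($null -eq $before) { '<absent>' } else { $before }
    # -Force overwrites an existing value; DWord is the type a 0/1 flag is stored as.
    New-ItemProperty -Path $ConnectorKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Host ("{0}: {1} -> {2}" -f $Name, $beforeText, $Value)
}

# 1. The setting the accepted answer found: skip the CRL check when the
#    connection point selects its client authentication certificate.
Set-ConnectorSetting -Name 'ClientCertSelectionNoCRLCheck' -Value 1

# 2. Optional while troubleshooting: more detail in SMS_Cloud_ProxyConnector.log.
Set-ConnectorSetting -Name 'VerboseLogging' -Value 1

# 3. Restart the hosting service so the connector picks up the change
#    (the answer says to restart the connector or all of SCCM).
Restart-Service -Name SMS_EXECUTIVE -Force
Write-Host 'Now watch SMS_Cloud_ProxyConnector.log and re-run the CMG Connection Analyzer with the client cert.'
```

Caveat for anyone copying this: with ClientCertSelectionNoCRLCheck set, the connection point selects its client authentication certificate without confirming it has not been revoked. That is the same trade-off already made when revocation checking was turned off in the site and CMG properties, so it only makes sense where that decision has been taken deliberately; You-Leah's fix later in the thread (publish a CRL reachable from both inside and outside, then reissue the certs) keeps revocation checking working instead.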

All replies

  • When it's on the intranet, does it communicate OK?

    When you deployed the CMG, did you use the correct Trusted Root cert from the client?

    If you export the client certificate as PFX (and use a password) you can then use that cert in the CMG Connection Analyzer. If you run that, what errors do you get?

    Is the MP configured for CMG traffic? 

    Thursday, October 25, 2018 9:33 PM
  • Hi Jason,

    You could check these points as Nick said first.

    I don't have a CMG environment, please refer to this video and related links to confirm if there is any omission again.
    https://setupconfigmgr.com/how-to-setup-cloud-management-gateway-cmg-in-microsoft-sccm

    Best regards,

    Yuxiang


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 26, 2018 5:27 AM
  • Are your computers hybrid AD joined? Which version of SCCM CB? You don't need client certs for hybrid AD joined machines.

    BI For SCCM https://www.fatstacks.tech/home/bi | Register for a Free Demo


    • Edited by John Marcum Saturday, October 27, 2018 1:20 AM
    Saturday, October 27, 2018 1:20 AM
  • Hello Nick,

    It has been over a year and I have revisited this subject.  I have completely re-deployed the CMG.

    I still am receiving the client errors. When I try the Connection Analyzer the Azure AD user login works fine. When I try a client authentication cert I get an error at the very last step. Any ideas?

    Failed to refresh MP location. Status code is '403' and status description is 'CMGConnector_Clientcertificaterequired'.
    A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Client certificate is missed or not being selected on the CMG connection point for mutual SSL communication with the management point.

    Thursday, November 29, 2018 12:38 AM
  • I am just normal domain joined at the moment with AD Sync to Azure.
    Thursday, November 29, 2018 12:39 AM
  • Unless you have a hard requirement to use a certificate, I strongly advise using AAD auth tokens instead. It's way easier to get it working that way.


    Thursday, November 29, 2018 2:08 PM
  • Thanks, John. I will consider your advice since I have an open Support ticket with the MS SCCM group and they are not sure how to solve it at this point.

    -Jason

    Thursday, November 29, 2018 3:59 PM
  • I feel certain there's an issue with your client auth cert which they should be able to fix but try using Azure auth to see what happens. Basically in the analyzer just select Azure AD user instead of client cert and see if the analyzer completes without issue.


    Thursday, November 29, 2018 4:04 PM
  • Yes, Azure Auth works 100% fine in the analyzer.

    Thanks,

    Jason

    Thursday, November 29, 2018 5:28 PM
  • Did you create the client auth cert exactly like this:

    https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates



    Friday, November 30, 2018 2:13 AM
  • Yes. I followed https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_client2008_cm2012

    Exactly.  There really is not much to that.  They are deployed to every machine in the company.  

    Friday, November 30, 2018 3:33 PM
  • After pulling my hair out, I think I have a question.

    In SMS_CLOUD_PROXYCONNECTOR I see SCCM connecting to the CMG using an SMS self-signed certificate and not one from my CA?? How do I tell the CMG Connector role what cert to use??? This is why my client cert authentications are not passing through.

    Thanks,

    Jason

    Friday, November 30, 2018 6:53 PM
  • Does the CMG connection point have the client auth certificate?

    https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_clientauth

    Client authentication certificate:
    The CMG connection point requires this certificate to securely forward client requests to an HTTPS management point. If you're using Azure AD or Enhanced HTTP, this certificate isn't required. For more information, see Enable management point for HTTPS.
    Friday, November 30, 2018 7:27 PM
  • Yes, all my machines on the network have an SCCM Client cert issued.

    Like I mentioned previously, when the CMG Connection point connects to the CMG, it DOES NOT use the Client Auth certificate present. Instead it uses a self-signed certificate out of the SMS folder. This is what I believe is the root cause of this issue. MS has been looking for days and they have no clue at the moment.

    



    • Edited by JasonLev1 Friday, December 7, 2018 2:53 PM
    Friday, December 7, 2018 2:49 PM
  • I think this is by design. Can you send me the SMS_Cloud_ProxyConnector.log, CloudMgr.log, CMGService.log and CMGHttpHandler.log?




    • Edited by John Marcum Friday, December 7, 2018 3:32 PM
    Friday, December 7, 2018 3:27 PM
  • What do you have configured here:



    Friday, December 7, 2018 3:38 PM
  • Hi John,

    I have a self-signed cert matching the Microsoft service name. I also have added my Root and Intermediate CA certs. I have no problem sending you logs if you are willing. So far this has blocked me for a long while. MS SCCM support has no idea. Let me know your email.

    Thanks,

    Jason

    Friday, December 7, 2018 9:54 PM
  • Email me the logs. It will be Monday before I can look at them though. john marcum at outlook dot com.


    Friday, December 7, 2018 10:06 PM
  • I appreciate your time John.  I sent you some info yesterday.

    -Jason

    Tuesday, December 11, 2018 1:16 PM
  • Any luck on this? I have the same identical problem and can't trace why it's happening.

    You-Leah

    Wednesday, December 19, 2018 9:21 PM
  • No, MS Support says it is still "Researching" as of yesterday. I also have not heard anything from John above, to whom I sent a few log files.

    My next step may be to RDP to the Azure CMG and see what is going on in the IIS config and logs on that server.

    As soon as I know, I will certainly post information.

    -Jason



    • Edited by JasonLev1 Friday, December 21, 2018 12:36 PM
    Friday, December 21, 2018 12:21 PM
  • TBH... I forgot about it. Let me go see if I can find the logs you sent me. 


    Friday, December 21, 2018 2:33 PM
  • Jason,

    I don't see the logs in my inbox. Can you shoot me an email without them attached please?



    Friday, December 21, 2018 3:16 PM
  • Hi John,

    Just sent you a message from my hotmail.

    Thanks,

    Jason

    Friday, December 21, 2018 10:03 PM
  • I've turned on logging for certs on my primary/HTTPS-enabled MP, and when I run a connection analyzer I trace the messaging. As of right now I see that CRL checking is failing for the web cert that the CMG is presenting. I don't have CRL checking configured; I have it disabled in all the right places inside of SCCM, as well as in the registry.

    You-Leah

    Friday, December 21, 2018 10:30 PM
  • Got this fixed by publishing a CRL accessible externally and internally, and reissued all the certs. Everything works as designed now. Seems CRL checking is taking place even if it's disabled.

    You-Leah

    Thursday, January 10, 2019 10:18 PM
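Two of the suggestions in this thread are easy to script together: Nick's advice to export the client certificate as a password-protected PFX for the CMG Connection Analyzer, and You-Leah's finding that revocation checking happens regardless of the SCCM setting, so the CRL Distribution Points on the certificate have to be reachable. The block below is an added example, not code from the thread or from Microsoft. It finds the SCCM client authentication certificate, builds its chain with online revocation checking, fetches each CRL Distribution Point URL, and exports the PFX. It assumes the certificate is in LocalMachine\My, carries the Client Authentication EKU and has an exportable private key, and that the PFX path is arbitrary; none of that is stated in the thread.

```powershell
# Added example, not from the thread. Run on the CMG connection point (the
# host that selects the client auth cert) and, for the CDP test, also from a
# machine outside the corporate network. It finds the SCCM client
# authentication certificate, builds its chain with online revocation
# checking, fetches every CRL Distribution Point URL, and exports the cert as
# a password-protected PFX for the CMG Connection Analyzer.
# Assumptions (not from the thread): the cert is in LocalMachine\My, carries
# the Client Authentication EKU and has an exportable private key; the PFX
# path is arbitrary.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        } |
        Sort-Object NotAfter -Descending |   # newest cert wins if several were issued
        Select-Object -First 1
}

function Test-CertificateChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online + EntireChain is the strictest mode: every CRL in the chain must be fetched.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    return $ok
}

function Get-CrlDistributionPoints {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." line per distribution point.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachability {
    param([string[]]$Urls)
    $results = [ordered]@{}
    foreach ($url in $Urls) {
        if ($url -notmatch '^https?://') { $results[$url] = 'skipped (not an HTTP CDP)'; continue }
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            $results[$url] = 'HTTP {0}, {1} bytes' -f $r.StatusCode, $r.Content.Length
        } catch {
            $results[$url] = 'FAILED: ' + $_.Exception.Message
        }
    }
    return $results
}

$cert = Get-ClientAuthCertificate
if (-not $cert) { throw 'No client authentication certificate with a private key in LocalMachine\My.' }
'Using {0} (thumbprint {1}, expires {2:u})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

'Chain builds with online revocation checking: {0}' -f (Test-CertificateChain -Cert $cert)

$cdps = @(Get-CrlDistributionPoints -Cert $cert)
if ($cdps.Count -eq 0) { Write-Warning 'No CRL Distribution Point extension on this certificate.' }
foreach ($kv in (Test-CrlReachability -Urls $cdps).GetEnumerator()) { '{0} => {1}' -f $kv.Key, $kv.Value }

# Export for the CMG Connection Analyzer; the password is prompted, never hard-coded.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\cmg-client-auth.pfx" -Password $pfxPassword
```

A CDP URL that only resolves inside the corporate network will show as reachable from the connection point and FAILED from outside; that split is the situation You-Leah's externally published CRL resolves. Treat the exported PFX as a credential: it carries the private key, so delete it once the analyzer run is done.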