Cloud Management Gateway Issue

  • Question

  • Hello All,

We have a CMG setup which is working for clients that are domain joined and already have a PKI certificate. I verified its functionality by forcing my machine to be on the internet and downloading and installing software without having a direct connection to our on-prem DPs.

    We are just in the process of bringing devices into Azure. These devices are Azure AD joined only. We are configuring these devices with Autopilot through Intune. I have the SCCM client installing onto these devices through Intune app deployment. I am getting several errors regarding not being able to authenticate to the CMG with the Azure AD account.

    Azure AD User Discovery is enabled in SCCM and functioning.

    I've run the Connection Analyzer and everything passes.

    The one thing I am unsure about is: do I have to have a certificate issued from a public certification authority for this setup to work? We currently have the certificate issued from our internal CA. Below are a few of the error and warning messages in the ADALOperationProvider.log file. There is an error below regarding contacting a domain controller; I'm not understanding why it would be trying to do that.

    Unable to obtain AAD token with WAM. Error Details: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

    Failed to retrieve AAD token. Error Details: A generic error occurred while acquiring user token. Error: System.AggregateException: One or more errors occurred. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: get_user_name_failed: Failed to get user name ---> System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done

    Failed to retrieve AAD token. Error Details: A generic error occurred while acquiring user token. Error: System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later

    Thank you!

    Wednesday, September 18, 2019 5:01 PM

Answers

  • I was able to figure this out. I had used the wrong Application ID in the install command line. 
    • Marked as answer by zonum6 Thursday, September 19, 2019 3:23 PM
    Thursday, September 19, 2019 3:23 PM
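Two checks that follow from this thread, as an added example (not code from the thread or from Microsoft): the first parses ADALOperationProvider.log (ConfigMgr's `<![LOG[...]LOG]!>` line format) and maps the three error messages quoted in the question to a likely cause; the second parses the ccmsetup command line that Intune pushes and checks its AAD arguments, since the accepted answer was a wrong Application ID. The log lines, command line and GUIDs are constructed placeholders; the hint for the domain-controller message is this example's interpretation, which the thread itself does not give.

```powershell
# Added example, not from the thread. Constructed sample data throughout.

$TriageRules = @(
    @{ Pattern = 'AADSTS7000218'
       Hint    = 'Token requested with a confidential-client app ID. Check that AADCLIENTAPPID in the install command line is the CMG client (native) app registration, not the server app; the thread was resolved by fixing a wrong Application ID.' }
    @{ Pattern = 'get_user_name_failed|No mapping between account names and security IDs'
       Hint    = 'Signed-in user could not be resolved. Confirm Azure AD User Discovery has discovered this user (and on-prem AD User Discovery too if users are synced).' }
    @{ Pattern = 'cannot contact a domain controller'
       Hint    = 'Interpretation: Windows-auth fallback after the 401, which cannot succeed on an off-prem Azure AD-joined device. Fix the token errors first, then re-check.' }
)

function Get-CmgLogFindings {
    param([string]$LogText)
    # Each entry is the message followed by attributes; type="3" marks an error.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($m in [regex]::Matches($LogText, $pattern, 'Singleline')) {
        if ($m.Groups['type'].Value -ne '3') { continue }
        $msg  = $m.Groups['msg'].Value
        $rule = $TriageRules | Where-Object { $msg -match $_.Pattern } | Select-Object -First 1
        $hint = if ($rule) { $rule.Hint } else { 'No rule matched; read the full message.' }
        [pscustomobject]@{
            When    = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Message = $msg.Substring(0, [Math]::Min(70, $msg.Length))
            Hint    = $hint
        }
    }
}

function Test-CcmSetupAadArgs {
    param([string]$CommandLine, [string]$ExpectedClientAppId, [string]$ServerAppId)
    $kv = @{}
    # ccmsetup properties are NAME=value tokens; values may be quoted.
    foreach ($m in [regex]::Matches($CommandLine, '(?<k>[A-Za-z]+)=(?<v>"[^"]*"|\S+)')) {
        $kv[$m.Groups['k'].Value.ToUpperInvariant()] = $m.Groups['v'].Value.Trim('"')
    }
    $problems = @()
    foreach ($name in 'AADTENANTID', 'AADCLIENTAPPID', 'AADRESOURCEURI') {
        if (-not $kv.ContainsKey($name)) { $problems += "Missing $name" }
    }
    $clientId = $kv['AADCLIENTAPPID']
    if ($clientId -and $clientId -ieq $ServerAppId) {
        $problems += 'AADCLIENTAPPID is the CMG server app ID; use the client (native) app ID'
    } elseif ($clientId -and $clientId -ine $ExpectedClientAppId) {
        $problems += 'AADCLIENTAPPID does not match the expected client app ID'
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Args = $kv }
}

# --- Constructed sample input (placeholders, not real values) ---
$SampleLog = @'
<![LOG[Unable to obtain AAD token with WAM. Error Details: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.]LOG]!><time="17:01:05.101+000" date="09-18-2019" component="ADALOperationProvider" context="" type="3" thread="4120" file="adaloperationprovider.cpp:100">
<![LOG[Failed to retrieve AAD token. Error Details: AdalException: get_user_name_failed: Failed to get user name ---> No mapping between account names and security IDs was done]LOG]!><time="17:01:06.220+000" date="09-18-2019" component="ADALOperationProvider" context="" type="3" thread="4120" file="adaloperationprovider.cpp:120">
<![LOG[Failed to retrieve AAD token. Error Details: (401) Unauthorized. ---> The system cannot contact a domain controller to service the authentication request.]LOG]!><time="17:01:07.330+000" date="09-18-2019" component="ADALOperationProvider" context="" type="3" thread="4120" file="adaloperationprovider.cpp:140">
<![LOG[Constructed informational line, skipped by the triage]LOG]!><time="17:05:00.000+000" date="09-18-2019" component="ADALOperationProvider" context="" type="1" thread="4120" file="adaloperationprovider.cpp:160">
'@
$ClientAppId = '11111111-1111-1111-1111-111111111111'   # placeholder: CMG client app
$ServerAppId = '22222222-2222-2222-2222-222222222222'   # placeholder: CMG server app
# Wrong on purpose: the server app ID was pasted into AADCLIENTAPPID, as in the thread.
$SampleCmd = "ccmsetup.exe /mp:https://CMG-PLACEHOLDER.cloudapp.net/CCM_Proxy_MutualAuth/72057594037927936 CCMHOSTNAME=CMG-PLACEHOLDER.cloudapp.net/CCM_Proxy_MutualAuth/72057594037927936 SMSSiteCode=PS1 AADTENANTID=33333333-3333-3333-3333-333333333333 AADCLIENTAPPID=$ServerAppId AADRESOURCEURI=https://ConfigMgrService"

Get-CmgLogFindings -LogText $SampleLog | Format-Table -Wrap
Test-CcmSetupAadArgs -CommandLine $SampleCmd -ExpectedClientAppId $ClientAppId -ServerAppId $ServerAppId |
    Select-Object Ok, Problems | Format-List
```

To run it against a real device, replace `$SampleLog` with `Get-Content "$env:windir\CCM\Logs\ADALOperationProvider.log" -Raw` and `$SampleCmd` with the command line from your Intune Win32 app, and fill in the two app IDs from the Azure AD app registrations the CMG was configured with.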

All replies

  • Do I have to have a certificate issued from a public certification authority for this setup to work?

    No, however, you must upload the certs from your root and any intermediate/issuing CAs to Azure via the CMG connector. 

The errors above are unrelated to your cert to my knowledge.

    "Failed to get user name" is the key message above that stands out to me. Are you sure the user on the system has been discovered?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, September 18, 2019 6:18 PM
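The point above about uploading the root and intermediate CA certificates applies when the CMG certificate comes from an internal CA. As an added example (not code from the thread or its author), this script finds the CMG server-authentication certificate in the local machine store, walks its chain and writes each CA certificate above the leaf to a DER-encoded .cer file, which is the form the CMG connector accepts for upload. The subject filter and output folder are assumptions; substitute your own.

```powershell
# Added example, not from the thread. Subject filter and output folder are assumed.

function Export-CmgCaChain {
    param(
        [string]$SubjectFilter = 'CN=cmg.contoso.com',      # assumed CMG cert subject
        [string]$OutDir        = "$env:TEMP\cmg-ca-chain"   # assumed output folder
    )

    # Pick the newest matching cert that has a private key (the one the CMG uses).
    $leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectFilter*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) { throw "No certificate matching '$SubjectFilter' with a private key was found." }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain path is needed here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    try {
        if (-not $chain.Build($leaf)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            Write-Warning "Chain did not validate cleanly: $status"
        }

        New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
        $exported = @()
        # Element 0 is the leaf itself; every element after it is a CA in the path.
        for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
            $ca   = $chain.ChainElements[$i].Certificate
            $role = if ($ca.Subject -eq $ca.Issuer) { 'root' } else { 'intermediate' }
            $cn   = (($ca.Subject -replace '^CN=', '') -split ',')[0] -replace '[^\w\.-]', '_'
            $path = Join-Path $OutDir ("{0}-{1}.cer" -f $role, $cn)
            $der  = $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            [System.IO.File]::WriteAllBytes($path, $der)
            $exported += [pscustomobject]@{
                Role = $role; Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; File = $path
            }
        }
        return $exported
    }
    finally {
        $chain.Reset()
    }
}

Export-CmgCaChain | Format-Table -AutoSize
```

Run it on the CMG connection point (or any machine holding the CMG server-authentication certificate and its private key); the listed thumbprints should match the root and intermediate entries you then add under the CMG's certificate settings in the console.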
  • Are these Azure AD joined devices cloud only users, or synced from on-prem? If they are synced, both on-prem AD User Discovery and Azure AD Discovery need to be enabled.
    Wednesday, September 18, 2019 8:55 PM