SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s