Monthly Archives: October 2018

SCCM 1806 CMG – Hybrid Azure AD – Failed to get CCM access token

When using the Cloud Management Gateway in SCCM Current Branch 1806, with Hybrid Azure AD clients for authentication, you may see the following errors in ccmmessaging.log on the client:

[CCMHTTP] ERROR: URL=https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80004005
Post to https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request failed with 0x87d00231.

If you then check the logs on the management point, specifically CCM_STS.log, you will see:

AAD user with ID <ID> and SID is not completely discovered
Return code: 403, Description: Un-authorized request, AAD user is not discovered

At the time of writing this post, if you are using hybrid Azure AD for authentication, you need to enable both Azure AD User Discovery and the on-premises User Discovery. You can see in the CCM_STS.log above that the Azure AD user is not discovered, which is what causes the 403 error.

Once both user discovery methods have been enabled, the client can authenticate over the CMG.

SCCM 1806 – Third Party Updates Error 13875

Recently, when adding a catalog to the third-party software update catalogs in SCCM Current Branch 1806 and trying to synchronize it, I encountered the error “Unable to create the subscription. The console failed to download <product> from <URL> because of the error code 13875. For more information, see SmsAdminUI logfile.”

The error code 13875 means “Invalid certificate signature”. To troubleshoot further, I downloaded the cab file by opening Internet Explorer and pasting in the link. Once the cab file was downloaded, I right-clicked the file, chose Properties, and opened the Digital Signatures tab:

Here my issue was that the certificate in the signature could not be verified. I clicked View Certificate to see more details.

My issue was that the server was missing some Trusted Root certificates. After these were installed, the third-party updates could be synchronized to SCCM Current Branch 1806 without issues.
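The same check can be scripted instead of clicking through the Digital Signatures tab. The following is an added example, not code from the original post: it verifies the Authenticode signature on a downloaded catalog .cab, builds the certificate chain against the local machine store, and names the root the server does not trust. The .cab path is an assumed placeholder.

```powershell
# Added example, not code from the original post. Verifies the Authenticode
# signature on a downloaded third-party update catalog .cab and reports which
# certificate in the chain this machine does not trust (the "Invalid certificate
# signature" condition that the console surfaces as error 13875).
function Test-CatalogSignature {
    param([Parameter(Mandatory)][string]$CabPath)

    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $CabPath; Status = $sig.Status; UntrustedRoot = $null; Chain = @() }
    }

    # Build the chain against this machine's certificate stores, as the console does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)

    $elements = foreach ($e in $chain.ChainElements) {
        $flags = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Thumbprint = $e.Certificate.Thumbprint
            Status     = if ($flags) { $flags } else { 'OK' }   # e.g. UntrustedRoot, PartialChain
        }
    }

    # The last element is the top of the chain; if it is not in the machine's
    # Trusted Root store, the signature cannot be verified on this server.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $top.Thumbprint
    [pscustomobject]@{
        Path          = $CabPath
        Status        = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
        UntrustedRoot = if ($trusted) { $null } else { $top.Subject }
        Chain         = $elements
    }
}

# Usage (assumed path; replace with the .cab downloaded from the catalog URL):
$result = Test-CatalogSignature -CabPath "$env:TEMP\catalog.cab"
$result | Select-Object Path, Status, UntrustedRoot | Format-List
$result.Chain | Format-Table -AutoSize
```

A Status of NotTrusted together with a non-empty UntrustedRoot identifies the root certificate that has to be present in Cert:\LocalMachine\Root before the console can verify the catalog.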
