
SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer, which helps you diagnose issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and as a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenarios of me breaking my CMG and what the Connection analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

[Screenshot: CA01]

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

[Screenshot: CA02]

Next we can see that it's checking the configuration versions to make sure they match between on-prem and Azure.

[Screenshot: CA03]

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

[Screenshot: CA04]

I have set my management point to allow CMG traffic, and the test confirms this.

[Screenshot: CA05]

The Azure AD user can authenticate against my management point without any issues.

[Screenshot: CA06]

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

[Screenshot: CA07]

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

[Screenshot: CA072]

In this Tech Preview, when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

[Screenshot: CA08]

You can see below that it has the same steps as testing authenticating as an Azure AD user.

[Screenshot: CA09]

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

[Screenshot: CA010_2]

The same as below.

[Screenshot: CA11]

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

[Screenshot: CA10]

And again, you can see that it says that the certificate is not trusted by the CMG.

[Screenshot: CA12]
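Both failure scenarios above come down to certificates: the 403 appears when the client certificate does not chain to the trusted root uploaded to the CMG, and the export option only works if the certificate carries its private key. The following PowerShell is an added example, not part of the original post or the Connection analyzer, that pre-checks a client authentication certificate before you export it: it looks for a certificate in the machine Personal store with a private key and the Client Authentication EKU, builds its chain, and compares the chain's root thumbprint with the one you expect the CMG to trust. The `$ExpectedRootThumbprint` value is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): pre-flight check of a client
# authentication certificate before exporting it for the CMG Connection analyzer.
# Assumption: the certificate lives in Cert:\LocalMachine\My, and
# $ExpectedRootThumbprint is the thumbprint of the trusted root certificate you
# uploaded to the CMG (placeholder value; replace with your own).
$ExpectedRootThumbprint = 'REPLACE_WITH_THUMBPRINT_OF_ROOT_UPLOADED_TO_CMG'

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Candidates must have a private key (needed for the export) and the client auth EKU
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
}

if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Client Authentication EKU was found.'
    return
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline chain build; revocation is left to the CMG/MP to evaluate
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)

    # Last element of the chain is the root the local machine resolved
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        ChainBuilds    = $built
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        # $false here is the condition behind the 403 "not trusted by the CMG" result
        RootMatchesCMG = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    }
}
```

Run it on the machine you intend to export the certificate from; a candidate with `ChainBuilds` true but `RootMatchesCMG` false is exactly the wrong-trusted-root case shown above, and is worth fixing on the CMG side before spending time on the analyzer output.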

Those are all the tests I have run so far. It is a good start. It seems quite a few customers have issues getting their CMG up and running, and I think it is mostly to do with certificates. Hopefully in the future the descriptions in the Connection analyzer can be improved with more details as to what could be wrong, to help customers troubleshoot further. The Cloud Management Gateway is an awesome feature.


SCCM Technical Preview 1805 – Improved secure client communications

One of the nice new features in the SCCM Technical Preview 1805 is the ability for an Azure AD joined device to communicate through the Cloud Management Gateway when the management point is configured for HTTP and not HTTPS. In the SCCM 1802 production release, the management point needs to be in HTTPS for this to work.

To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications

The post below will show how to configure an Azure AD joined Windows 10 1803 device to communicate with the CMG whilst the management point is in HTTP mode. This post assumes that you have already created the Azure services and Cloud Management Gateway, and that the MP is in HTTP mode.

The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the site properties.

[Screenshot: HTTPCMG01]

Once it has been checked, if you open up computer certificates in MMC, you will see there is a new SMS Role SSL Certificate in the personal store.

[Screenshot: HTTPCMG02]

Once the certificate has been generated, you need to update your cloud services wizard, select the tenant from Azure Active Directory Tenants and select Update Application Settings and proceed with the prompts.

[Screenshot: HTTPCMG03]

The next step is to select the new certificate on the HTTPS bindings in IIS.

[Screenshot: HTTPCMG04]

Select the SMS Role SSL Certificate and click OK.

[Screenshot: HTTPCMG05]

One of the new cool features in the Technical Preview 1805 is the Connection analyzer. You can use it to check for any issues in your Cloud Management Gateway.

[Screenshot: HTTPCMG06]

Now previously my HTTPS bindings had no certificate selected. So when I tested the Azure AD Authentication with the CMG, I got the below error.

[Screenshot: HTTPCMG07]

Once I selected the certificate in the IIS bindings the tests worked fine.

[Screenshot: HTTPCMG08]
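The error above was caused by an HTTPS binding with no certificate selected, and the fix was to bind the SMS Role SSL Certificate. The following PowerShell is an added example, not from the original post or from Configuration Manager, that verifies this state on the management point: it finds the Configuration Manager-generated certificate by its friendly name in the machine Personal store, reads the certificate hash that the IIS HTTPS binding actually serves, and reports whether they match. It assumes the WebAdministration module is available, that the MP site is "Default Web Site" (`$SiteName`), and that the friendly name shown in MMC is "SMS Role SSL Certificate"; setting `$Repair` to `$true` rebinds the certificate.

```powershell
# Added example (not from the original post): confirm the MP's IIS HTTPS binding
# uses the "SMS Role SSL Certificate" generated by enabling
# "Use Configuration Manager-generated certificates for HTTP site systems".
# Assumptions: run as administrator on the MP; $SiteName is the IIS site hosting
# the MP role; friendly name matches what MMC shows.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$Repair   = $false   # set to $true to bind the certificate if it is missing or wrong

# Newest ConfigMgr-generated site system certificate in LocalMachine\My
$smsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $smsCert) {
    Write-Warning 'No "SMS Role SSL Certificate" in LocalMachine\My; check the site property is enabled.'
    return
}

$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) {
    Write-Warning "No HTTPS binding exists on '$SiteName'."
    return
}

foreach ($binding in $bindings) {
    # certificateHash is empty when the binding exists but no certificate was
    # selected, which is the state behind the 500 errors in the Connection analyzer.
    $boundHash = $binding.certificateHash
    $matches   = ($boundHash -eq $smsCert.Thumbprint)

    [pscustomobject]@{
        Site                  = $SiteName
        BindingInformation    = $binding.bindingInformation
        BoundThumbprint       = $boundHash
        SmsRoleCertThumbprint = $smsCert.Thumbprint
        SmsRoleCertExpires    = $smsCert.NotAfter
        UsesSmsRoleCert       = $matches
    }

    if ($Repair -and -not $matches) {
        # Equivalent of picking the certificate in the IIS binding dialog
        $binding.AddSslCertificate($smsCert.Thumbprint, 'my')
        Write-Output "Bound SMS Role SSL Certificate $($smsCert.Thumbprint) to $($binding.bindingInformation)"
    }
}
```

Because the generated certificate is renewed by the site, `SmsRoleCertExpires` is worth keeping an eye on: if a newer SMS Role SSL Certificate appears in the store while the binding still points at the old thumbprint, the analyzer will start failing again in the same way.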

On a test Windows 10 1803 client which is joined to Azure Active Directory, I copied the SCCM client setup files and used the co-management command generated by the wizard (I did not enable co-management, I cancelled out of it after I got the setup switches) to install the client. I have added the /source switch to specify the source, and removed the /mp switch.
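As an added example that is not part of the original post, this is the shape of the ccmsetup command line described above, run from PowerShell with /source added and /mp omitted. Every value is a placeholder: the CCMHOSTNAME, site code, tenant ID, client app ID and resource URI come from your own co-management wizard output, and `$Source` is wherever you copied the client files. The log path is the standard ccmsetup log location.

```powershell
# Added example (not from the original post): install the ConfigMgr client on an
# Azure AD joined device through the CMG, using the parameters the co-management
# wizard generates, with /source added and /mp removed.
# All values are placeholders; take the real ones from your own wizard output.
$Source      = '\\fileserver\ConfigMgrClient'                           # copy of the client source files
$CmgHostName = 'CMGNAME.cloudapp.net/CCM_Proxy_MutualAuth/0000000000'   # CCMHOSTNAME from the wizard
$SiteCode    = 'PS1'
$TenantId    = '00000000-0000-0000-0000-000000000000'
$ClientAppId = '00000000-0000-0000-0000-000000000000'
$ResourceUri = 'https://ConfigMgrService'

$arguments = @(
    "/source:$Source"
    "CCMHOSTNAME=$CmgHostName"
    "SMSSITECODE=$SiteCode"
    "AADTENANTID=$TenantId"
    "AADCLIENTAPPID=$ClientAppId"
    "AADRESOURCEURI=$ResourceUri"
)

# ccmsetup.exe returns to the prompt quickly and continues as the ccmsetup service,
# so the real progress and result are in the log, not the process exit code.
& (Join-Path $Source 'ccmsetup.exe') @arguments

Start-Sleep -Seconds 30
Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 20
```

Keep the tail of ccmsetup.log open until the client reports success, then check the console as shown in the next screenshot.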

[Screenshot: HTTPCMG09]

The client has been installed on my Azure AD joined machine with my management point in HTTP and is communicating with the Cloud Management Gateway.

[Screenshot: HTTPCMG10]

The device now shows up in the console and shows the current logged-on user, which is my Azure AD user.

[Screenshot: HTTPCMG11]