One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.
This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.
You will notice in the CMG section there is a new button called Connection analyzer.
You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.
Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.
Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.
I have set my management point to allow CMG traffic, the test confirms this.
The Azure AD user can authenticate against my management point without any issues.
Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.
Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.
In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.
You can see below that it has the same steps as testing authenticating as an Azure AD user.
I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.
The same as below.
Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.
And again, you can see that it says that the certificate is not trusted by the CMG.
That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.