Fix SCCM Client CMG Communication Failure Error 0x87d0027e | ConfigMgr

In this post, let’s check how to fix SCCM Client CMG Communication Failure Error 0x87d0027e. Cloud Management Gateway (CMG) is the most talked-about feature these days as it became a full release feature from SCCM CB 1802 onwards.

If you are looking for the deployment steps, this CMG client communication post is not the right one; check the detailed tutorial by Anoop instead.

SCCM CMG – Problem Description

While working on deploying a Cloud Management Gateway (CMG) for one of the organizations, I came across a client communication failure issue. I decided to write it up as a blog post so that others can benefit from it and don’t have to go through the same pain we had.

We deployed Cloud Management Gateway (CMG) in Azure, which was successful, and then we tested the features on one of the client machines successfully.

When we moved on with the testing for a larger UAT group, the client communication failed for most of the laptops.

Troubleshooting – SCCM CMG Client Communication Failure

We started the troubleshooting with the log files. I will explain how you can troubleshoot SCCM CMG client communication failure issues.

When you check locationservices.log, it shows that the INF (Internet Facing) MP failed to communicate, and MP switching between the INF MP and the on-prem MP happens very frequently.

Log snippet from locationservices.log (domain name changed for security reasons):

[CCMHTTP] ERROR: URL=https://MYCMG.MYDOMAIN.COM/CCM_Proxy_MutualAuth/720575940XXXXXXXX/SMS_MP/.sms_aut?MPLIST2&PR1, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE LocationServices 6/21/2018 2:17:18 PM 11180 (0x2BAC)
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:B704E758-91A8-479B-A629-747A66E4065B"; DateTime = "20180621121718.306000+000"; HostName = "MYCMG.MYDOMAIN.COM"; HRESULT = "0x87d0027e"; ProcessID = 5448; StatusCode = 401; ThreadID = 11180; }; LocationServices 6/21/2018 2:17:18 PM 11180 (0x2BAC)
Successfully queued event on HTTP/HTTPS failure for server 'MYCMG.MYDOMAIN.COM'. LocationServices 6/21/2018 2:17:18 PM 11180 (0x2BAC)

A similar error can be seen in the CCMMessaging.log.

Successfully queued event on HTTP/HTTPS failure for server 'MYCMG.MYDOMAIN.COM'. CcmMessaging 6/21/2018 1:50:15 PM 7348 (0x1CB4)
Post to https://MYCMG.MYDOMAIN.COM/CCM_Proxy_MutualAuth/720575940XXXXXXXX/ccm_system/request failed with 0x87d00231. CcmMessaging 6/21/2018 1:50:15 PM 7348 (0x1CB4)
[CCMHTTP] ERROR: URL=https://MYCMG.MYDOMAIN.COM/CCM_Proxy_MutualAuth/720575940XXXXXXXX/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 6/21/2018 2:00:26 PM 9468 (0x24FC)
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:B704E758-91A8-479B-A629-747A66E4065B"; DateTime = "20180621120026.920000+000"; HostName = "MYCMG.MYDOMAIN.COM"; HRESULT = "0x87d0027e"; ProcessID = 5448; StatusCode = 401; ThreadID = 9468; }; CcmMessaging 6/21/2018 2:00:26 PM 9468 (0x24FC)
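To triage both logs at once, the following added example (not from the original post) extracts every CCM_CcmHttp_Status event and counts failures per host, HTTP status and HRESULT. The function name `Get-CcmHttpFailure` is hypothetical, and the sample text is the two sanitized events shown above with straight quotes.

```powershell
# Added example: summarize CCM_CcmHttp_Status events found in client log text.
# Sample input: the two sanitized events from this post (quotes normalized).
$sample = @'
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:B704E758-91A8-479B-A629-747A66E4065B"; DateTime = "20180621121718.306000+000"; HostName = "MYCMG.MYDOMAIN.COM"; HRESULT = "0x87d0027e"; ProcessID = 5448; StatusCode = 401; ThreadID = 11180; }; LocationServices 6/21/2018 2:17:18 PM 11180 (0x2BAC)
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:B704E758-91A8-479B-A629-747A66E4065B"; DateTime = "20180621120026.920000+000"; HostName = "MYCMG.MYDOMAIN.COM"; HRESULT = "0x87d0027e"; ProcessID = 5448; StatusCode = 401; ThreadID = 9468; }; CcmMessaging 6/21/2018 2:00:26 PM 9468 (0x24FC)
'@

function Get-CcmHttpFailure {
    param([Parameter(Mandatory)][string]$Text)

    # One match per raised event. [^}] also matches line breaks, so an
    # event that spans several lines in the log still matches.
    $eventPattern = 'CCM_CcmHttp_Status\s*\{(?<body>[^}]*)\}'
    # Inside the braces: Name = "value"; or Name = value;
    $fieldPattern = '(?<k>\w+)\s*=\s*"?(?<v>[^";]*)"?\s*;'

    foreach ($m in [regex]::Matches($Text, $eventPattern)) {
        $fields = @{}
        foreach ($kv in [regex]::Matches($m.Groups['body'].Value, $fieldPattern)) {
            $fields[$kv.Groups['k'].Value] = $kv.Groups['v'].Value
        }
        [pscustomobject]@{
            HostName   = $fields['HostName']
            StatusCode = [int]$fields['StatusCode']
            HResult    = $fields['HRESULT']
            DateTime   = $fields['DateTime']
        }
    }
}

# A CMG host that keeps returning 401 with 0x87d0027e is the pattern
# described in this post.
Get-CcmHttpFailure -Text $sample |
    Group-Object HostName, StatusCode, HResult |
    Select-Object Count, Name
```

On a client, pass the file content instead of `$sample`, for example `Get-Content -Raw` on LocationServices.log or CcmMessaging.log in the client log folder.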

Deep Dive into Firewall, PKI, etc. – CMG Client Communication Failure

The first thing we checked was port 443 connectivity from the test machine to the CMG public IP, using the port query UI tool. Port connectivity was fine, and it was listening on port 443 without any issue.

After hours of troubleshooting, we identified that the PKI infrastructure has multiple CAs. The picture below gives an overview of how the PKI infrastructure is laid out.

[Figure: PKI infrastructure]

In this scenario, the certificates on the server and a few devices were issued by Issuing CA 1. Hence, we uploaded the Root CA, Intermediate CA, and Issuing CA 1 certificates to Azure while installing the CMG.

So for whichever machines had a certificate enrolled from Issuing CA 1, client communication succeeded. For the others, client communication failed because their certificate chain had not been uploaded.

Solution – CMG Client Communication Failure 

To rectify the problem, we have to upload all the CA certs so that no client's certificate chain is broken.

For example, in our case, below is the list of certs that should be provided to Azure while installing the CMG:

  • Root CA
  • Intermediate CA
  • Issuing CA 1
  • Issuing CA 2
  • Issuing CA 3
  • Issuing CA 4
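To find out before a wider rollout which clients would fail, the following added example (not from the original post) builds the chain of each client authentication certificate in the local machine store and reports any CA in that chain that is not among the certificates uploaded to the CMG. The function name `Test-CmgChainCoverage` is hypothetical, and the thumbprints are placeholders for the CA certificates you actually uploaded.

```powershell
# Added example: does every CA in a client certificate's chain appear in the
# set of CA certificates uploaded to the CMG?
# ASSUMPTION: placeholder thumbprints; replace them with the thumbprints of
# the CA certificates provided during CMG setup.
$UploadedCaThumbprints = @(
    '<ROOT-CA-THUMBPRINT>',
    '<INTERMEDIATE-CA-THUMBPRINT>',
    '<ISSUING-CA-1-THUMBPRINT>'
)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-CmgChainCoverage {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$TrustedCaThumbprints
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only chain composition matters here, so skip revocation checks.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    # Element 0 is the client certificate; the rest are its CAs.
    $cas = @($chain.ChainElements | Select-Object -Skip 1 |
             ForEach-Object { $_.Certificate })
    $missing = @($cas | Where-Object { $TrustedCaThumbprints -notcontains $_.Thumbprint })

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        ChainBuilt   = $built
        MissingOnCmg = ($missing | ForEach-Object { $_.Subject }) -join '; '
        Covered      = $built -and $cas.Count -gt 0 -and $missing.Count -eq 0
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
    ForEach-Object {
        Test-CmgChainCoverage -Certificate $_ -TrustedCaThumbprints $UploadedCaThumbprints
    } |
    Format-Table -AutoSize -Wrap
```

A row with `Covered = False` and a non-empty `MissingOnCmg` names the issuing or intermediate CA that still has to be uploaded.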

SCCM CMG –  Is there a limitation in Uploading Client Certs?

Note: Currently there is a restriction to upload only 6 certs (2 root CA and 4 intermediate CA) while deploying a CMG. This may be changed in future releases.

5 thoughts on “Fix SCCM Client CMG Communication Failure Error 0x87d0027e | ConfigMgr”

  1. Good morning Rajul OS, I have this problem on my server but only the intranet communication was not implemented in the PKI Certificates. What should I check in that case? I hope you can support me please.
  2. I’m getting a similar issue, but we don’t use internal certs, just public certs and we use Enhanced HTTP.
    Any ideas?
