SCCM Tenant Attach Background Process Walkthrough via Logs

0
SCCM Tenant Attach Background Process

Let’s understand the ConfigMgr Tenant Attach Background Process Walkthrough via Log files. You can initiate many client actions from the Intune portal without connecting to the ConfigMgr console.

In this post, I will be taking an example of a CMPivot query to understand the background process using SCCM logs. So, I’m initiating a CMPivot query from the admin center (Intune) portal.

Related postFix ConfigMgr Tenant Attach Error 401 403 | Missing Config| SCCM

Introduction

Let’s understand how SCCM/ConfigMgr authenticates the user who initiated the task from the cloud console (Intune portal). Find out answers for the following queries: Do we have the tenant ID and all the other details stored in ConfigMgr log files? Or Can we see the CMPivot query details in the log files etc…?

  • CMPivot query against the resource highlighted below:
    • Name – Prod-Win20
    • Resource ID – 16777219
SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr
  • How to initiate a CMPivot query from the Intune portal?
    • Once initiated, check out the logs below to understand the background process:
    • Click on the Run button.
Tenant Attach CMPivot Query - SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr

Process

There are two main log files (more details below) that you need to monitor to understand the process. I think Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the key processes from the ConfigMgr server side.

The communication between the SCCM server and Cloud gateways are managed by the thread called “SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker“.

CMGatewayNotificationWorker.log

Let’s check and understand the background processes that are running at the SCCM server and cloud side using CMGatewayNotificationWorker.log. All the coordinated activities between Intune and ConfigMgr are recorded in this log (I think). If you don’t agree with this statement, let me know in the comments section.

When you initiate a CMPivot or any other Tenant attach operations (like Run Script, CMPivot, etc..), the SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker component gets the details of the activity from the cloud services like Intune.

Creating a web request using US gateway of ConfigMgr for the CMPivot query initiated from the Intune portal (a.k.a admin center). Make a note of the resource ID of the device 16777219 to identify the workflow.

Sending AdminService request with URL: https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Using direct connection to URL 'https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Authenticating with web service at: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Getting web response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification for new notifications…
Creating web request to: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Method: GET Activity ID: b6c22581-5257-4769-af90-aa3fcabaa84a
SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr

Now, let’s check the completion of the process on ConfigMgr gateway in the cloud using the log file (CMGatewayNotificationWorker.log) from your SCCM server.

I can see a warning from CM Gateway Notification worker and an error 404 (0x80131509) stating that “The remote server returned an error: (404) Not Found”. However, I don’t see any blocking issue with this warning you can just ignore it for now.

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]
The remote server returned an error: (404) Not Found. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.CloudBase.ODataServiceCaller.HttpCallerWithCustomCertValidation.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ServiceConnector.AdminServiceCaller.d__9.MoveNext()
SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr

You can get the tenant to attach an activity ID, Status code, Result ID, etc.. from the following log file CMGatewayNotificationWorker.log.

In my experience, activity ID helps Microsoft support engineers to troubleshoot things from the cloud side of things. I don’t think normal SCCM admin will have access to check the CM gateway related logs related to tenant attach.

  • Notification Results are shared with Gateway servers.
  • Activity ID details are provided.
  • Status Code 200 (OK) – This means the operation is completed successfully.
[Patched https://us.gateway.configmgr.manage.microsoft.com/api/gateway/NotificationResult(TenantId=d61fa037XXXX29df,NotificationId=145d2046-d675-4458-b239-05d39d31e0d3) for notification result with ID: 145d2046-d675-4458-b239-05d39d31e0d3]
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK)
Response status code: 200 (OK) Activity ID: a7e9d4e1-9e36-48c6-8de4-9f158ad19b52

AdminService.log

Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the key processes from the ConfigMgr server side.

Let’s check the AdminService.log to initiate the request using the CMPivot query from the Intune portal. This log snippet gives more details about the remote port it’s using and the remote IP address.

Also tells you more details about the action initiated from the cloud side (admin center/Intune portal). In this scenario, it was a CMPivot query against the resource with ID 16777219.

This adminservice.log provides more details about the authentication, CMPivot query, and Permission details of admin user.

Processing incoming request for resource https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Context: RemoteIpAddress= fe80::7011:3441:e910:1b04%3
Context: RemotePort=65076
SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr

You can see the AdminService.log confirm whether the CMPivot or any other operations through ConfigMgr Tenant attach channel is working fine. Also, the log snippet helps you to troubleshoot tenant attach operations related issues.

  • Successfully validating the request
  • Successfully authenticating user details and SCCM access to the user.
  • CMPivot query details are also stored in AdminService.log.
  • Job ID details for the CMPivot query.
  • Response code = 200 successfully completed the operation.
Received request from Service Connection Point
Successfully validated request from Service Connection Point
Successfully validated user [e9c9edXXXXXe66ca1] from tenant [d61fa03XXXXX529df]
Provider authentication level and exception list up to date
User MEMCM\anoop is allowed because it is validated with current authentication level Default
Get instance of Device with key '16777219'
User MEMCM\anoop has permission to run CMPivot on device 16777219
Input Query: QuickFixEngineering | where InstalledOn >= ago(220d)
User MEMCM\anoop successfully created a job to deploy a CMPivot script to device 16777219 (PROD-WIN20). Job ID is 16777275
Completing request with response code [200] reason [OK]
SCCM Tenant Attach Background Process Walkthrough via Logs - ConfigMgr
SCCM Tenant Attach Background Process Walkthrough via Logs – ConfigMgr

Resources

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.