We got a call from a customer stating that they where having issues with their cloud management gateway not working. I did spend some time on figuring out what the issue was so I though I should share it with you all. The customer gave us the following infomation.
- The status in the ConfigMgr console states the CMG is ready and good.
- The connection analyzer does clearly states that something was wrong.
- The SmsAdminUI.log did not really give us much to go on other than go check in Azure Portal.
Finding the issue
Logging in to the Azure portal, opening up the Cloud services (classic) — (yes, CMG is running on a classic service in Azure), I started looking around. The operation log and activity log did not give me much, but when I look at certificates I found that the public certificate used for server authentication was expired.
I asked the customer for a new certificate, and they had one ready (*.domain.com) that I could use to update the cert. So I tried to update the cert from within the ConfigMgr console (properties on the CMG service), but I got an error that the certificate thumbprint was not existing in Azure. It turns out the new cert I got from the customer was not a renewal of their expired cert, but a brand new one. That means it has a different thumbprint, hence I can’t just updated it from the ConfigMgr console.
I then went back to the Azure Portal and uploaded the certificate directly on the cloud service it self.
I then went back into the ConfigMgr console and retried the certificate update from properties on the cloud management gateway.
And surely enough this now succeeds. I went back into the Azure Portal and verified that my cert was still looking good and deleted the expired cert at the same time. Now it was time to rerun the Connection Analyzer on the CMG to verify that all was working OK.
All looking good now.
CongfigMgr console does not tell us or alert us on expiry of the public certificate for server authentication on the CMG service. I recommend you look into Azure Automation/Azure Monitor to be able to monitor this certificate, or have a clear process and procedure on where the certificate is used. The certificate authority will send massive amounts of email in good time when a cert is about to expire.
Also I recommend that you renew the cert you have instead of creating a brand new one. That will allow you to simply update the cert from within ConfigMgr.
The good thing about this story is that when you have the good certificate in place clients will immediately start communication again. Only a few minutes after I was done I had several clients already online via CMG.