Authentication failure error for cloud management gateway

Rakesh Kumar 466 Reputation points
2022-02-09T08:20:48.37+00:00

Hi All,

I'm facing an issue with SCCM clients: they are unable to connect to the cloud management gateway through Zscaler VPN. Recently we upgraded the Zscaler client to version 3.6, which supports configuration for CMG. However, we are getting the error below. Is there any help that can be offered to solve this issue?

SCCM configuration -
SCCM 2107
Manual server and client app configuration in Azure
Client authentication using Configuration Manager site-issued tokens
CMG through Cloud service (classic)
Clients are configured to talk to CMG if they are on a VPN connection. This configuration is done on Zscaler.

ccmmessaging.log -
[CCMHTTP] ERROR: URL=https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057xxxx379xxxxx/ccm_system_windowsauth/request, Port=443, Options=1472, Code=0, Text=CCM_E_NO_TOKEN_AUTH CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
[CCMHTTP] ERROR INFO: StatusCode=401 StatusText=CMGConnector_Unauthorized CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:AEF9xxxx-93FC-4xx0-AE7F-xxxxEDC73FEA";
DateTime = "20220208094145.629000+000";
HostName = "CMG.CLOUDAPP.NET";
HRESULT = "0x87d00455";
ProcessID = 8596;
StatusCode = 401;
ThreadID = 23900;
};
CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
Successfully queued event on HTTP/HTTPS failure for server 'CMG.CLOUDAPP.NET'. CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
Post using domain\user security context failed due to Integrated Windows Authentication failure CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
Post to https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720xxxx40379xxxxx/ccm_system_windowsauth/request failed with 0x80070005. CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
Supplied sender token is null. Using GetUserTokenFromSid to find sender's token. CcmMessaging 08-02-2022 9.43.45 AM 23900 (0x5D5C)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 1472. CcmMessaging 08-02-2022 9.43.45 AM 23900 (0x5D5C)
AAD Auth is not ready for user 'S-1-5-xx1-xxxxxxx-xxxxxxxx-xxxxxxx43-27318' CcmMessaging 08-02-2022 9.43.45 AM 23900 (0x5D5C)
AAD Auth is not ready for user 'S-1-5-xx1-xxxxxxx-xxxxxxxx-xxxxxxx43-27318' CcmMessaging 08-02-2022 9.43.46 AM 23900 (0x5D5C)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff CcmMessaging 08-02-2022 9.43.46 AM 23900 (0x5D5C)

ClientLocation.log -
Unable to retrieve AD forest + domain membership. Error 0x8007054b ClientLocation 07-02-2022 8.35.13 AM 8884 (0x22B4)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7 ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
[CCMHTTP] ERROR: URL=http://sccm01/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=1472, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText= ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:AExxxx26-93FC-4xxx0-AE7F-88CCExxxxxxx";
DateTime = "20220207083515.576000+000";
HostName = "sccm01";
HRESULT = "0x80072ee7";
ProcessID = 8596;
StatusCode = 0;
ThreadID = 8884;
};
ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
Successfully queued event on HTTP/HTTPS failure for server 'sccm01'. ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7 ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)

Microsoft Security | Intune | Configuration Manager | Other
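
For reading the two log excerpts above, an added example (not part of the original post, and not Microsoft or Configuration Manager code): a Python script that extracts the `[CCMHTTP] ERROR` fields from lines in this format and splits each HRESULT into facility and code, so the CMG token failure and the internal name-resolution failure can be told apart. The sample lines are constructed from the shape of the logs in the post, `MP_ID` is a placeholder, and the name table is an assumption limited to the three Win32 codes that appear there.

```python
import re

# Constructed sample, shaped like the ccmmessaging.log / ClientLocation.log lines in the post.
SAMPLE = """\
[CCMHTTP] ERROR: URL=https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/MP_ID/ccm_system_windowsauth/request, Port=443, Options=1472, Code=0, Text=CCM_E_NO_TOKEN_AUTH CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
HRESULT = "0x87d00455";
Post to https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/MP_ID/ccm_system_windowsauth/request failed with 0x80070005. CcmMessaging 08-02-2022 9.41.45 AM 23900 (0x5D5C)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 1472. CcmMessaging 08-02-2022 9.43.45 AM 23900 (0x5D5C)
Unable to retrieve AD forest + domain membership. Error 0x8007054b ClientLocation 07-02-2022 8.35.13 AM 8884 (0x22B4)
[CCMHTTP] ERROR: URL=http://sccm01/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=1472, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED ClientLocation 07-02-2022 8.35.15 AM 8884 (0x22B4)
HRESULT = "0x80072ee7";
"""

CCMHTTP = re.compile(r"\[CCMHTTP\] ERROR: URL=(\S+), Port=(\d+), Options=\d+, Code=(\d+), Text=(\S+)")
# Failure HRESULTs: eight hex digits with the top bit set, with or without a 0x prefix.
HRESULT = re.compile(r"\b(?:0x)?(8[0-9a-f]{7})\b", re.IGNORECASE)
FACILITY_WIN32 = 7
# Only the Win32 codes that occur in the post; not a complete table.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1355: "ERROR_NO_SUCH_DOMAIN",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
}

def decode_hresult(value):
    """Split an HRESULT into its 11-bit facility and 16-bit code."""
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    if facility == FACILITY_WIN32:
        return {"facility": "WIN32", "code": code, "name": WIN32_NAMES.get(code, "unlisted")}
    return {"facility": facility, "code": code, "name": "not a Win32 code"}

def triage(log_text):
    """Return ([CCMHTTP] request failures, {hresult: decoded}) for the given log text."""
    requests, hresults = [], {}
    for line in log_text.splitlines():
        m = CCMHTTP.search(line)
        if m:
            url, port, code, text = m.groups()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            requests.append({"host": host, "port": int(port), "code": int(code), "text": text})
        for hx in HRESULT.findall(line):
            hresults["0x" + hx.lower()] = decode_hresult(int(hx, 16))
    return requests, hresults

if __name__ == "__main__":
    reqs, hrs = triage(SAMPLE)
    for r in reqs:
        print(r)
    for hr, info in hrs.items():
        print(hr, info)
```

Grouping the output by host keeps the port 443 failure against the CMG separate from the port 80 failure against `sccm01`, whose HRESULT carries the same 12007 code that the log line already names.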