Overview
- In this video guide, we review the new token-based authentication feature for the cloud management gateway (CMG), released in Configuration Manager current branch 2002: https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002#token-based-authentication-for-cloud-management-gateway.
Topics in Video
- Please see YouTube: https://youtu.be/e5QSv1Yna6M
Helpful Resources
- Token-based authentication for cloud management gateway – https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002
- Register for token on the internal network – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#register-on-the-internal-network
- Create a bulk registration token – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#create-a-bulk-registration-token
- Bulk registration token tool usage – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#bulk-registration-token-tool-usage
Very helpful video, Justin, thanks.
I was wondering about approval for workgroup machines, but as always you answered it right in the video.
:), yeah, it seems the token is essentially the factor that allows the site to trust the client and auto-approve, unlike a traditional workgroup ccmsetup installation.
This video shows registration for one computer in the cloud. How do I manage 1000+ computers in a cloud environment?
You could use PKI for existing devices or Intune to auto-enroll into ConfigMgr.
What’s the secret sauce? For some reason it’s not recognizing the new /regtoken and is still trying with certificates. I see in your video CCMTOKENAUTH=1; currently mine says =0. Does this mean anything in your brilliance?
Hmm, so your machine has a client authentication certificate as well?
I had a similar issue. Mine was caused by omitting required parameters from the ccmsetup.exe install string. I did not include the SMSMP parameter; it turns out it’s required. SMSSITECODE, SMSMP, CCMHOSTNAME and /mp are all REQUIRED. Hope this helps.
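The bulk-token procedure from the resource links above (create the token on the site server, then install the client with /regtoken) together with the required-parameter list in the comment above, as an added PowerShell example. This is not code from the video, from Microsoft's documentation, or from any commenter. Assumptions: site code P01, CMG service name CONTOSO.CLOUDAPP.NET with instance ID 72057598037248100, on-premises MP mp01.contoso.com, ccmsetup.exe already in the client's working directory, the SMS\Identification registry value used to locate the tool, and the regex that picks the token out of the tool's output (it assumes the token is printed as a JWT). The /new switch and the three-day maximum lifetime are as described on the linked tool-usage page; run the tool with /? on your version to confirm.

```powershell
# Added example, not code from the video, Microsoft's documentation, or any comment on this page.
# Step 1 runs on the site server; step 2 runs, elevated, on the internet-based client.
# Placeholders (assumptions, replace with your own): site code P01, CMG service name
# CONTOSO.CLOUDAPP.NET with instance ID 72057598037248100, on-premises MP mp01.contoso.com.

# ---------- Step 1 (site server): create a bulk registration token ----------
# The tool lives in <ConfigMgr install dir>\bin\X64. Reading that directory from the
# SMS\Identification key is an assumption; set $toolPath by hand if the value is absent.
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$toolPath   = Join-Path $installDir 'bin\X64\BulkRegistrationTokenTool.exe'

# /new mints a token the site accepts for up to three days (see the tool usage link above).
$toolOutput = (& $toolPath /new) -join "`n"
# Assumption: the token is printed as a JWT, i.e. three base64url segments starting with 'eyJ'.
$m = [regex]::Match($toolOutput, 'eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*')
if (-not $m.Success) { throw 'No token found in BulkRegistrationTokenTool output; copy it manually.' }
$token = $m.Value
# Treat the token like a password: anyone holding it can register a client with the site until it expires.
Set-Content -Path .\regtoken.txt -Value $token -NoNewline

# ---------- Step 2 (internet client, elevated): install with the token ----------
$token = (Get-Content -Path .\regtoken.txt -Raw).Trim()
$cmg   = 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057598037248100'
$ccmsetupArgs = @(
    "/mp:https://$cmg",               # where ccmsetup fetches the client package (the CMG itself)
    "CCMHOSTNAME=$cmg",               # internet management point the client keeps using afterwards
    'SMSSiteCode=P01',
    'SMSMP=https://mp01.contoso.com', # on-premises MP, required per the comment above
    "/regtoken:$token"                # the bulk registration token; CCMTOKENAUTH=1 should follow in the log
)
$proc = Start-Process -FilePath '.\ccmsetup.exe' -ArgumentList $ccmsetupArgs -Wait -PassThru -NoNewWindow
'ccmsetup.exe exit code: 0x{0:X8}' -f $proc.ExitCode   # 0x00000000 on success

# Confirm token auth was actually used and registration finished, using the logs the comments refer to.
Select-String -Path "$env:windir\ccmsetup\Logs\ccmsetup.log" -Pattern 'CCMTOKENAUTH|regtoken' | Select-Object -Last 5
Select-String -Path "$env:windir\CCM\Logs\ClientIDManagerStartup.log" -Pattern 'RegTask' | Select-Object -Last 5
```

The token file is the weak point of this flow: it is a bearer secret that auto-approves any client that presents it, so move it through the same channel you would use for a local administrator password and delete it once the rollout is done rather than leaving it in a share or a ticket.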
Amazing stuff. At 11:59, what I understood is that when the client goes for registration it goes with the client GUID and certificate thumbprint. The thumbprint is of the self-signed certificate.
That’s correct. CMG will use PKI cert, Azure AD, or Bulk token for the auth/registration.
Hi, for info, there is an order.
We recently had issues with some of our servers in the DMZ; most used the token, however we had a couple that already had certs on them using their FQDN which wouldn’t register in the console.
After speaking with MS support, they said that the client install is coded to first use Azure AD; if that fails, then PKI; if that fails, then the token.
As it found a valid cert to use, it wouldn’t use the token. We had the wrong root cert in our CMG properties, which is why the client didn’t register properly with PKI. Once that was replaced and the client restarted, it registered fine.
Sorry for the delay, did you figure this one out?
This was very informative, but I need info on the client auth check. The MS article says the token expires after 90 days; what happens after that? How will the systems connect back? How does registration happen if the system is on the internet without LAN access?
The token will auto-renew for clients that have access to the MP.
Can I use this single token to authorize multiple machines?
You can as long as it’s not expired!
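The "as long as it's not expired" answer above, as an added PowerShell example that is not from the video or any comment: a function that reads the expiry out of a bulk registration token before you reuse it on the next machine. It assumes the token is a JWT (three base64url segments) carrying a standard `exp` claim in Unix seconds; the sample token below is constructed for the demonstration, is unsigned, carries only an `exp` of 2020-10-06 00:00 UTC, and is not a real site token.

```powershell
# Added example, not code from the page. Assumption: the bulk registration token is a JWT whose
# second segment is a base64url JSON payload with a standard 'exp' claim (Unix seconds, UTC).
function Get-RegTokenExpiry {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-segment JWT.' }

    # base64url -> base64: swap the URL-safe alphabet back and restore the padding that was stripped.
    $payloadB64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payloadB64.Length % 4) {
        2 { $payloadB64 += '==' }
        3 { $payloadB64 += '=' }
    }
    $payload = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json
    if (-not $payload.exp) { throw "Payload has no 'exp' claim." }

    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp).UtcDateTime
    [pscustomobject]@{
        ExpiresUtc = $expires
        Remaining  = $expires - [DateTime]::UtcNow
        Expired    = $expires -le [DateTime]::UtcNow
        Claims     = $payload
    }
}

# Constructed sample token (not a real one): header {"alg":"none"}, payload {"exp":1601942400}, empty signature.
$sample = 'eyJhbGciOiJub25lIn0.eyJleHAiOjE2MDE5NDI0MDB9.'
$info = Get-RegTokenExpiry -Token $sample
$info | Format-List ExpiresUtc, Remaining, Expired
if ($info.Expired) {
    Write-Warning 'Token has expired; mint a new one with BulkRegistrationTokenTool.exe /new on the site server.'
}
```

This only decodes the payload; it does not verify the signature, so it tells you whether a token is worth trying, not whether the site will accept it. A token that still has time left is still a bearer secret: every machine you paste it into until `ExpiresUtc` can register with the site.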
Great tutorial, Justin! What if you have, say, 50 machines? What is the suggested deployment method?
A script 🙂 not a great method if you don’t have an existing method to access the machine though.
Does the Conditional Access for Managed PCs feature need to be turned on for token-based authentication to work? We had our CMG configured and working in 1902, but upgraded to 2002 specifically for this feature. I am able to run the command line and it works, installing the client, but it cannot authenticate to our site. I am getting
RegTask: Failed to refresh site Code. Error:0x8000ffff in the ClientIDManagerStartup.log.
Any help would be great.
Awesome video as usual love your content!
Sorry for the delay, did you figure this one out?
Hello,
Did you guys manage to bootstrap a task sequence during the bulk token auth client installation?
For us it did not work 🙂; we are receiving “content location failed” messages.
I haven’t tried this scenario.
Hey Justin, we are using CMG in EHTTP mode and we don’t have any MP running in HTTPS mode; all our MPs are in HTTP mode. I have run the token-based command on an internet-based standalone system which is not domain joined, but I am getting the below errors:
Error 1: CcmSetup failed with error code 0x87d00455
Error 2:
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered ccmsetup
[CCMHTTP] : dwStatusInformationLength is 4 ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : *lpvStatusInformation is 0x8 ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f ccmsetup 10/6/2020
Error 3:
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f
Failed to create SMS client object. Error 0x80040154
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80070002
Any help on this?
The client doesn’t seem to trust the SSL cert.
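The INVALID_CA flag in the log above (0x2f8f / 0x80072f8f is ERROR_WINHTTP_SECURE_FAILURE) means WinHTTP could not build a trusted chain for the CMG's server certificate before it ever got to send the token. The following is an added PowerShell example, not from the video or any comment, that repeats that trust evaluation by hand against the client's own certificate stores so you can see which issuer is missing. CONTOSO.CLOUDAPP.NET is a placeholder for your CMG service name.

```powershell
# Added example, not code from the page: reproduce the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA check.
# Assumption: CMG service name CONTOSO.CLOUDAPP.NET (placeholder); use your own CMG FQDN.
function Test-CmgServerTrust {
    param(
        [Parameter(Mandatory)][string]$CmgHost,
        [int]$Port = 443
    )

    # Accept anything during the handshake; trust is evaluated explicitly below so the failure reason is visible.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($CmgHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($CmgHost)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Same question WinHTTP asks: does this machine's store chain the CMG certificate to a trusted root?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # INVALID_CA is about the trust path, not revocation
    $trusted = $chain.Build($serverCert)

    [pscustomobject]@{
        Subject  = $serverCert.Subject
        Issuer   = $serverCert.Issuer
        NotAfter = $serverCert.NotAfter
        Trusted  = $trusted
        Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

$result = Test-CmgServerTrust -CmgHost 'CONTOSO.CLOUDAPP.NET'
$result | Format-List Subject, Issuer, NotAfter, Trusted, Problems, Chain
if (-not $result.Trusted) {
    # UntrustedRoot / PartialChain here is what ccmsetup reports as INVALID_CA: the issuing CA of the
    # CMG server-authentication certificate is not in this client's LocalMachine Root/CA stores.
    Write-Warning "Client does not trust the CMG certificate chain: $($result.Problems)"
}
```

Run it as the same machine context ccmsetup uses (an elevated prompt on the client), because the LocalMachine stores are what WinHTTP consults. If `Trusted` is false, fix the client's trust store (or the certificate the CMG was deployed with) before retrying the token install; a token cannot help until the TLS handshake to the CMG succeeds.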
Hey justin,
I am having the same problem with clients not communicating with the CMG in Azure; apparently the CMG does not trust the client token. Please help.