Comments on: Deep Dive Token-Based Authentication for Cloud Management Gateway in Configuration Manager

By: Adalberto Inoa Peguero

Adalberto Inoa Peguero — Thu, 19 May 2022 15:02:34 +0000

In reply to Justin Chalfant. Hey justin, I am having the same problem with clients not communicating with the CMG in Azure, apparently CMG does not trust the client token. Please help.

By: Justin Chalfant

Justin Chalfant — Sun, 08 Aug 2021 17:01:28 +0000

In reply to Scott M. Sorry for the delay, did you figure this one out?

By: Justin Chalfant

Justin Chalfant — Sun, 08 Aug 2021 17:01:08 +0000

In reply to Alzoo. Sorry for the delay, did you figure this one out?

By: Justin Chalfant

Justin Chalfant — Sun, 25 Apr 2021 16:00:02 +0000

In reply to Mohan Ravilla. The client doesn't seem to trust the SSL cert.

By: Justin Chalfant

Justin Chalfant — Wed, 14 Oct 2020 23:41:10 +0000

In reply to RM. A script :) not a great method if you don't have an existing method to access the machine though.

By: Justin Chalfant

Justin Chalfant — Wed, 14 Oct 2020 23:37:43 +0000

In reply to Andrei Negru. I haven't tried this scenario.

By: Mohan Ravilla

Mohan Ravilla — Tue, 06 Oct 2020 14:39:43 +0000

Hey Justin, We are using CMG in EHTTP mode and we dont have any MP running on https mode. all our MPs are in HTTP mode. i have ran token based command on internet based standalone system which is not in our domain joined but getting the below errors
error 1: CcmSetup failed with error code 0x87d00455
error 2: [CCMHTTP] AsyncCallback(): —————————————————————–
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered ccmsetup
[CCMHTTP] : dwStatusInformationLength is 4
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : *lpvStatusInformation is 0x8
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] AsyncCallback(): —————————————————————–
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f ccmsetup 10/6/2020

Error 3:
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f
Failed to create SMS client object. Error 0x80040154
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80070002

Any help on this

By: Alzoo

Alzoo — Thu, 10 Sep 2020 01:01:19 +0000

In reply to Justin Chalfant.

Hi, for info, there is an order.

We recently had issues with some our servers in the DMZ, most used the token, however we had a couple that already had certs on them using their FQDN which wouldn’t register in the console.

After speaking with MS support, they said, that the client install is coded to first use Azure AD, if that fails, then PKI, if that fails, then the token.

As it found a valid cert to use, it wouldn’t use the token. We had the wrong root cert in our CMG properties which is why the client didn’t register properly with PKI once that was replaced and the client restarted, it registered fine.

By: Andrei Negru

Andrei Negru — Thu, 27 Aug 2020 12:03:26 +0000

Hello,
Did you guys managed to bootstrap a task sequence during the bulk token auth client installation?
For us it did not work 🙂 we are receiving”content location failed” messages.

By: Scott M

Scott M — Thu, 23 Jul 2020 21:30:43 +0000

Does conditional Access for Managed PCs feature need to be turned on for Token Based Authentication to work? Had our CMG configured and working in 1902, but upgraded to 2002 specifically for this feature. I am able to run the command line and it works installing the client, but it cannot authenticate to our site., getting,

RegTask:Failed to refresh site Code. Error:0x8000ffff in the ClientIDManagerStartup.log.

Any help would be great.

Awesome video as usual love your content!

By: Mark Bowman

Mark Bowman — Mon, 20 Jul 2020 08:02:02 +0000

In reply to SCCM Guru. I had a similar issue. Mine was caused by omitting required parameters from the ccmsetup.exe install string. I did not include the SMSMP parameter; turns out it's required. SMSSITECODE, SMSMP, CCMHOSTNAME and /mp are all REQUIRED. Hope this helps.

By: RM

RM — Wed, 15 Jul 2020 22:48:23 +0000

Great tutorial Justin! What if you have say 50 machines what is the suggested deployment method?

By: Justin Chalfant

Justin Chalfant — Thu, 09 Jul 2020 18:28:13 +0000

In reply to Navneet Singh Ghura. That's correct. CMG will use PKI cert, Azure AD, or Bulk token for the auth/registration.

By: Justin Chalfant

Justin Chalfant — Thu, 09 Jul 2020 18:27:06 +0000

In reply to Nagayya. The token will auto-renew for clients that have access to the MP.

By: Justin Chalfant

Justin Chalfant — Thu, 09 Jul 2020 18:26:35 +0000

In reply to Nagayya. You can as long as it's not expired!

By: Nagayya

Nagayya — Tue, 23 Jun 2020 12:07:03 +0000

Can i use this single token to authorize multiple machines ?

By: Nagayya

Nagayya — Tue, 23 Jun 2020 12:05:26 +0000

this was very informative, but i need info on client auth check. MS article after 90 days the token expires , what after that ? how the systems will connect back. how the registration happens if the system is in internet without LAN access

By: Navneet Singh Ghura

Navneet Singh Ghura — Sat, 13 Jun 2020 17:52:53 +0000

Amazing stuff and at 11:59, what i understood is when client goes for registration it goes with client GUID and certificate thumbprint. Thumbprint is of self-signed certificate.

By: Justin Chalfant

Justin Chalfant — Wed, 27 May 2020 10:53:55 +0000

In reply to Sundaramoorthi Bose. You could use PKI for existing devices or Intune to auto-enroll into ConfigMgr.

By: Justin Chalfant

Justin Chalfant — Wed, 27 May 2020 10:51:00 +0000

In reply to SCCM Guru. Hmm, so your machine has a client authentication certificate as well?

By: SCCM Guru

SCCM Guru — Thu, 14 May 2020 18:36:13 +0000

What’s the secret sauce? For some reason it’s not recognizing the new /regtoken and still trying with certificates. I see in your video CCMTOKENAUTH=1, currently mine says =0, does this mean anything in your brilliance?

By: Sundaramoorthi Bose

Sundaramoorthi Bose — Sun, 10 May 2020 04:06:21 +0000

This video shows for 1 computer registration in the cloud. How do I manage 1000+ computers in Cloud Environment

By: Justin Chalfant

Justin Chalfant — Thu, 02 Apr 2020 13:48:00 +0000

In reply to Gary Cassidy. :), yeah it seems the token is essentially the factor that allows the site to trust the client and auto-approve unless like a traditional workgroup ccmsetup installation.

By: Gary Cassidy

Gary Cassidy — Thu, 02 Apr 2020 13:00:43 +0000

Very helpful video Justin, thanks.

I was wondering about approval for a workgroup machineS, but as always you answered right in the video.