Some clients stopped talking to CMG
Question
Hi Team,
We have seen a strange issue where some of our clients stopped communicating with CMG. Earlier they communicated, but all of a sudden some clients are becoming inactive.
Below is the error seen in locationservice.log:
Failed to verify Certificate with error 0x80090006.
Failed to refresh trusted key info with error ‘0x80004005’.
Failed to verify message. Could not retrieve certificate from MPCERT.
MPCERT requests are throttled for 00:04:58
LSIsSiteCompatible : Domain joined client is on Internet. Unable to check compatibiliy of Site <XXX>
Please guide me on how I can resolve this issue.
Answers (9)
It seems like an authentication issue in most of the cases.
Are you using a PKI certificate?
Are you using hybrid Azure AD joined devices?
Which version of SCCM?
Are all those clients on the latest version of ConfigMgr?
Hi Anoop,
We have enabled enhanced HTTP as well as the option to use a PKI cert if available (Root CA is defined).
We have SCCM CB 1910 and the client is up to date. The device is hybrid Azure AD joined.
The strange thing is that the device was working earlier; now all of a sudden there is this issue.
Can you give some more background on this issue? Like how it is configured, and were there any changes later? Is communication failing from all machines or from a certain set of machines?
Hi Rajul,
We have four primary sites. CMG was configured but was not working as expected; one of the primary sites didn't even have a connection point. During this COVID situation we fixed that. We also increased the VMs in Azure. CMG is configured and the devices have the required root CA. The problem is occurring on some devices. The devices are part of hybrid AD too.
Is the device connected using PKI infra or an Azure AD token? If PKI, what does the PKI infra setup look like?
For example, do you have the complete certificate chain uploaded, or are you missing any intermediate CA thumbprint, etc.?
Hi Rajul,
In the ClientIDManagerStartup log I could see that renewal registration is giving an error.
RegTask: Failed to refresh site code. Error: 0x8000ffff
I could see on some other machine that the client is registered using a certificate. I cannot see any authentication using AAD.
In the client properties the certificate is mentioned as PKI.
Please let me know if there is any other way to know whether the client is connected using PKI infra or an Azure AD token.
We have a Root CA and the same has been configured in CMG.
Check the ClientIDManager log for the certificate used and verify that against the thumbprint of the certificate to identify whether the right certificate is being used or not. There is a chance that a wrong certificate is being used for workstations.
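The two checks suggested above (which certificate the client is actually using, and whether its chain is complete up to the root CA that CMG trusts) can be done from the affected client itself. The script below is an added example and is not from the thread or from the ConfigMgr product; it assumes the default client log folder, and it assumes the ClientIDManagerStartup log mentions the certificate by its 40-hex-character thumbprint (the regular expression is that assumption, not documented log format). It lists every client-authentication certificate with a private key in the machine store, builds each one's chain, and marks which thumbprints appear in the log.

```powershell
# Added diagnostic example, not ConfigMgr product code.
# Assumptions: default client log path; the log records the certificate thumbprint as 40 hex chars.
$LogPath = 'C:\Windows\CCM\Logs\ClientIDManagerStartup.log'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-LoggedThumbprints {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    # Assumption: a SHA-1 thumbprint is written into the log as 40 hex characters.
    Select-String -Path $Path -Pattern '\b[0-9A-Fa-f]{40}\b' -AllMatches |
        ForEach-Object { $_.Matches | ForEach-Object { $_.Value.ToUpperInvariant() } } |
        Sort-Object -Unique
}

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped on purpose: we are looking for trust/structure gaps
    # (PartialChain = intermediate missing, UntrustedRoot = root CA not trusted).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        NotAfter    = $Cert.NotAfter
        ChainValid  = $built
        ChainLength = $chain.ChainElements.Count
        RootCA      = $root
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-ClientAuthCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        if (-not $_.HasPrivateKey) { return $false }
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($null -eq $eku) { return $false }
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }) -ne $null
    }
}

$logged = @(Get-LoggedThumbprints -Path $LogPath)
$report = foreach ($cert in Get-ClientAuthCertificates) {
    $result = Test-ClientAuthCertificate -Cert $cert
    $result | Add-Member -NotePropertyName UsedInLog `
                         -NotePropertyValue ($logged -contains $cert.Thumbprint.ToUpperInvariant()) `
                         -PassThru
}

# One row per candidate certificate; a row with UsedInLog = True and ChainValid = False
# is the case the answer above describes: the client picked a certificate whose chain
# does not reach the root CA that was configured for CMG.
$report | Format-Table Thumbprint, UsedInLog, ChainValid, ChainStatus, NotAfter, RootCA -AutoSize
```

Run it in an elevated PowerShell session on an affected client and on a healthy one and compare: the healthy client should show a single certificate with UsedInLog = True and an empty ChainStatus, while a PartialChain status points at a missing intermediate CA and UntrustedRoot at a root that differs from the one configured in CMG. A certificate that is valid but has UsedInLog = False suggests the client selected a different (wrong) certificate, which is the scenario the answer warns about.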
Is there any similarity between the two issues?
No Anoop, in that thread the devices don't have CMG policy. For this thread the devices have the policy and communicated earlier over the Internet.