Wednesday, 13 March 2019

CMG Connection Analyzer Status Code 401

We were configuring a Cloud Management Gateway for one of our customers and, while running the CMG Connection Analyzer, we encountered a 401 error that we hadn't seen before. The error was for the last step "Testing the CMG channel for management point". 

Failed to refresh MP location. Status code is '401' and status description is 'CMGService_Not_Allowed_Root'.
A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. CMG service detected client certificate coming with not allowed root certificate. Check trusted root certificate authorities on site properties for client computer communication.

The CMG had been added and was in a Ready state. So, what was wrong? It was obviously certificate related and pointed in the direction of a root certificate.

We had used a third-party certificate to configure the CMG service (DigiCert). It turned out that we had to add the DigiCert Root certificate as a Trusted Root Certification Authority in the ConfigMgr site properties (it was included in the package we downloaded from DigiCert).

Then we ran the CMG Analyzer successfully.
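
The following PowerShell is an added example, not part of the original post: it builds the chain for a certificate file and exports the root CA certificate, so the root can be compared with the Trusted Root Certification Authorities listed in the site properties. The file paths are placeholder assumptions.

```powershell
# Added example: identify the root CA a certificate chains to and export it as a .cer file.
# Both paths are placeholders (assumptions), not values from the post.
param(
    [string]$CertPath = 'C:\Temp\certificate-to-check.cer',
    [string]$OutPath  = 'C:\Temp\root-ca.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Revocation status does not matter for identifying the root, so skip the lookup.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$built = $chain.Build($cert)

# Show every certificate in the chain, leaf first.
$chain.ChainElements | ForEach-Object {
    $_.Certificate | Select-Object Subject, Issuer, Thumbprint, NotAfter
} | Format-List

if (-not $built) {
    # Build() returns $false for an untrusted root or an incomplete chain, among other reasons.
    Write-Warning 'Chain did not validate on this machine:'
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# The last element is the root only if it is self-signed; otherwise the chain is partial.
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($last.Subject -ne $last.Issuer) {
    Write-Error "Chain is incomplete: no self-signed root found above '$($last.Subject)'."
    return
}

# Write the root as a DER-encoded .cer file.
$bytes = $last.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutPath, $bytes)
Write-Output "Root CA: $($last.Subject)"
Write-Output "Thumbprint: $($last.Thumbprint)"
Write-Output "Exported to: $OutPath"
```

If the thumbprint printed here does not match any root listed in the site properties, that root is the one to add.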

I hope this helps anyone who encounters the same problem. 

Until next time......