Wednesday, 13 March 2019

CMG Connection Analyzer Status Code 401

We were configuring a Cloud Management Gateway for one of our customers and, while running the CMG Connection Analyzer, we encountered a 401 error that we hadn't seen before. The error was for the last step "Testing the CMG channel for management point". 

 Failed to refresh MP location. Status code is '401' and status description is 'CMGService_Not_Allowed_Root'.
A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. CMG service detected client certificate coming with not allowed root certificate. Check trusted root certificate authorities on site properties for client computer communication.

The CMG had been added and was in a Ready state. So, what was wrong? It was obviously certificate related and pointed in the direction of a root certificate.

We had used a third party certificate to configure the CMG service (DigiCert). It turned out that we had to add the DigiCert Root certificate as a Trusted Root Certification Authority in the ConfigMgr site properties (it was included in the package we downloaded from DigiCert).


Then we ran the CMG Analyzer successfully.


I hope this helps anyone who encounters the same problem. 

Until next time......
Posted by at
Labels: , , ,

2 comments:

  1. Doug4 April 2019 at 12:14

    Hi Gerry,
    Good tip as we are about to implement this. Did you use a standard SSL cert from Digicert? Do you remember if a server platform was selected when creating that cert? Wasn't sure if that mattered. Thanks

    ReplyDelete
  2. Gerry Hampson6 April 2019 at 17:10

    Yes, I used a standard SSL cert with platform = Other

    ReplyDelete

Subscribe to: Post Comments (Atom)