Error 403 when Configuration Manager clients try to communicate with CMG

Van toepassing: System Center Configuration Manager (current branch - version 1902)System Center Configuration Manager (current branch - version 1810)System Center Configuration Manager (current branch - version 1806)

Symptoms


Microsoft System Center Configuration Manager clients can’t communicate together with the cloud management gateway (CMG). An error message that resembles one of the following is logged in the LocationServices.log file:

 

Error messages that resemble the following are logged in the SMS_Cloud_ProxyConnector.log file:

Cause


The CMG connection point requires a client authentication certificate to securely forward client requests to an HTTPS management point. If the client authentication certificate is missing, configured incorrectly, or invalid, status code 403 is returned.

Resolution


To fix this issue, generate a client authentication certificate for the CMG connection point.

Note In the certificate, computers must have a unique value in the Subject Name or Subject Alternative Name field.

More information


For better troubleshooting, do the following:

  • Check the Internet Information Services (IIS) logs on the management point for more information about the error.

    In the following sample log, the "403 7" response means that the client certificate can’t be found:

  • Enable verbose logging for SMS_CLOUD_PROXYCONNECTOR by setting the VerboseLogging registry value under HKLM\SOFTWARE\MICROSOFT\SMS\SMS_CLOUD_PROXYCONNECTOR to 1, and then restart the SMS_EXECUTIVE service.

    The following is an example of SMS_Cloud_ProxyConnector.log content. It indicates that there isn’t a valid client authentication certificate to establish communication between the CMG connection point and the management point.