Windows clients get a workplace join (WPJ) certificate when they join an Azure AD tenant. If the certificate isn't found, the Configuration Manager client can't request Azure AD tokens. Without a token, the client can't use the Configuration Manager security token service (CCM_STS) communication channel for Azure AD authentication with Configuration Manager site systems.

In this workflow sample, you installed the Configuration Manager client on a Windows device over the internet with the following ccmsetup command-line properties:

CCMHOSTNAME="/CCM_Proxy_MutualAuth/72186325152220500" SMSSITECODE="MEM"

Clients installed from the internet need specific command-line properties to use Azure AD authentication. You can include these properties in the command line for internet ccmsetup, but they aren't required. When you don't use Azure AD properties, ccmsetup requests the AADCLIENTAPPID and AADRESOURCEURI properties from the cloud management gateway (CMG). It uses the device's Azure AD TenantID as a reference. If you haven't onboarded the client's TenantID in Configuration Manager, the CMG doesn't give ccmsetup the properties it needs to continue client installation. The following entries are logged in ccmsetup.log of the client:

Getting AAD info from CMG ''
SMS CCM 5.0: Host=, Path=/CCM_Proxy_ServerAuth/AADAuthInfo?TenantID=9aaf466a-3f40-4468-b3cd-f0010f21f05a, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1304, Options=0xe0

During ccmsetup, the device has to validate the CMG server authentication certificate. The root certificate authority (CA) certificate for the CMG server authentication certificate needs to be available on the client for the chain validation. If you use PKI and the root CA isn't published on the internet, add the root CA certificate to the device's root CAs store. If the root CA certificate revocation list (CRL) isn't published on the internet, add the /nocrlcheck parameter to the ccmsetup command line.

On a Windows Azure AD domain-joined device, ccmsetup uses the Azure AD properties to request an Azure AD token, calling the ADALOperation provider. The following entries are logged in ccmsetup.log on the client:

Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = AccountId =

If the device token request fails, ccmsetup falls back to requesting an Azure AD user token. If the device can't get either an Azure AD device token or a user token, ccmsetup doesn't continue. If the device has a valid PKI client authentication certificate, ccmsetup always prefers the certificate.
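As an added example (not part of the original article or of Configuration Manager itself), the following Python script parses the ccmsetup.log entry formats quoted above, checks the TenantID sent to the CMG against a list of onboarded tenants that you supply, and encodes the credential preference order the text describes (PKI client certificate, then device token, then user token). The CMG host name, the ResourceUrl, the shape of a user-token entry, and the onboarded_tenants input are assumptions.

```python
import re

# Constructed ccmsetup.log excerpt in the entry formats quoted above; the host name and
# ResourceUrl are placeholders, the TenantID and ClientId are the values shown on the page.
SAMPLE_LOG = """\
Getting AAD info from CMG 'CMGHOST.EXAMPLE.NET'
SMS CCM 5.0: Host=CMGHOST.EXAMPLE.NET, Path=/CCM_Proxy_ServerAuth/AADAuthInfo?TenantID=9aaf466a-3f40-4468-b3cd-f0010f21f05a, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1304, Options=0xe0
Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = https://cmg.example/, AccountId =
"""

AADINFO_RE = re.compile(r"Host=(?P<host>[^,]*), Path=/CCM_Proxy_ServerAuth/AADAuthInfo\?TenantID=(?P<tenant>[0-9a-fA-F-]+)")
# Assumption: a user-token entry has the same shape as the quoted device-token entry.
TOKEN_RE = re.compile(r"Getting AAD \((?P<kind>device|user)\) token with: ClientId = (?P<client>[^,]*),"
                      r" ResourceUrl = (?P<resource>[^,]*), AccountId =\s*(?P<account>.*)")

def parse_ccmsetup_log(text):
    """Pull out the AADAuthInfo request to the CMG and every Azure AD token request."""
    parsed = {"aad_info": None, "token_requests": []}
    for line in text.splitlines():
        if m := AADINFO_RE.search(line):
            parsed["aad_info"] = {"host": m["host"], "tenant_id": m["tenant"].lower()}
        elif m := TOKEN_RE.search(line):
            parsed["token_requests"].append({k: m[k].strip() for k in ("kind", "client", "resource", "account")})
    return parsed

def diagnose(text, onboarded_tenants):
    """Findings to check first when an internet client install stalls; onboarded_tenants is supplied by you."""
    parsed = parse_ccmsetup_log(text)
    findings = []
    info = parsed["aad_info"]
    if info is None:
        findings.append("no AADAuthInfo request to the CMG was logged")
    elif info["tenant_id"] not in {t.lower() for t in onboarded_tenants}:
        findings.append(f"TenantID {info['tenant_id']} is not onboarded; the CMG will not return AADCLIENTAPPID/AADRESOURCEURI")
    kinds = [r["kind"] for r in parsed["token_requests"]]
    if "device" in kinds and "user" in kinds:
        findings.append("device token request failed; ccmsetup fell back to a user token")
    findings += [f"{r['kind']} token request has an empty ResourceUrl" for r in parsed["token_requests"] if not r["resource"]]
    return findings

def preferred_auth(has_pki_client_cert, device_token_ok, user_token_ok):
    """ccmsetup's credential preference as the text describes it; None means it doesn't continue."""
    if has_pki_client_cert:
        return "pki-client-certificate"
    return "aad-device-token" if device_token_ok else "aad-user-token" if user_token_ok else None
```

Run diagnose() over a real ccmsetup.log with your own tenant list; an empty result means the CMG request and token request were both logged for an onboarded tenant.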