CMG Issue

Been having an issue with Cloud Management Gateway for a number of weeks, and currently awaiting some input from a Level 3 Escalation Engineer from MS!

Basically, the CMG is set up according to all standard instructions from MS. It’s been set up multiple times, including just around an hour ago today!

We are NOT using HTTPS or PKI, all site systems are in HTTP mode.

All Windows 10 machines are enrolled in AAD and OnPrem, and we need to use Azure AD Authentication through the CMG.

We are on ConfigMgr 1810.

We are using a Digicert Wildcard Certificate to create the CMG.

Once the CMG is up and running, I try and run a test using the connection analyzer. This fails on the last test:

However, if I choose to run the test using the Client certificate instead, and use the Digicert Wildcard certificate which I used to set the CMG up, then all tests are successful:

Software Center will not open on the client machine:

CCM_STS.log from Primary Server:

ProcessRequest - Start CCM_STS 11/01/2019 15:56:01 62 (0x003E)
Return code: 401, Description: No bearer token found in request, No bearer token found in request CCM_STS 11/01/2019 15:56:01 62 (0x003E)
Elapsed time: 0 ms CCM_STS 11/01/2019 15:56:01 62 (0x003E)
ProcessRequest - Start CCM_STS 11/01/2019 15:56:01 57 (0x0039)
Validated AAD token. TokenType: Device TenantId: 4ae48b41-0137-4599-8661-fc641fe77bea UserId: 00000000-0000-0000-0000-000000000000 DeviceId: 3645d405-68e1-44d1-88dd-a97076ccbc36 OnPrem_UserSid: OnPrem_DeviceSid: CCM_STS 11/01/2019 15:56:01 57 (0x0039)
TokenType is Device, use UDA for now CCM_STS 11/01/2019 15:56:01 57 (0x0039)
No SCCM user and device information found. Change to ServicePartner type. CCM_STS 11/01/2019 15:56:01 57 (0x0039)
Created SCCM token CCM_STS 11/01/2019 15:56:01 57 (0x0039)
ProcessRequest - Exception: System.InvalidOperationException: IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
Key: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.
Exception:'System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
If you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateSignature(String inputString, SecurityKey key, String algorithm, SignatureProvider signatureProvider)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateToken(String issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires, SigningCredentials signingCredentials, SignatureProvider signatureProvider)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)
at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenIssuer.IssueToken(IToken token)
at Microsoft.ConfigurationManager.MPSecurityTokenService.SecurityTokenService.ProcessRequest(HttpContext context) CCM_STS 11/01/2019 15:56:01 57 (0x0039)
Elapsed time: 7 ms CCM_STS 11/01/2019 15:56:01 57 (0x0039)
ProcessRequest - Start CCM_STS 11/01/2019 15:56:01 12 (0x000C)
Return code: 401, Description: No bearer token found in request, No bearer token found in request CCM_STS 11/01/2019 15:56:01 12 (0x000C)
Elapsed time: 0 ms CCM_STS 11/01/2019 15:56:01 12 (0x000C)
ProcessRequest - Start CCM_STS 11/01/2019 15:56:01 87 (0x0057)
Validated AAD token. TokenType: Device TenantId: 4ae48b41-0137-4599-8661-fc641fe77bea UserId: 00000000-0000-0000-0000-000000000000 DeviceId: bae66c7c-070f-405c-94a8-ec74503b7a68 OnPrem_UserSid: OnPrem_DeviceSid: CCM_STS 11/01/2019 15:56:01 87 (0x0057)
TokenType is Device, use UDA for now CCM_STS 11/01/2019 15:56:01 87 (0x0057)
No SCCM user and device information found. Change to ServicePartner type. CCM_STS 11/01/2019 15:56:01 87 (0x0057)
Created SCCM token CCM_STS 11/01/2019 15:56:01 87 (0x0057)
ProcessRequest - Exception: System.InvalidOperationException: IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
Key: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.
Exception:'System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
If you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateSignature(String inputString, SecurityKey key, String algorithm, SignatureProvider signatureProvider)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateToken(String issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires, SigningCredentials signingCredentials, SignatureProvider signatureProvider)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)
at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenIssuer.IssueToken(IToken token)
at Microsoft.ConfigurationManager.MPSecurityTokenService.SecurityTokenService.ProcessRequest(HttpContext context) CCM_STS 11/01/2019 15:56:01 87 (0x0057)
Elapsed time: 7 ms CCM_STS 11/01/2019 15:56:01 87 (0x0057)

MP_Token.log from Primary server:

CreateReplyDocument(docReply), HRESULT=80090016 (tasks.cpp,1326) MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
SendReplyToClient(pService), HRESULT=80090016 (tasks.cpp,1287) MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
Failed to validate request or send reply to client [GUID:48b74005-b044-469d-89a9-c45faf29b31f]. Error 0x80090016 MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
hr, HRESULT=80090016 (tokenmgr.cpp,62) MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
CTokenManagerHandler::HandleMessage(): ExecuteTask() failed MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
MP TM: Message discarded MP_TokenManager 11/01/2019 15:56:04 12644 (0x3164)
Token signing cert thumbprint '0c8762f83ad3d814d75de852bc1164cb4d8d1172' MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
::CryptAcquireCertificatePrivateKey( pCertContext, 0x00000002 | 0x00010000, 0, &hCryptProv, &dwKeySpec, &bReleaseContext), HRESULT=80090016 (..\ccmgencert.cpp,4247) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
CCMGetSigningHashAlgorithm(pMPSigningCertContext, sHashAlg, dwHashAlgId), HRESULT=80090016 (tasks.cpp,971) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
Failed to get hash algorithm for the STS signing certificate. Return code: 0x80090016 MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
CreateDPAuthToken( sDPServer, sContentID, sSMSID, uVersion, sDPAuthToken, ctEndTime ), HRESULT=80090016 (tasks.cpp,1625) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
CHandleTokenRequest::CreateReplyDocument failed with error code 0x80090016. MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
CreateReplyDocument(docReply), HRESULT=80090016 (tasks.cpp,1326) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
SendReplyToClient(pService), HRESULT=80090016 (tasks.cpp,1287) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
Failed to validate request or send reply to client [GUID:39ac45bb-9aeb-4a07-b830-9690cdc0a325]. Error 0x80090016 MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
hr, HRESULT=80090016 (tokenmgr.cpp,62) MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
CTokenManagerHandler::HandleMessage(): ExecuteTask() failed MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
MP TM: Message discarded MP_TokenManager 11/01/2019 15:56:22 8108 (0x1FAC)
Token signing cert thumbprint '0c8762f83ad3d814d75de852bc1164cb4d8d1172' MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
::CryptAcquireCertificatePrivateKey( pCertContext, 0x00000002 | 0x00010000, 0, &hCryptProv, &dwKeySpec, &bReleaseContext), HRESULT=80090016 (..\ccmgencert.cpp,4247) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
CCMGetSigningHashAlgorithm(pMPSigningCertContext, sHashAlg, dwHashAlgId), HRESULT=80090016 (tasks.cpp,971) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
Failed to get hash algorithm for the STS signing certificate. Return code: 0x80090016 MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
CreateDPAuthToken( sDPServer, sContentID, sSMSID, uVersion, sDPAuthToken, ctEndTime ), HRESULT=80090016 (tasks.cpp,1625) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
CHandleTokenRequest::CreateReplyDocument failed with error code 0x80090016. MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
CreateReplyDocument(docReply), HRESULT=80090016 (tasks.cpp,1326) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
SendReplyToClient(pService), HRESULT=80090016 (tasks.cpp,1287) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
Failed to validate request or send reply to client [GUID:413c7836-1341-4b44-a84f-4af5020f981a]. Error 0x80090016 MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
hr, HRESULT=80090016 (tokenmgr.cpp,62) MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
CTokenManagerHandler::HandleMessage(): ExecuteTask() failed MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
MP TM: Message discarded MP_TokenManager 11/01/2019 15:57:32 12052 (0x2F14)
Token signing cert thumbprint '0c8762f83ad3d814d75de852bc1164cb4d8d1172' MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
::CryptAcquireCertificatePrivateKey( pCertContext, 0x00000002 | 0x00010000, 0, &hCryptProv, &dwKeySpec, &bReleaseContext), HRESULT=80090016 (..\ccmgencert.cpp,4247) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
CCMGetSigningHashAlgorithm(pMPSigningCertContext, sHashAlg, dwHashAlgId), HRESULT=80090016 (tasks.cpp,971) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
Failed to get hash algorithm for the STS signing certificate. Return code: 0x80090016 MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
CreateDPAuthToken( sDPServer, sContentID, sSMSID, uVersion, sDPAuthToken, ctEndTime ), HRESULT=80090016 (tasks.cpp,1625) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
CHandleTokenRequest::CreateReplyDocument failed with error code 0x80090016. MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
CreateReplyDocument(docReply), HRESULT=80090016 (tasks.cpp,1326) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
SendReplyToClient(pService), HRESULT=80090016 (tasks.cpp,1287) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
Failed to validate request or send reply to client [GUID:39ac45bb-9aeb-4a07-b830-9690cdc0a325]. Error 0x80090016 MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
hr, HRESULT=80090016 (tokenmgr.cpp,62) MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
CTokenManagerHandler::HandleMessage(): ExecuteTask() failed MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
MP TM: Message discarded MP_TokenManager 11/01/2019 15:57:44 8628 (0x21B4)
Token signing cert thumbprint '0c8762f83ad3d814d75de852bc1164cb4d8d1172' MP_TokenManager 11/01/2019 15:58:26 12052 (0x2F14)
::CryptAcquireCertificatePrivateKey( pCertContext, 0x00000002 | 0x00010000, 0, &hCryptProv, &dwKeySpec, &bReleaseContext), HRESULT=80090016 (..\ccmgencert.cpp,4247) MP_TokenManager 11/01/2019 15:58:26 12052 (0x2F14)
CCMGetSigningHashAlgorithm(pMPSigningCertContext, sHashAlg, dwHashAlgId), HRESULT=80090016 (tasks.cpp,971) MP_TokenManager 11/01/2019 15:58:26 12052 (0x2F14)
Failed to get hash algorithm for the STS signing certificate. Return code: 0x80090016 MP_TokenManager 11/01/2019 15:58:26 12052 (0x2F14)

ADALOperationsProvider.log from client looking at CMG:

Falling back to ADAL. ADALOperationProvider 11/01/2019 16:39:09 9244 (0x241C)
E_FAIL, HRESULT=80004005 (..\adaloperationprovider.cpp,137) ADALOperationProvider 11/01/2019 16:39:09 9244 (0x241C)
GetAADTokenForLoggedOnUser(sWebAccountProviderId, sAuthority, sClientId, sResourceId, 0, sAADToken, sAADUserId), HRESULT=80004005 (..\adaloperationprovider.cpp,268) ADALOperationProvider 11/01/2019 16:39:09 9244 (0x241C)
Failed to get AAD token for logged on user, Error 0x80004005 ADALOperationProvider 11/01/2019 16:39:09 9244 (0x241C)
Getting AAD (user) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:09 9736 (0x2608)
Retrieved AAD token for AAD user 'ea1f3e81-d6d6-47a2-8e4b-73d9fb3300ff' ADALOperationProvider 11/01/2019 16:39:09 9736 (0x2608)
Getting AAD (device) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
WAM token request failed. Status 5, Details 'AAD WAM extension error' ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
Failed to get AAD token.. 
The user name or password is incorrect. (Error: 8007052E; Source: Windows) ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=8007052e (..\CcmToken.cpp,2293) ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x8007052e ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
CADALOperationProvider::ExecMethodAsync - ExecMethod called for the provider. ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Getting AAD token for logged on user. Authority: https://login.microsoftonline.com/common/oauth2/token ClientId: 194ac1d6-3483-4863-97fe-92fcf5f0855d ResourceId: https://ConfigMgrServiceCMG UserSID: S-1-5-18 ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Attempting to obtain AAD token. WebAccountProviderId='https://login.windows.net', Authority='https://login.microsoftonline.com/common/oauth2/token', ClientID='194ac1d6-3483-4863-97fe-92fcf5f0855d', ResourceId='https://ConfigMgrServiceCMG', SessionId='0' ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Unable to obtain AAD token with WAM. Error Details: System.Exception: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Windows.Foundation.IAsyncOperation`1.GetResults()
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<>c__DisplayClass6_0.<AcquireTokenWAM>b__0(IAsyncOperation`1 , AsyncStatus )
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<AcquireTokenWAM>d__6.MoveNext() ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Falling back to ADAL. ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
E_FAIL, HRESULT=80004005 (..\adaloperationprovider.cpp,137) ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
GetAADTokenForLoggedOnUser(sWebAccountProviderId, sAuthority, sClientId, sResourceId, 0, sAADToken, sAADUserId), HRESULT=80004005 (..\adaloperationprovider.cpp,268) ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Failed to get AAD token for logged on user, Error 0x80004005 ADALOperationProvider 11/01/2019 16:39:10 9244 (0x241C)
Getting AAD (user) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
Retrieved AAD token for AAD user 'ea1f3e81-d6d6-47a2-8e4b-73d9fb3300ff' ADALOperationProvider 11/01/2019 16:39:10 9736 (0x2608)
Getting AAD (device) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
WAM token request failed. Status 5, Details 'AAD WAM extension error' ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
Failed to get AAD token.. 
The user name or password is incorrect. (Error: 8007052E; Source: Windows) ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=8007052e (..\CcmToken.cpp,2293) ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x8007052e ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
CADALOperationProvider::ExecMethodAsync - ExecMethod called for the provider. ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Getting AAD token for logged on user. Authority: https://login.microsoftonline.com/common/oauth2/token ClientId: 194ac1d6-3483-4863-97fe-92fcf5f0855d ResourceId: https://ConfigMgrServiceCMG UserSID: S-1-5-18 ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Attempting to obtain AAD token. WebAccountProviderId='https://login.windows.net', Authority='https://login.microsoftonline.com/common/oauth2/token', ClientID='194ac1d6-3483-4863-97fe-92fcf5f0855d', ResourceId='https://ConfigMgrServiceCMG', SessionId='0' ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Unable to obtain AAD token with WAM. Error Details: System.Exception: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Windows.Foundation.IAsyncOperation`1.GetResults()
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<>c__DisplayClass6_0.<AcquireTokenWAM>b__0(IAsyncOperation`1 , AsyncStatus )
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<AcquireTokenWAM>d__6.MoveNext() ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Falling back to ADAL. ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
E_FAIL, HRESULT=80004005 (..\adaloperationprovider.cpp,137) ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
GetAADTokenForLoggedOnUser(sWebAccountProviderId, sAuthority, sClientId, sResourceId, 0, sAADToken, sAADUserId), HRESULT=80004005 (..\adaloperationprovider.cpp,268) ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Failed to get AAD token for logged on user, Error 0x80004005 ADALOperationProvider 11/01/2019 16:39:11 9244 (0x241C)
Getting AAD (user) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
Retrieved AAD token for AAD user 'ea1f3e81-d6d6-47a2-8e4b-73d9fb3300ff' ADALOperationProvider 11/01/2019 16:39:11 9736 (0x2608)
Getting AAD (user) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:17 9736 (0x2608)
BlockOnCompletionAndGetResults(spWebAccountProviderOperation.Get(), &spProvider), HRESULT=80070520 (..\Token.cpp,531) ADALOperationProvider 11/01/2019 16:39:17 9736 (0x2608)
Failed to get AAD token.. 
A specified logon session does not exist. It may already have been terminated. (Error: 80070520; Source: Windows) ADALOperationProvider 11/01/2019 16:39:17 9736 (0x2608)
CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=80070520 (..\CcmToken.cpp,2293) ADALOperationProvider 11/01/2019 16:39:17 9736 (0x2608)
Failed to get AAD token for 'S-1-5-20' from WAM API. Error 0x80070520 ADALOperationProvider 11/01/2019 16:39:17 9736 (0x2608)
CADALOperationProvider::ExecMethodAsync - ExecMethod called for the provider. ADALOperationProvider 11/01/2019 16:39:17 9244 (0x241C)
Getting AAD token for logged on user. Authority: https://login.microsoftonline.com/common/oauth2/token ClientId: 194ac1d6-3483-4863-97fe-92fcf5f0855d ResourceId: https://ConfigMgrServiceCMG UserSID: S-1-5-20 ADALOperationProvider 11/01/2019 16:39:17 9244 (0x241C)
Attempting to obtain AAD token. WebAccountProviderId='https://login.windows.net', Authority='https://login.microsoftonline.com/common/oauth2/token', ClientID='194ac1d6-3483-4863-97fe-92fcf5f0855d', ResourceId='https://ConfigMgrServiceCMG', SessionId='0' ADALOperationProvider 11/01/2019 16:39:17 9244 (0x241C)
Unable to obtain AAD token with WAM. Error Details: System.Exception: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Windows.Foundation.IAsyncOperation`1.GetResults()
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<>c__DisplayClass6_0.<AcquireTokenWAM>b__0(IAsyncOperation`1 , AsyncStatus )
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<AcquireTokenWAM>d__6.MoveNext() ADALOperationProvider 11/01/2019 16:39:17 9244 (0x241C)
Falling back to ADAL. ADALOperationProvider 11/01/2019 16:39:17 9244 (0x241C)
E_FAIL, HRESULT=80004005 (..\adaloperationprovider.cpp,137) ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
GetAADTokenForLoggedOnUser(sWebAccountProviderId, sAuthority, sClientId, sResourceId, 0, sAADToken, sAADUserId), HRESULT=80004005 (..\adaloperationprovider.cpp,268) ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Failed to get AAD token for logged on user, Error 0x80004005 ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Getting AAD (device) token with: ClientId = 194ac1d6-3483-4863-97fe-92fcf5f0855d, ResourceUrl = https://ConfigMgrServiceCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/01/2019 16:39:18 9736 (0x2608)
WAM token request failed. Status 5, Details 'AAD WAM extension error' ADALOperationProvider 11/01/2019 16:39:18 9736 (0x2608)
Failed to get AAD token.. 
The user name or password is incorrect. (Error: 8007052E; Source: Windows) ADALOperationProvider 11/01/2019 16:39:18 9736 (0x2608)
CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=8007052e (..\CcmToken.cpp,2293) ADALOperationProvider 11/01/2019 16:39:18 9736 (0x2608)
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x8007052e ADALOperationProvider 11/01/2019 16:39:18 9736 (0x2608)
CADALOperationProvider::ExecMethodAsync - ExecMethod called for the provider. ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Getting AAD token for logged on user. Authority: https://login.microsoftonline.com/common/oauth2/token ClientId: 194ac1d6-3483-4863-97fe-92fcf5f0855d ResourceId: https://ConfigMgrServiceCMG UserSID: S-1-5-18 ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Attempting to obtain AAD token. WebAccountProviderId='https://login.windows.net', Authority='https://login.microsoftonline.com/common/oauth2/token', ClientID='194ac1d6-3483-4863-97fe-92fcf5f0855d', ResourceId='https://ConfigMgrServiceCMG', SessionId='0' ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Unable to obtain AAD token with WAM. Error Details: System.Exception: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Windows.Foundation.IAsyncOperation`1.GetResults()
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<>c__DisplayClass6_0.<AcquireTokenWAM>b__0(IAsyncOperation`1 , AsyncStatus )
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ADAL.AdalWrapper.<AcquireTokenWAM>d__6.MoveNext() ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
Falling back to ADAL. ADALOperationProvider 11/01/2019 16:39:18 9244 (0x241C)
E_FAIL, HRESULT=80004005 (..\adaloperationprovider.cpp,137) ADALOperationProvider 11/01/2019 16:39:19 9244 (0x241C)
GetAADTokenForLoggedOnUser(sWebAccountProviderId, sAuthority, sClientId, sResourceId, 0, sAADToken, sAADUserId), HRESULT=80004005 (..\adaloperationprovider.cpp,268) ADALOperationProvider 11/01/2019 16:39:19 9244 (0x241C)
Failed to get AAD token for logged on user, Error 0x80004005 ADALOperationProvider 11/01/2019 16:39:19 9244 (0x241C)

 

CMGService.Log looks fine...:

Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:04:30	48 (0x0030)
WorkingSet: 72663040 byte  PrivateByte: 50556928 byte  PeakWorkingSet: 72663040 byte  HandleCount: 813  ThreadCount: 22	CMGService	11/01/2019 16:04:30	48 (0x0030)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:09:30	59 (0x003B)
WorkingSet: 72781824 byte  PrivateByte: 50704384 byte  PeakWorkingSet: 72781824 byte  HandleCount: 853  ThreadCount: 22	CMGService	11/01/2019 16:09:30	59 (0x003B)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:14:30	69 (0x0045)
WorkingSet: 74924032 byte  PrivateByte: 53014528 byte  PeakWorkingSet: 74924032 byte  HandleCount: 691  ThreadCount: 22	CMGService	11/01/2019 16:14:30	69 (0x0045)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 12  RequestSize: 21360 Bytes  ResponseCount: 12  ResponseSize: 120540 Bytes  AverageElapsedTime: 68 ms	CMGService	11/01/2019 16:14:30	69 (0x0045)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:19:30	48 (0x0030)
WorkingSet: 76091392 byte  PrivateByte: 54337536 byte  PeakWorkingSet: 76091392 byte  HandleCount: 768  ThreadCount: 23	CMGService	11/01/2019 16:19:30	48 (0x0030)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037928805/CLIENTWEBSERVICE/  RequestCount: 3  RequestSize: 264987 Bytes  ResponseCount: 3  ResponseSize: 2931 Bytes  AverageElapsedTime: 270 ms	CMGService	11/01/2019 16:19:30	48 (0x0030)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 10  RequestSize: 17800 Bytes  ResponseCount: 10  ResponseSize: 100450 Bytes  AverageElapsedTime: 65 ms	CMGService	11/01/2019 16:19:30	48 (0x0030)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:24:30	36 (0x0024)
WorkingSet: 76267520 byte  PrivateByte: 54476800 byte  PeakWorkingSet: 76267520 byte  HandleCount: 826  ThreadCount: 23	CMGService	11/01/2019 16:24:30	36 (0x0024)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 5  RequestSize: 8900 Bytes  ResponseCount: 5  ResponseSize: 50225 Bytes  AverageElapsedTime: 61 ms	CMGService	11/01/2019 16:24:30	36 (0x0024)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:29:30	46 (0x002E)
WorkingSet: 76570624 byte  PrivateByte: 54820864 byte  PeakWorkingSet: 76570624 byte  HandleCount: 755  ThreadCount: 23	CMGService	11/01/2019 16:29:30	46 (0x002E)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 13  RequestSize: 23140 Bytes  ResponseCount: 13  ResponseSize: 130585 Bytes  AverageElapsedTime: 54 ms	CMGService	11/01/2019 16:29:30	46 (0x002E)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:34:30	62 (0x003E)
WorkingSet: 73281536 byte  PrivateByte: 51077120 byte  PeakWorkingSet: 76619776 byte  HandleCount: 795  ThreadCount: 22	CMGService	11/01/2019 16:34:30	62 (0x003E)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:39:30	48 (0x0030)
WorkingSet: 73846784 byte  PrivateByte: 51646464 byte  PeakWorkingSet: 76619776 byte  HandleCount: 717  ThreadCount: 23	CMGService	11/01/2019 16:39:30	48 (0x0030)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037928805/CLIENTWEBSERVICE/  RequestCount: 3  RequestSize: 264987 Bytes  ResponseCount: 3  ResponseSize: 2955 Bytes  AverageElapsedTime: 161 ms	CMGService	11/01/2019 16:39:30	48 (0x0030)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 8  RequestSize: 14240 Bytes  ResponseCount: 8  ResponseSize: 80360 Bytes  AverageElapsedTime: 58 ms	CMGService	11/01/2019 16:39:30	48 (0x0030)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:44:30	39 (0x0027)
WorkingSet: 74797056 byte  PrivateByte: 52752384 byte  PeakWorkingSet: 76619776 byte  HandleCount: 689  ThreadCount: 23	CMGService	11/01/2019 16:44:30	39 (0x0027)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037928805/CLIENTWEBSERVICE/  RequestCount: 3  RequestSize: 264987 Bytes  ResponseCount: 3  ResponseSize: 2930 Bytes  AverageElapsedTime: 171 ms	CMGService	11/01/2019 16:44:30	39 (0x0027)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 12  RequestSize: 21360 Bytes  ResponseCount: 12  ResponseSize: 120540 Bytes  AverageElapsedTime: 69 ms	CMGService	11/01/2019 16:44:30	39 (0x0027)
Reporting proxy traffic. Current processing messages: 0	CMGService	11/01/2019 16:49:30	51 (0x0033)
WorkingSet: 74895360 byte  PrivateByte: 52817920 byte  PeakWorkingSet: 76619776 byte  HandleCount: 741  ThreadCount: 22	CMGService	11/01/2019 16:49:30	51 (0x0033)
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927939/CCM_STS  RequestCount: 6  RequestSize: 10680 Bytes  ResponseCount: 6  ResponseSize: 60270 Bytes  AverageElapsedTime: 67 ms	CMGService	11/01/2019 16:49:30	51 (0x0033)

 

CCMMessaging.log on client machine:

RequestResponseImpl( szUrl, L"GET", szHeaders, 0, 0, 0, 0, uFlags, &pbResponse, &ulResponseLen), HRESULT=87d0027e (..\ccmhttpget.cpp,297)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
GetURLSyncInStreamEx2(szUrl, szHeaders, uFlags, &spStream), HRESULT=87d0027e (..\ccmhttpget.cpp,372)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
spHttpGet->GetURLSyncInStringEx2( sUrl, sAuthHeader, dwFlags, &csResponse), HRESULT=87d0027e (..\ccmtoken.cpp,351)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
RetrieveTokenFromStsServerImpl failed with error 0x87d0027e	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
RetrieveTokenFromStsServerImpl((LPCWSTR)sMP, true, sAADToken, sCcmToken, ulExpiresIn), HRESULT=87d0027e (..\ccmtoken.cpp,286)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
RetrieveTokenFromStsServer(szPotentialServerUrl, sAADToken, sCcmToken, ulExpiresIn), HRESULT=87d0027e (..\ccmtoken.cpp,140)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
SUCCEEDED(hrRet), HRESULT=87d00455 (..\requestresponse.cpp,868)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x87d0027e	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
[CCMHTTP] ERROR: URL=https://ServerNameRemoved.com/CCM_PROXY_MUTUALAUTH/72057594037927939/ccm_system/request, Port=443, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
[CCMHTTP] ERROR INFO: StatusCode=401 StatusText=CMGService_Invalid_Client_Certificate	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Raising event:

instance of CCM_CcmHttp_Status
{
	ClientID = "GUID:5931403a-c5e2-4efd-8d21-35f5f07e44ab";
	DateTime = "20190111170232.478000+000";
	HostName = "ServerNameRemoved";
	HRESULT = "0x87d00455";
	ProcessID = 8760;
	StatusCode = 401;
	ThreadID = 9736;
};
	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Status Agent hasn't been initialized yet. Attempting to create pending event.	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Raising pending event:

instance of CCM_CcmHttp_Status
{
	ClientID = "GUID:5931403a-c5e2-4efd-8d21-35f5f07e44ab";
	DateTime = "20190111170232.478000+000";
	HostName = "ServerNameRemoved";
	HRESULT = "0x87d00455";
	ProcessID = 8760;
	StatusCode = 401;
	ThreadID = 9736;
};
	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Successfully submitted pending event to WMI.	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Request to https://ServerNameRemoved/CCM_PROXY_MUTUALAUTH/72057594037927939/ccm_system/request failed with 401 - Access denied	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Successfully queued event on HTTP/HTTPS failure for server 'ServerNameRemoved'.	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
HttpRequestResponse( L"ccmhttp", pszUrl, m_sPostVerb.c_str(), (LPCWSTR)csRequestHeaders, 0, 0, spRequestStream, uFlags, &m_httpOptions, ResponseHandler, (LPVOID)ppResponse, false, eCertAuthResult, m_dwHttpStatus, sStatusText), HRESULT=87d00455 (..\ccmhttppost.cpp,147)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
Post to https://ServerNameRemoved/CCM_PROXY_MUTUALAUTH/72057594037927939/ccm_system/request failed with 0x87d00231.	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
HandleRemoteSyncSend failed (0x87d00231).	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
HandleRemoteSyncSend( msgRequestHeader, pRequestPayload, uliRequestPayloadLen.LowPart, ulTimeoutMilliseconds, ppReply), HRESULT=87d00231 (forwarder_client.cpp,1383)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
CForwarder_Sync::Send failed (0x87d00231).	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
_Send(msgHeader.GetXMLElement(), spPayload, bLocalEndpoint, ulTimeoutMilliseconds, ppReply), HRESULT=87d00231 (forwarder_base.cpp,408)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
CForwarder_Base::Send failed (0x87d00231).	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
g_spSyncForwarder->Send( sCcmMessagePtr(pMessage), ulFlags, ulTimeoutMilliseconds, ppReply, sCompressionAlgorithm ), HRESULT=87d00231 (ccmmessaging.cpp,147)	CcmMessaging	11/01/2019 17:02:32	9736 (0x2608)
January 11th, 2019 | Uncategorized | 2 Comments
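A triage sketch for log excerpts like the CCMMessaging.log paste above, added here as an example and not part of the original post or of any Microsoft tooling. It assumes the tab-separated layout shown on the page (message, component, timestamp, thread), folds multi-line entries such as the WMI event into one record, and tallies HRESULT values, HTTP status text and CMG proxy endpoints; the function names and the sample host are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout pasted above: message, component, timestamp,
# thread, separated by tabs. Host name and URL path are placeholders.
T = "\tCcmMessaging\t11/01/2019 17:02:32\t9736 (0x2608)\n"
SAMPLE = (
    "RetrieveTokenFromStsServerImpl failed with error 0x87d0027e" + T
    + "[CCMHTTP] ERROR: URL=https://cmg.example.test/CCM_PROXY_MUTUALAUTH/1/ccm_system/request, Text=CCM_E_NO_TOKEN_AUTH" + T
    + "[CCMHTTP] ERROR INFO: StatusCode=401 StatusText=CMGService_Invalid_Client_Certificate" + T
    + 'Raising event:\n\ninstance of CCM_CcmHttp_Status\n{\n\tHRESULT = "0x87d00455";\n\tStatusCode = 401;\n};\n' + T
    + "HandleRemoteSyncSend failed (0x87d00231)." + T
)

# Trailer that closes every entry: <TAB>component<TAB>date time<TAB>thread (0xhex)
TRAILER = re.compile(r"\t(\w+)\t(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\t(\d+) \(0x[0-9A-Fa-f]+\)$")
# Failure HRESULTs appear both as 0x87d0027e and as HRESULT=87d0027e
HRESULT = re.compile(r"(?:0x|HRESULT=)(8[0-9a-f]{7})\b", re.I)

def parse_entries(text):
    """Yield (message, component, timestamp, thread); a message may span lines."""
    pending = []
    for line in text.splitlines():
        m = TRAILER.search(line)
        if not m:
            pending.append(line)  # body of a multi-line entry, e.g. a WMI event
            continue
        pending.append(line[:m.start()])
        yield "\n".join(pending).strip(), m.group(1), m.group(2), int(m.group(3))
        pending = []

def summarize(text):
    """Count HRESULTs, HTTP status pairs and CMG proxy endpoints per log excerpt."""
    codes, http, endpoints = Counter(), [], Counter()
    for msg, _component, _ts, _thread in parse_entries(text):
        codes.update(c.lower() for c in HRESULT.findall(msg))
        s = re.search(r"StatusCode=(\d+) StatusText=(\S+)", msg)
        if s:
            http.append((int(s.group(1)), s.group(2)))
        endpoints.update(re.findall(r"/(CCM_PROXY_[A-Z]+)/", msg))
    return {"hresults": codes, "http": http, "endpoints": endpoints}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full client log, the `endpoints` tally shows which CMG proxy path the client was using when the 401 status text was returned.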


2 Comments

  1. Tom July 1, 2019 at 3:04 pm

    We’re having a similar issue, what was your resolution?

    • peterc2609 July 1, 2019 at 3:34 pm

      Hi Tom

      Our resolution was to create a new MP, install the connector on there and it all worked.

      MS suggested it after a good few months!

      Peter
