Field Notes: CMG ARM Deployment Error

ConfigMgr CB 1802 shipped with the option of deploying the Cloud Management Gateway (CMG) via an Azure Resource Manager deployment. This was a welcome addition, as it meant one less certificate when provisioning the CMG.

I was deploying a new CMG instance for a client recently and was running into a rather unusual error. While deploying the CMG via ARM, the following error appeared in the CloudMgr.log:

ERROR: Resource Manager - Deployment operation details: {"value":[{"id":"/subscriptions/XXXXX-77a8-4d4e-b9b5-0b5f2554XXXX/resourceGroups/sscm-prd-rg/providers/Microsoft.Resources/deployments/CreateDeploymentSlot2bba3863-7b83-46ca-975d-62af78e1bxxx/operations/E3358A91AADA1335","operationId":"E3358A91AADA1335","properties":{"provisioningOperation":"Create","provisioningState":"Failed","timestamp":"2018-08-15T13:37:53.513375Z","duration":"PT3.8785109S","trackingId":"825ed0b7-d630-49fd-a4b4-63e177c6175e","statusCode":"BadRequest","statusMessage":{"error":{"code":"DeploymentSlotFetchingConfigurationFailed","message":"Fetching the configuration at '/deploymentcontainer/execmgrcmg001.cscfg' failed with status code 'Forbidden' and reason phrase 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.'."}

You will also see:

ERROR: TaskManager: Task [AnalyticsCollectionTask: Service execmgrcmg001] has failed. Exception Hyak.Common.CloudException, Failed to get cloud service network out metrics.

These errors will cause the CMG deployment to fail. The CMG setup will provision part of the cloud service and the storage account in Azure but will not build the CMG virtual machine. The activity log on the cloud service will show the following:

You can remove the failed CMG installation from the ConfigMgr console and run the setup again, but you will likely face the same issue. Trust me, I tried many times.

I was looking into my certificates, thinking this must have been a cert problem, but everything seemed to be in order. As it turns out, my certificates were fine. My primary site server's clock, however, was not.

It appears the ARM deployment is VERY sensitive to any time shift between (I assume) Azure and the local server. The ConfigMgr server clock was in sync with the DC; however, this was 18 seconds out of sync with my own machine and the world clock here: https://greenwichmeantime.com/timepiece/world-clock.

I adjusted the ConfigMgr system clock back 18 seconds, tried the deployment again and it worked like a charm. The CMG deployed without issue.
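
A way to measure the skew before retrying the deployment, rather than comparing clocks by eye. This is an added example, not part of the original post: it samples the site server's offset with the built-in w32tm tool. The reference source time.windows.com, the 5-second threshold and the function name are assumptions.

```powershell
# Added example: measure this server's clock offset before retrying the CMG deployment.
# Assumptions (not from the original post): time.windows.com as the reference
# time source and a 5-second warning threshold. Adjust both to your environment.
function Get-ClockOffsetSeconds {
    param(
        [string]$TimeSource = 'time.windows.com',
        [int]$Samples = 5
    )

    # With /dataonly, w32tm prints one "HH:mm:ss, +00.1234567s" line per sample;
    # failed samples are printed as "HH:mm:ss, error: 0x..." and are skipped here.
    $output = & w32tm.exe /stripchart "/computer:$TimeSource" "/samples:$Samples" /dataonly 2>&1

    $offsets = @(foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
            [double]::Parse($Matches[1].Replace(',', '.'), [cultureinfo]::InvariantCulture)
        }
    })

    if ($offsets.Count -eq 0) {
        throw "No offset samples returned from $TimeSource. Check that outbound UDP 123 is allowed."
    }

    # Use the median: one delayed reply skews it less than it would the mean.
    $sorted = @($offsets | Sort-Object)
    $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
}

$thresholdSeconds = 5   # assumed value, the post only reports that 18 seconds was too much
$offset = Get-ClockOffsetSeconds

if ([math]::Abs($offset) -gt $thresholdSeconds) {
    Write-Warning ("Clock differs from the reference by {0:N2} seconds." -f $offset)
    # In the post the server agreed with its DC, so the drift came from the
    # domain time source. Show where this machine gets its time from.
    & w32tm.exe /query /source
    & w32tm.exe /query /status
} else {
    Write-Output ("Clock offset is {0:N2} seconds, within the threshold." -f $offset)
}
```

If the offset is large and the source is a domain controller, correct the time at the domain's time source rather than on the site server alone, otherwise the server will drift back at the next sync.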

Hopefully in future releases this sensitivity to a tiny time difference is addressed. Hopefully this post helps anyone facing the same issue.

Cheers,

Dan