Why can’t I RDP to my CMG ?


The Cloud Management Gateway provides a simple way to manage ConfigMgr clients on the internet. And once you’ve set it up, you’ll probably want to get a closer look, and look at logs on the virtual machine in Azure. The virtual machine itself seems to be running a flavour of hyperv virtualization as revealed in the device manager of the vm.

Update 2020/09/17: RDP to the CMG is unsupported by Microsoft and is definitely not recommended. There is no use case where you should need to this. If you really want the logs from your CMG the supported way of doing that is to follow the advice here.

Enabling RDP on the CMG

By default, once your CMG is fully setup, configured and running, the RDP ability is not enabled (for security reasons). To temporarily enable it, in Azure search for Cloud Services (Classic) and select your CMG service.

Select your cmg cloud service and next select Remote Desktop from the options available.

In the Remote Desktop options, flip the switch over to Enabled and fill in a username and appropriately complex password before selecting the type of Encryption Certificate from the drop down .

The encryption certificate is used to encrypt the password to the role service. Click on Save when done.

You’ll see dots moving across the screen while it configures the service remotely before eventually being informed that it has successfully saved the remote desktop settings.

Next click on Roles and Instances, select the ProxyService IN 0 and click on Connect from the options available.

Note: Don’t be too quick however, as the Connect button may be greyed out and when you try to enable it you’ll be informed that the service was not enabled when you just enabled it. The service needs some time in the back end to get ready I guess…

this will download an RDP file customized for your CMG cloud service, you can save it or open it immediately using the Microsoft Terminal Services Client (MSTSC,EXE).

RDP connection problems

I saw three issues initially when using RDP to my CMG.

  • Securing remote connection
  • Authentication error
  • User account disabled

The first issue appeared after clicking OK to the RDP file downloaded, and then clicking on Connect,

was that MSTSC reported “Securing remote connection” and this just went on forever.

Remote Desktop Connection Connecting to: cmgnoob.cloudapp.net Securing remote connection...

No matter how long I waited or how many times I started RDP and attempted to connect, that was the progress seen,  it would never succeed in connecting.

I was just about to open an Azure Support ticket when I decided to try removing the ability to RDP and add it back again (aka turning it off and on again ;-)), that solved this issue.

The second issue occurred after entering credentials for the configured user.

The authentication error is shown below and basically translates to access denied.

Remote Desktop Connection. An authentication error has occurred (Code: 0x80004005). Remote computer: cmgnoob.cloudapp.net

The solution here was to prefix the username with AzureAD\ so rdpnoob became AzureAD\rdpnoob as shown below by clicking on More choices, then Use a different account.

This then prompted me to connect (this is expected as the certificate is from the VM itself)

and once connected I can see the type of account I have in my RDP session.

The third error occurred because I had enabled/disabled the RDP ability and changed the name of the user when re-creating it.

If you look at the screenshot above you can see a disabled ‘niall’ account, that was the account I initially created.

Remote Desktop Connection The user account is currently disabled and cannot be used. For assistance, contact your administrator or technical support.

The solution was to edit the downloaded RDP file in notepad or notepad++ and modify the username field to use the actual username configured in Remote Desktop.

Show me the logs

Once you have successfully connected to the CMG you can browse E:\approot\logs… to see how things are progressing. Actually I saw my approot change drive letter, from E: to F: and then back to E: again.

To verify where the logs are stored you can check the registry HKLM\SOFTWARE\Microsoft\SMS\Tracing\

The following logs are present:

  • CMGContentService.log
  • CMGService.log
  • CMGSetup.log

and of course you can use CMTrace (copy it via RDP) to review them.

that’s all for now, thanks for reading











This entry was posted in CMG. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.