Five key configuration steps for implementing Internet-based clients in ConfigMgr 2012

This blog post is about the key configuration steps for implementing Internet-based clients in ConfigMgr 2012. By key configuration steps, I’m talking about the configuration of the web server certificate, IIS, site systems, site system roles and client installations. To understand these steps, knowledge of certificates, IIS and ConfigMgr is required, because it’s not a step-by-step configuration guide.

Prerequisites

Before going through these steps, there are a few important prerequisites that should be in place:

  • Site systems for Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • A supporting public key infrastructure (PKI) must be in place that can deploy and manage the certificates required by the clients managed on the Internet and by the Internet-based site system servers.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.

Configuration 1: Web server certificate

One of the most important things with Internet-based client management is the web server certificate. This certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL). Depending on the scenario, this certificate needs only the Internet FQDN, or both the Internet and the intranet FQDN. For Internet-based client management the following two scenarios are possible:

  1. If the site system only accepts connections from the Internet, the Subject Name or Subject Alternative Name (SAN) must contain the Internet FQDN.
  2. If the site system accepts connections from the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified in the SAN.

Configuration 2: Default web site

Even though this is a very small point for Internet-based client management, it is very important not to forget. After the certificate is created, it must be configured as an HTTPS binding in the Site Bindings of the Default Web Site. If WSUS is also running on the server and has to be used by the Internet-based clients, the same has to be done for the Windows Administration site.

Configuration 3: Site system

The next key configuration for Internet-based client management is the Internet FQDN in the Site System Properties of the Internet-based site system. The key point is that this Internet FQDN must be exactly the same as the Internet FQDN specified in the web server certificate. When those names don't match, the client cannot verify the identity of the site system, which of course keeps the client from being assigned to the site.
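The three checks above (the right names in the certificate, an HTTPS binding on the Default Web Site, and the site system's Internet FQDN matching the certificate) are easy to get slightly wrong and hard to see from the client side. The following PowerShell function is an added example and not part of the original post or of ConfigMgr: run it on the site system, passing the thumbprint of the web server certificate and the Internet FQDN you entered in the Site System Properties. The function name, its parameters and the sample FQDNs are my own; it assumes the IIS WebAdministration module is present and an English Windows install (the SAN formatter prints "DNS Name=" lines).

```powershell
# Added example, not code from the original post. Verifies that the web server certificate of an
# Internet-based site system carries the required FQDNs, has the Server Authentication EKU, chains
# to a trusted root, and is the certificate behind the https binding of the Default Web Site.
function Test-SiteSystemCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,    # certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory=$true)][string]$InternetFqdn,  # must equal the Internet FQDN set on the site system
        [string]$IntranetFqdn,                               # omit for an Internet-only site system (scenario 1)
        [string]$SiteName = 'Default Web Site'
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Collect every DNS name the certificate is valid for: the SAN entries (OID 2.5.29.17) and the CN.
    # Format($true) prints one "DNS Name=<host>" per line on an English Windows install (assumption).
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @($san.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    $names += $cert.GetNameInfo('SimpleName', $false)

    # Scenario 1 needs the Internet FQDN; scenario 2 needs the Internet and the intranet FQDN.
    $required = @($InternetFqdn)
    if ($IntranetFqdn) { $required += $IntranetFqdn }
    $missing = @($required | Where-Object { $names -notcontains $_ })

    # The Web Server template issues the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'))

    # Configuration 2: the web site must carry an https binding that uses this very certificate.
    $bound = $false
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $bound = [bool](Get-WebBinding -Name $SiteName -Protocol https |
                    Where-Object { $_.certificateHash -eq $Thumbprint })
    } catch {
        Write-Warning "Could not query IIS bindings: $_"
    }

    # Verify() builds the chain including a revocation check, as the client will do over HTTPS.
    $chainOk = $cert.Verify()
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DnsNames      = $names
        MissingNames  = $missing
        ServerAuthEku = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        ChainsToRoot  = $chainOk
        HttpsBinding  = $bound
        Ok            = ($missing.Count -eq 0) -and $serverAuth -and $cert.HasPrivateKey -and $chainOk -and $bound
    }
}

# Constructed usage: an Internet-only management point (scenario 1); the thumbprint is a placeholder.
# Test-SiteSystemCertificate -Thumbprint '<THUMBPRINT>' -InternetFqdn 'mp.example.com'
# Scenario 2 adds -IntranetFqdn 'mp.corp.example.com' and then expects both names in the SAN.
```

If MissingNames is not empty the clients will fail exactly as described above: the certificate is valid, but not for the name the client was told to connect to, so site assignment never happens. A false HttpsBinding means the certificate exists in the store but IIS is still serving the default or another certificate.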

Configuration 4: Site role

After the Internet FQDN is configured, the Internet-based site system must be configured to accept client connections from the Internet. This configuration must be done per role that is supposed to communicate over the Internet. For Internet-based client management either Allow Internet-only connections or Allow intranet and Internet connections should be configured. The Management point, Distribution point, Fallback status point, Software update point, Application Catalog website point and Enrollment proxy point can all be configured to accept client connections from the Internet.

Configuration 5: Client installation

The last important configuration is the client installation. During the installation, clients must be directly assigned to the site and be configured with the Internet FQDN of the management point. For Internet-based client management this leaves two possible installation options:

  1. Internet-only clients: Ccmsetup.exe /UsePKICert CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>" CCMALWAYSINF=1
  2. Intranet and Internet clients: Ccmsetup.exe /UsePKICert SMSMP="<IntranetFQDN>" CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>"

Note: For lab environments and testing it might be convenient to also use /NoCRLCheck. This prevents the client from checking the certificate revocation list (CRL) before establishing an HTTPS connection.

More information

How to Configure the WSUS Web Site to Use SSL.
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
About Client Installation Properties in Configuration Manager


How to install a ConfigMgr Client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode.

Installing a ConfigMgr Client on a WORKGROUP computer is always a nice battle when the ConfigMgr Site is in Native Mode. I think I am not the only one who didn't work that much with certificates before ConfigMgr. So to make the basics of this process a bit easier for everyone, I wrote down these seven steps for implementing the correct certificates and installing the ConfigMgr Client on a WORKGROUP client. The same steps can also be used for separate forests.

Step 1. Export the Root Certificate for use on the WORKGROUP computer

  1. Log on to the Certification Authority server and create a folder to contain your certificate files (e.g. C:\Certificates).
  2. Open a command prompt and go to the just created folder.
  3. Use the following command to export the Root Certificate: certutil -ca.cert RootCertificate.cer

Step 2. Create a Certificate Template for the WORKGROUP computer

  1. Open the Certification Authority Console, right-click Certificate Templates, and click Manage to load the Certificates Templates console.
  2. Select Windows Server 2003 Enterprise and click OK.
  3. Right-click the Workstation Authentication template and click Duplicate Template.
  4. In the Properties of New Template dialog box, type the name for Template display name. As my normal Client Certificate Template is named ConfigMgr Client Certificate, I will name this one ConfigMgr Client Certificate for Export.
  5. Click the Request Handling tab and select Allow private key to be exported.
  6. Click the Subject Name tab and select Supply in the request. This allows you to supply the FQDN of each client in the separate WORKGROUP at the time you request the certificate.
  7. Click OK to close the Properties of New Template and close the Certificates Template Console.
  8. In the Certification Authority Console, right-click Certificate Templates, click New, click Certificate Template to Issue, select the certificate template you just created (e.g. ConfigMgr Client Certificate for Export), and then click OK.

Step 3. Request and Install the Client Certificate for the WORKGROUP computer

  1. Open a text editor and copy and paste the following text into the file (replace <FQDN> with the fully qualified domain name of the computer that has to use this certificate):

    [NewRequest]
    Subject = "CN=<FQDN>"
    MachineKeySet = True
    Exportable = TRUE
    KeyLength = 2048
    [RequestAttributes]
    CertificateTemplate = ConfigMgrClientCertificateforExport

  2. Save the file as ConfigMgrClientCertificate.inf in the folder created in Step 1.
  3. Open a command prompt and go to the same folder as the saved file.
  4. Use the following command to create a certificate request: certreq -new ConfigMgrClientCertificate.inf ConfigMgrClientCertificate.req
  5. Use the following command to submit the certificate request: certreq -submit ConfigMgrClientCertificate.req ConfigMgrClientCertificate.cer
  6. In the Select Certification Authority dialog box, select the CA, and then click OK.
  7. Use the following command to accept the requested certificate: certreq -accept ConfigMgrClientCertificate.cer

Step 4. Export the Client Certificate for the WORKGROUP computer

  1. Open the Certificates Console for the local computer, right-click the certificate that is issued to <FQDN>, click All Tasks, and then click Export to launch the Certificate Export Wizard.
  2. On the Welcome page, click Next.
  3. On the Export Private Key page select Yes, export the private key and click Next.
  4. On the Export File Format page confirm that Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
  5. On the Password page specify a password and click Next.
  6. On the File to Export page specify the path and name of the file and click Next.
  7. On the Summary page click Finish and click OK to close the confirmation popup.

Step 5. Import the Root Certificate in the WORKGROUP computer

  1. On the computer in the WORKGROUP, open the Certificates Console for the local computer and navigate to Trusted Root Certification Authorities\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the root certificate file that you created. After that click Open and then click Next.
  5. On the Certificate Store page click Next.
  6. Click Finish to close the wizard and click OK to close the confirmation popup.

Step 6. Import the Client Certificate in the WORKGROUP computer

  1. Open the Certificates Console for the local computer and this time navigate to Personal\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the exported certificate file that you created. Next click Open and then click Next.
  5. On the Password page type the password that you specified earlier and then click Next.
  6. On the Certificate Store page click Next.
  7. Click Finish to close the wizard and click OK to close the confirmation popup.

To confirm that the certificates were imported correctly, navigate to Personal\Certificates and select the certificate that is issued to <FQDN>. Double-click the certificate and click the Certificate Path tab; this checks that the certificate successfully chains to the issuing root CA certificate. You should see the certificate and the root CA certificate, with the Certificate status displaying This certificate is OK. Click OK to close the certificate properties.
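Steps 5 and 6 and the chain check above are the part of this process that usually gets repeated for every WORKGROUP computer, so they are worth scripting. The following PowerShell function is an added example and not part of the original post: it imports the root certificate from Step 1 and the PFX from Step 4 into the local machine stores and then performs the same chain and name verification the wizard shows you. It uses the .NET X509 classes directly rather than the newer PKI module cmdlets. The function name, parameters and the sample paths are my own; the PFX password is passed as a SecureString because it protects the exported private key.

```powershell
# Added example, not code from the original post. Scripts Step 5 (root CA into Trusted Root
# Certification Authorities), Step 6 (client certificate with private key into Personal) and the
# chain check that follows them on the WORKGROUP computer.
function Import-WorkgroupClientCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$RootCertPath,   # RootCertificate.cer from Step 1
        [Parameter(Mandatory=$true)][string]$ClientPfxPath,  # the .pfx exported in Step 4
        [Parameter(Mandatory=$true)][System.Security.SecureString]$PfxPassword,
        [Parameter(Mandatory=$true)][string]$ExpectedFqdn    # the <FQDN> used in the certreq .inf
    )
    $ns = 'System.Security.Cryptography.X509Certificates'

    # Step 5: trust the issuing root. LocalMachine\Root makes it trusted for every account on the box,
    # including LocalSystem, which is what the SMS Agent Host runs as.
    $root  = New-Object "$ns.X509Certificate2" -ArgumentList $RootCertPath
    $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite'); $store.Add($root); $store.Close()

    # Step 6: client certificate plus private key into LocalMachine\My. MachineKeySet puts the key in
    # the machine key container (matching MachineKeySet = True in the .inf); PersistKeySet keeps it
    # on disk after this process exits instead of treating it as an ephemeral key.
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $client = New-Object "$ns.X509Certificate2" -ArgumentList $ClientPfxPath, $PfxPassword, $flags
    $store  = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite'); $store.Add($client); $store.Close()

    # The check from the post: issued to <FQDN> and chaining to the root CA we just imported.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a WORKGROUP box often cannot reach the CRL yet
    $chainOk  = $chain.Build($client)
    $issuedTo = $client.GetNameInfo('DnsName', $false)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint

    # The Workstation Authentication template issues the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = [bool]($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.2'))

    New-Object PSObject -Property @{
        IssuedTo        = $issuedTo
        NameMatches     = ($issuedTo -eq $ExpectedFqdn)
        HasPrivateKey   = $client.HasPrivateKey
        ClientAuthEku   = $clientAuth
        ChainsToRoot    = $chainOk
        ChainEndsAtRoot = ($chainRoot -eq $root.Thumbprint)
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Ok              = $chainOk -and ($chainRoot -eq $root.Thumbprint) -and ($issuedTo -eq $ExpectedFqdn) -and $client.HasPrivateKey -and $clientAuth
    }
}

# Constructed usage; paths and name are placeholders for your own values.
# $pwd = Read-Host -AsSecureString 'PFX password'
# Import-WorkgroupClientCertificate -RootCertPath 'C:\Certificates\RootCertificate.cer' `
#     -ClientPfxPath 'C:\Certificates\workgroup01.pfx' -PfxPassword $pwd -ExpectedFqdn 'workgroup01.example.com'
```

ChainsToRoot false with a ChainStatus of UntrustedRoot means Step 5 did not take (wrong store, or a different root than the one that issued the client certificate). HasPrivateKey false means the PFX was exported without the private key in Step 4, and the client will not be able to authenticate to the site systems even though the certificate looks fine in the console.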

Step 7. Install the ConfigMgr Client on the WORKGROUP computer

  1. Open a command prompt and go to the location of the ccmsetup.exe.
  2. Use the following, or a similar, command to install the ConfigMgr Client: ccmsetup.exe /Native:FALLBACK SMSSITECODE=<SiteCode> SMSSLP=<SLP>

Reminder: Don’t forget to add a Boundary to your ConfigMgr Site that includes the WORKGROUP computer.


After upgrading to ConfigMgr 2007 R2 SP2 (RC) all OS Deployment Task Sequences are failing

After the upgrade of my test lab (which is running in Native Mode) to ConfigMgr 2007 R2 SP2 (RC) all my Task Sequences suddenly fail with the error: An error occurred while retrieving policy for this computer (0x80004005).

Taking a look at my SMSTS.LOG it showed me the error: No cert available for policy decoding.

This made me wonder what happened to my PXE Certificate that I applied to my PXE Service Point. So I took a look at my certificates (System Center Configuration Manager > Site Database > Site Management > <MySiteName> > Site Settings > Certificates > PXE). Here I noticed that my PXE Certificate was just suddenly missing…

So after re-adding my PXE Certificate to my PXE Service Point it all worked fine again. To add a PXE Certificate to the PXE Service Point, follow these steps:

  1. Open the Configuration Manager console and browse to System Center Configuration Manager > Site Database > Site Management > <YourSiteName> > Site Settings > Site Systems.
  2. Select the PXE Service Point and click in the Actions pane Properties to open the ConfigMgr PXE Service Point Properties.
  3. Select the Database tab and select Import Certificate.
  4. Browse to the needed certificate, fill in the Password and click OK.

Prepare ConfigMgr Client for Capture doesn’t remove the AllowedRootCAHashCode value

In most situations it doesn't matter that the AllowedRootCAHashCode value doesn't get removed during a Capture of the client, but there is one situation where it does matter: when there has to be one image for multiple domains and every domain has its own issuing CAs. This is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate, the client isn't able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn't able to check the policies.

As a workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode value.

Another workaround (which is probably a bit easier) can be found at the ConfigMgr TechNet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted there is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.
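Either workaround is a single registry deletion, but a Task Sequence step is more useful when it is idempotent, logs what it removed, and can be dry-run. The following PowerShell script is an added example and not part of the original post or of the forum thread: by default it removes only the AllowedRootCAHashCode value, as in the install Task Sequence workaround above, and with -WholeKey it removes the entire Security key, as in the Build and Capture variant. The function name and the script file name are my own.

```powershell
# Added example, not code from the original post. Registry path and value name are the ones the
# post names; the default mode removes only AllowedRootCAHashCode, -WholeKey removes the Security key.
function Reset-CcmRootCaTrust {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$WholeKey)

    $path = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    $name = 'AllowedRootCAHashCode'

    if (-not (Test-Path -Path $path)) {
        Write-Verbose "$path not present; nothing to do"
        return $false
    }

    if ($WholeKey) {
        # Build and Capture variant: drop the whole key so the captured image carries no CA or
        # site signing trust from the build domain at all.
        if ($PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
            Remove-Item -Path $path -Recurse -Force
        }
        return (-not (Test-Path -Path $path))
    }

    # Install Task Sequence variant: remove only the cached root CA hash so the client re-learns it
    # from the site it is now being installed into.
    $current = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if (-not $current) {
        Write-Verbose "$name not present under $path; nothing to do"
        return $false
    }
    Write-Verbose ("Removing {0} (was {1})" -f $name, $current.$name)
    if ($PSCmdlet.ShouldProcess("$path\$name", 'Remove registry value')) {
        Remove-ItemProperty -Path $path -Name $name -Force
    }
    return (-not (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue))
}

# Save as ResetCcmRootCaTrust.ps1 and call it from a Run Command Line step, for example:
#   powershell.exe -ExecutionPolicy Bypass -File ResetCcmRootCaTrust.ps1
# Add -WholeKey below for the Build and Capture Task Sequence variant.
Reset-CcmRootCaTrust -Verbose
```

Running the script with -WhatIf shows which value or key would be removed without touching the registry, which is handy when verifying the step on a reference machine before adding it to the Task Sequence.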

More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx


Certificates needed for Native Mode

The biggest problem, for me, with Native Mode was all the certificates that were needed. That's why I created a table for myself with the basic certificates that are needed for Native Mode and where to add them. The "Where to add" entries are based on Windows Server 2008.

For each ConfigMgr component: the certificate use (template) and where to add it.

  • Primary Site Server
    Use: Document Signing
    Where to add: ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode
  • Management Point, Proxy Management Point, Distribution Point, Software Update Point and (State Migration Point)
    Use: Server Authentication (Web Server Template)
    Where to add: IIS > -Right-click- Sites > Edit Bindings > HTTPS -Edit-
  • Client computers
    Use: Client Authentication (Computer Template)
    Where to add: GPO > Policies > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > -Right-click- Certificate Services Client – Auto-enrollment
  • Operating System Deployment/PXE
    Use: Client Authentication (Workstation Template). Don't forget the option: Allow Private Key to be exported
    Where to add: ConfigMgr > Site Management > Site Database > Primary Site > Site Settings > Site Systems > Properties ConfigMgr PXE Service Point > Tab Database
  • Root CA for OSD
    Use: Root
    Where to add: ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode > Specify Root CA Certificates…

For more detailed information: http://technet.microsoft.com/en-us/library/bb680733.aspx
