In a previous series of guides I showed you how to configure PKI in a lab on Windows Server 2016. In another series, I also showed you how to install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017. In this lab, I will show you how to configure SCCM to utilize that PKI environment.
This series is based upon an excellent video by the talented former Microsoft Premier Field Engineer Justin Chalfant here. If you haven't seen it yet, do check it out.
The intention here is that after you've completed this PKI enabled SCCM lab you can then use it in future guides and dig deeper into newer technologies from Microsoft, for example enabling a Cloud Management Gateway and/or Cloud Distribution Point and, later on, Co-Management.
Note: To complete this lab you must first complete the PKI Lab series (8 parts) and then install a new virtual machine within that PKI lab running System Center Configuration Manager (Current Branch) version 1902 using this series; that installation of Configuration Manager will be in HTTP mode. In addition, you must configure the Software Update Point role (in HTTP mode) on CM01; see this guide (step 2 onward) for details. For details on how to configure that, see this post. It will take some time to set up but you'll be glad you did. Also, don't do this in production without consulting with a PKI expert. I don't claim to be one, I'm just helping you get it up and running in a lab. This is intended for use in a lab only.
Step 1. Create an Active Directory Security Group
In this step you'll create an Active Directory group which will contain all your site systems that host Configuration Manager server roles which utilize IIS (Internet Information Services), such as the below (1):
Management point
Distribution point
Software update point
State migration point
Enrollment point
Enrollment proxy point
Application Catalog web service point
Application Catalog website point
Certificate registration point
On the Active Directory domain controller (DC01), open Active Directory Users and Computers, and expand the windowsnoob organisational unit (OU) created in Step 1 of part 5 of this blog post.
Right click on Security Groups, choose New, then Group. Name the group SCCM IIS Servers.
Once done, right click on the SCCM IIS Servers Active Directory Security Group, choose Properties and click on the Members tab, then click on Add and for Object Types make sure Computers are selected. Add the Configuration Manager server (CM01) to that group.
Next, reboot the Configuration Manager server (CM01) using the following command; the computer only picks up its new group membership at the next logon, so without the reboot you might get access denied when trying to request a certificate.
shutdown /r
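The same group creation, membership change and restart as a script, added here as an example and not part of the original post. It assumes RSAT's ActiveDirectory module is available on DC01, and the OU distinguished name and domain suffix are assumptions you need to adjust to your own lab:

```powershell
# Added example (not from the original post): create the SCCM IIS Servers group, add CM01, restart CM01.
# Run on DC01 as a domain admin. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed path of the Security Groups OU created in the PKI lab; adjust to your domain
$ouPath    = 'OU=Security Groups,OU=windowsnoob,DC=windowsnoob,DC=lab'
$groupName = 'SCCM IIS Servers'

# Create the group only if it does not already exist
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'SCCMIISServers' `
        -GroupCategory Security -GroupScope Global -Path $ouPath `
        -Description 'Site systems hosting IIS-based Configuration Manager roles'
}

# Add the site server's computer object (Object Types: Computers in the GUI)
$cm01 = Get-ADComputer -Identity 'CM01'
Add-ADGroupMember -Identity $groupName -Members $cm01

# Verify the membership before moving on
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass

# The computer account only carries the new group SID in its token after a restart,
# which is why a certificate request made before rebooting can be denied.
Restart-Computer -ComputerName 'CM01' -Force -Wait -For PowerShell
```

Restart-Computer with -Wait blocks until CM01 is back and accepting remote PowerShell, which is convenient when you continue with the certificate requests on that server in step 4.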
Step 2. Create certificate templates on the Issuing CA
In this step you will create three new certificate templates for use within SCCM by duplicating existing templates. Using the windowsnoob\Entadmin credentials, log on to the Issuing CA server (IssuingCA) and launch the Certification Authority console (CertSrv.msc).
Of the three templates below, one uses the Web Server template and the other two use the Workstation Authentication template. You can verify which Microsoft certificate template to use with the tables in the following blog post, of which I'm showing a screenshot below to make it clear.
1. SCCM IIS Certificate
Right click on Certificate Templates and choose Manage.
Scroll down to Web Server from the templates listed.
Right click on the Web Server template and choose Duplicate Template.
The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003.
Note: When you use an enterprise certification authority and certificate templates, do not use the Version 3 templates (well you can but read this first). These certificate templates create certificates that are incompatible with System Center Configuration Manager. Instead, use Version 2 templates by using the following instructions. On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option. (1)
Click on the General tab and rename it to SCCM IIS Certificate.
On the Request Handling tab, verify that Allow private key to be exported is not selected (default).
On the Subject Name tab, verify that Supply in the request is selected (default).
On the Security tab, add the previously created Active Directory Security Group called SCCM IIS Servers and give it Read and Enroll access. Optionally you can remove Enroll from Domain Admins and Enterprise Admins, as mentioned in the docs.
Click Apply to apply the changes and then close the Properties of New Template.
2. SCCM DP Certificate
This template is used by the distribution point site system for Operating System Deployment (clients that are not domain joined). Next, right click on Workstation Authentication from the templates listed and choose Duplicate Template.
The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003. Click on the General tab and rename it to SCCM DP Certificate, and change the validity period to something more reasonable, like 3 years.
On the Request Handling tab, ensure that Allow private key to be exported is selected. We need this because we'll export the certificate as a pfx file (which requires the private key) and import it into the console so that clients can use it during imaging (workgroup members, to authenticate back to your site).
On the Security tab, add the previously created Active Directory Security Group called SCCM IIS Servers and give it Read and Enroll access.
Next, remove Domain Computers altogether.
Click Apply to apply the changes and then close the Properties of New Template.
3. SCCM Client Certificate
This template is used by clients to communicate with site systems. Next, right click on Workstation Authentication from the templates listed and choose Duplicate Template. The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003. Click on the General tab and rename it to SCCM Client Certificate, and change the validity period to something more reasonable, like 3 years.
Under Subject Name, verify that Build from this Active Directory information is selected. On the Request Handling tab, verify that Allow private key to be exported is not selected (default).
On the Security tab, select Domain Computers and ensure that Read, Enroll and Autoenroll permissions are selected.
Click Apply to apply the changes and then close the Properties of New Template.
The three SCCM templates are now shown below.
Close the Certificate Templates console.
Next you will issue these certificate templates. To do so, in the Certificate Authority (on the IssuingCA), right click on Certificate Templates and choose New, then Certificate Template to Issue.
In the Enable Certificate Templates window, select the 3 previously created SCCM templates as shown below and click OK.
They will now appear under Certificate Templates.
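To check that the three duplicated templates carry the settings chosen above, and to publish them without the Certificate Template to Issue dialog, here is an added example (not code from the original post). It reads the template objects from the Configuration partition with the ActiveDirectory module and publishes them with Add-CATemplate from the ADCSAdministration module that ships with the CA role; the template CNs are looked up from the display names, since the CN is what Add-CATemplate expects. The expected-value table and flag constants are the well-known msPKI attribute bits, not anything taken from the post:

```powershell
# Added example (not from the original post): verify and publish the three SCCM templates.
# Run on IssuingCA as windowsnoob\Entadmin.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: private key may be exported
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x01   # msPKI-Certificate-Name-Flag: subject supplied in the request

# What each template should look like after the steps above
$expected = @{
    'SCCM IIS Certificate'    = @{ Exportable = $false; SuppliesSubject = $true  }
    'SCCM DP Certificate'     = @{ Exportable = $true;  SuppliesSubject = $false }
    'SCCM Client Certificate' = @{ Exportable = $false; SuppliesSubject = $false }
}

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props     = 'displayName', 'msPKI-Template-Schema-Version', 'msPKI-Private-Key-Flag',
             'msPKI-Certificate-Name-Flag', 'pKIExpirationPeriod'

function Get-SccmTemplate([string]$DisplayName) {
    Get-ADObject -SearchBase $container -Properties $props `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
}

# Report each template against the expected settings
foreach ($displayName in $expected.Keys) {
    $t = Get-SccmTemplate $displayName
    if (-not $t) { Write-Warning "Template '$displayName' not found in AD"; continue }

    # pKIExpirationPeriod is a negative 64-bit interval in 100 ns units
    $validityDays = [math]::Round((-([BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))) / 10000000 / 86400)
    $exportable   = ($t.'msPKI-Private-Key-Flag'      -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    $supplies     = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    [pscustomobject]@{
        Template        = $displayName
        Cn              = $t.Name
        SchemaVersion   = $t.'msPKI-Template-Schema-Version'   # 2 = Windows Server 2003 compatibility
        ValidityDays    = $validityDays
        ExportableKey   = $exportable
        SubjectSupplied = $supplies
        OK              = ($t.'msPKI-Template-Schema-Version' -eq 2) -and
                          ($exportable -eq $expected[$displayName].Exportable) -and
                          ($supplies   -eq $expected[$displayName].SuppliesSubject)
    }
}

# Publish the templates on this CA (the GUI's "Certificate Template to Issue"), skipping any already published
foreach ($displayName in $expected.Keys) {
    $t = Get-SccmTemplate $displayName
    if ($t -and -not (Get-CATemplate | Where-Object Name -eq $t.Name)) {
        Add-CATemplate -Name $t.Name -Force
    }
}
Get-CATemplate
```

The SubjectSupplied column is the one worth a second look: because the IIS template lets the requester name the subject, the Enroll permission on it is the only thing deciding which names the CA will sign, which is why that template is limited to the SCCM IIS Servers group (and why the docs suggest taking Enroll away from the admin groups). The DP and client templates build their subject from Active Directory and need no such care.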
Step 3. Verify Auto-Enrollment GPO is enabled for the Client Certificate
In Part 8 of the PKI lab you enabled Auto Enrollment so that clients can request certificates automatically. As it is a lab, the setting is deployed in the default domain GPO. The setting is in Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, and Certificate Services Client - Auto Enrollment.
The setting should look like so (Enabled).
Step 4. Requesting the IIS and DP/OSD Certificates on the IIS Site System
On the SCCM server (CM01), which hosts all those IIS ConfigMgr roles, start certlm.msc from an administrative command prompt.
If you expand Personal, then Certificates, you'll see the certificates issued to that computer; there will be a few by default.
In the administrative command prompt, run
gpupdate /force
to pull down the group policy changes, and then refresh the view in certlm. Below you can see that the SCCM Client Certificate template was used to generate this Client Authentication certificate.
Requesting New certificates
Next, you will request certificates from Active Directory, to do so, right click on Certificates and choose All Tasks then Request New Certificate.
Click Next at the Before you begin screen, and verify that Active Directory Enrollment Policy is selected before clicking Next. Select the SCCM DP Certificate and SCCM IIS Certificate from those listed (you already have the SCCM Client Certificate from autoenrollment).
You'll notice that for the SCCM IIS Certificate, more information is required to enroll. Click on the message to enter this info.
For Alternative Name, choose the DNS option and then click on Add to add the hostname and fully qualified domain name of your SCCM server (CM01).
Note: If you want this server to be available via IBCM (Internet-based client management) you could also add the publicly available FQDN of the site here (eg: cm01.windowsnoob.com).
Next, click on General and give this cert a friendly name so we can distinguish it in IIS later when we bind it.
Click OK, then click Enroll.
It should state a status of Succeeded for both certificates. If not look at the details to find out what went wrong.
Click Finish to exit.
Step 5. Exporting the Distribution Point certificate
Next you need to export the Distribution Point certificate so that during OSD the client can authenticate to the management point in WinPE. To do that, refresh the view in Certificates (certlm.msc) and then select the client authentication certificate created with the SCCM DP Certificate template.
Right click and choose All Tasks, then select Export. In the welcome to certificate export wizard click Next and choose to export the private key.
Stick with the defaults, and give it a password that you will use when you import it back into the SCCM Console (I used P@ssw0rd).
Save the cert to your desktop with a filename of OSD Cert.pfx and continue through that wizard until completion.
You should see that the export was successful.
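Steps 3 to 5 on CM01 (confirming the autoenrolled client certificate, requesting the IIS and DP certificates, and exporting the DP certificate with its private key) as one script, added here as an example and not code from the original post. It uses the built-in PKI module cmdlets Get-Certificate and Export-PfxCertificate. Assumptions: the template CNs are the display names with spaces removed (SCCMIISCertificate, SCCMDPCertificate), which is what the console proposes when you duplicate a template; the internal FQDN cm01.windowsnoob.lab is a placeholder for your lab's domain; Get-CertByTemplate is a helper written for this example:

```powershell
# Added example (not from the original post): verify autoenrollment, request the IIS and DP
# certificates, and export the DP certificate as "OSD Cert.pfx". Run in an elevated PowerShell on CM01.
$fqdn          = 'cm01.windowsnoob.lab'   # assumed internal FQDN; adjust to your lab
$internalNames = 'CM01', $fqdn
# $internalNames += 'cm01.windowsnoob.com'   # add the public FQDN if CM01 will also serve IBCM clients

gpupdate /force | Out-Null

# Step 3 check: once the GPO has applied, the Auto-Enrollment setting is visible here
# (AEPolicy 7 = enabled, renew expired certificates, update certificates that use templates)
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
"AEPolicy = $($ae.AEPolicy)"

function Get-CertByTemplate([string]$TemplateDisplayName) {
    # Helper for this example: find certs in the machine store issued from a given template,
    # using the v2 Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and $ext.Format($false) -like "*$TemplateDisplayName*"
    }
}

# The client certificate should already be there from autoenrollment; if not, trigger a pass now
if (-not (Get-CertByTemplate 'SCCM Client Certificate')) {
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 10
}
Get-CertByTemplate 'SCCM Client Certificate' | Format-List Subject, NotAfter, Thumbprint

# Step 4: request the two certificates against the Active Directory enrollment policy.
# The IIS template has "Supply in the request" set, so subject and DNS names are given here;
# the DP template builds its subject from AD.
$iis = Get-Certificate -Template 'SCCMIISCertificate' -SubjectName "CN=$fqdn" `
           -DnsName $internalNames -CertStoreLocation Cert:\LocalMachine\My
$dp  = Get-Certificate -Template 'SCCMDPCertificate' -CertStoreLocation Cert:\LocalMachine\My
"IIS request: $($iis.Status)   DP request: $($dp.Status)"   # both should report Issued

# Friendly name on the IIS cert so it is easy to pick out when binding it in IIS later
(Get-ChildItem "Cert:\LocalMachine\My\$($iis.Certificate.Thumbprint)").FriendlyName = 'SCCM IIS Certificate'

# Step 5: export the DP certificate together with its private key (the DP template allows export)
$pfxPath     = Join-Path ([Environment]::GetFolderPath('Desktop')) 'OSD Cert.pfx'
$pfxPassword = Read-Host -Prompt 'Password for OSD Cert.pfx' -AsSecureString
$dp.Certificate | Export-PfxCertificate -FilePath $pfxPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null

Get-Item $pfxPath | Select-Object FullName, Length
Get-CertByTemplate 'SCCM DP Certificate' | Select-Object Subject, HasPrivateKey, Thumbprint
```

If Get-Certificate reports Error for the IIS template, the usual cause in this lab is the one the reboot in step 1 prevents: CM01's token not yet containing the SCCM IIS Servers group that holds the Enroll permission. The pfx produced here is what you import into the console in part 2, so keep the password you typed.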
That's it for this part, please join me in part 2 where we will complete the configuration of SCCM to HTTPS.
cheers
niall
Recommended reading
(1) - https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements