

cross forest domain + PKI + SCCM 2012


Domain A is untrusted by Domain B. Domain A has the working PKI-enabled SCCM infrastructure, with an operating certificate authority. I want to manage clients from Domain B. I see that I can add the domain forest in the console with an account for discovery; that part is straightforward. I am also ensuring that local admin accounts for pushing the client are created in Domain B and populated in the SCCM infrastructure of Domain A. Again, that part is straightforward, but how do I go about getting PKI to work?


How do I configure functioning PKI from Domain A to work on Domain B without a domain trust?


Do I need another certificate authority on Domain B, export the cert and add it to the SCCM infrastructure on Domain A?


Is there a way to use a single certificate authority to manage the cross forest untrusted domain?


The next question is how do I get auto enrollment to work with the cert on Domain B?



thanks for your help!





Bringing up an old topic. I'm needing to do this same thing. We have Cert Authorities in both domains. However, the RootCA is from Domain A and the client cert is from Domain B. It's set up in a way that the chain from the client cert in Domain B validates with the RootCA from Domain A. However, ConfigMgr won't recognize the client workstation cert as a valid cert, even though the chain looks right. Any ideas? I'd like to get this working.

I've since created an MP/DP and am working on a SUP in Domain B, using all the proper accounts from a document I've seen. That all works, but I had to move my infrastructure over to EHTTP. I would rather be HTTPS Only. Now that I have the server in Domain B, could I go to HTTPS Only if I created the proper Web Cert in Domain B like the one in Domain A? Lots of questions to be asked here. Do you need to place Domain B's Intermediate Cert anywhere? There isn't a lot of documentation out there around this.

One thought I was going to bring up with our Admin who takes care of the Cert Authority is why not just have a RootCA for Domain B, instead of the RootCA being from Domain A and anything below it being from Domain B. Thank you for the insight in advance.

The client workstation chain looks like this in Domain B:

DomainARoot.com <-- RootCA (Domain A)
DomainBIntermediate.com <-- Issuing Intermediate in Domain B
DomainBClient.com <-- Client workstation Cert
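Neither post above gets an answer in the thread, so here is an added diagnostic script (not from the original posters, and not ConfigMgr's own tooling) that checks a client certificate the way the management point will before it accepts an HTTPS client: the certificate must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2), have its private key in the computer store, chain to a root that is listed in the site's Trusted Root Certification Authorities list (Site Properties > Client Computer Communication), and pass revocation checking on the host doing the validation. For the two-forest layout in the second post the last two points are the usual failure: the MP in Domain A has to hold (or fetch via AIA) Domain B's issuing CA certificate and has to be able to download Domain B's CRL, with no trust involved in either. Run it on the Domain B workstation with no arguments, or on the Domain A MP with `-CertPath` pointing at the exported public client certificate, which shows what that server's chain engine sees. `$ExpectedRootThumbprint` is a placeholder; substitute the thumbprint of the Domain A root you configured in the site.

```powershell
<#
  Added example, not code from the original thread or from ConfigMgr.
  Checks a ConfigMgr client certificate the way the MP will:
  Client Authentication EKU, private key (when run on the client),
  chain to the expected root, and CRL reachability from this host.
  Run on the client with no arguments, or on the MP with -CertPath <exported .cer>.
#>
param(
    [string]$CertPath,
    # Placeholder: thumbprint of the Domain A root listed in the site's Trusted Root CAs.
    [string]$ExpectedRootThumbprint = 'REPLACE-WITH-DOMAIN-A-ROOT-THUMBPRINT'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

if ($CertPath) {
    # Public certificate exported from the client; no private key expected here.
    $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath)
} else {
    # Candidates ConfigMgr could pick from the computer store.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ClientAuthEku $_ })
    if (-not $certs) {
        Write-Warning 'No certificate with the Client Authentication EKU in Cert:\LocalMachine\My'
        return
    }
}

foreach ($cert in $certs) {
    "`n=== $($cert.Subject)  [$($cert.Thumbprint)]"
    "Client Auth EKU : $(Test-ClientAuthEku $cert)"
    if (-not $CertPath) { "Private key     : $($cert.HasPrivateKey)" }

    # Build the chain exactly as a relying party would: online CRL check, client-auth policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
    $built = $chain.Build($cert)
    "Chain builds    : $built"

    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }
        "  {0,-55} {1}  {2}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint, $status
    }

    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root thumbprint : $($root.Thumbprint)"
    "Root matches site's Trusted Root CA entry : $($root.Thumbprint -eq $ExpectedRootThumbprint)"

    # Translate the common cross-forest failures into the fix on the host being tested.
    foreach ($s in $chain.ChainStatus) {
        $name = "$($s.Status)"
        $info = "$($s.StatusInformation)".Trim()
        if ($name -match 'RevocationStatusUnknown|OfflineRevocation') {
            Write-Warning "CRL check failed ($info). The MP in Domain A must be able to download Domain B's CRL from the CDP in this certificate."
        } elseif ($name -match 'PartialChain') {
            Write-Warning "Issuing CA certificate not found. Import Domain B's intermediate into Cert:\LocalMachine\CA on this host, or make its AIA URL reachable."
        } elseif ($name -match 'UntrustedRoot') {
            Write-Warning 'Root is not in Cert:\LocalMachine\Root on this host.'
        } elseif ($name -ne 'NoError') {
            Write-Warning "${name}: $info"
        }
    }
}
```

If the chain builds cleanly on the workstation but fails on the MP, the difference is what the MP can see: its own Intermediate Certification Authorities store and its network path to Domain B's CRL distribution point and AIA URL. Those are per-host checks, not trust-dependent, which is why a single root in Domain A with an issuing CA in Domain B can work without a forest trust as long as every site system that validates client certificates can complete the chain and the revocation check locally.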
