mbkowns Posted July 31, 2013

Domain A is untrusted by Domain B. Domain A has the working PKI-enabled SCCM infrastructure, with an operating certificate authority. I want to manage clients from Domain B. I see that I can add the domain forest in the console with an account for discovery; that part is straightforward. Also, ensuring local admin accounts for pushing the client are created in Domain B and populated in the SCCM infrastructure of Domain A. Again, that part is straightforward, but how do I go about getting PKI to work? How do I configure functioning PKI from Domain A to work on Domain B without a domain trust? Do I need another certificate authority on Domain B, export the cert and add it to the SCCM infrastructure on Domain A? Is there a way to use a single certificate authority to manage the cross-forest untrusted domain? The next question is how do I get auto-enrollment to work with the cert on Domain B? Thanks for your help!
mbkowns Posted August 1, 2013

bump
txhockeyman Posted May 1, 2017

This is exactly my scenario as well: an untrusted cross-forest setup and needing to use PKI as well in the untrusted forest. Nothing I've seen is straightforward on this.
txhockeyman Posted May 23, 2017

bump again, anyone?
svariell Posted May 3, 2022

Bringing up an old topic. I'm needing to do this same thing. We have Cert Authorities in both domains. However, the RootCA is from Domain A and the client cert is from Domain B. It's set up in a way that the chain from the client cert in Domain B validates with the RootCA from Domain A. However, ConfigMgr won't recognize the client workstation cert as a valid cert, even though the chain looks right. Any ideas? I'd like to get this working.

I've since created a MP/DP and am working on a SUP in Domain B, using all the proper accounts from a document I've seen. That all works, but I had to move my infrastructure over to EHTTP. I would rather be HTTPS Only. Now that I have the server in Domain B, could I go to HTTPS Only if I created the proper Web Cert in Domain B like is in Domain A? Lots of questions to be asked here. Do you need to place Domain B's Intermediate Cert anywhere? There isn't a lot of documentation out there around this.

One thought I was going to bring up with our Admin who takes care of the Cert Authority is why not just have a RootCA for Domain B, instead of the RootCA being from Domain A and anything below being from Domain B. Thank you for the insight in advance.

The client workstation chain looks like this in Domain B:

DomainARoot.com <-- RootCA
DomainBIntermediate.com <-- Issuing Intermediate in Domain B
DomainBClient.com <-- Client workstation Cert
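The post above describes a chain (Domain B client cert, Domain B issuing intermediate, Domain A root) that "looks right" but that ConfigMgr still rejects. Before changing CA design, it helps to confirm on the workstation itself that the certificate meets the basic requirements ConfigMgr checks for a client certificate: it sits in the local computer's Personal store, has a private key, carries the Client Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.2), and builds a chain to a root the machine trusts. The following PowerShell is an added diagnostic written for this thread; it is not from the original post, from ConfigMgr, or from any Microsoft tool. The function name Test-ConfigMgrClientCert is an assumption for this example, and it uses only the built-in Cert: drive and the .NET X509Chain class.

```powershell
# Added diagnostic (not part of the thread or of ConfigMgr): for each certificate in the
# local computer's Personal store, report whether it has a private key, whether it carries
# the Client Authentication EKU, and whether a chain builds to a root trusted on this machine.
# Run in an elevated PowerShell session on the Domain B workstation.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Test-ConfigMgrClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        HasClientAuth = $false
        ChainBuilds   = $false
        ChainStatus   = @()
        Chain         = @()
    }

    # Look for the Client Authentication OID in the Enhanced Key Usage extension.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $match = $ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }
            $result.HasClientAuth = ($null -ne $match)
        }
    }

    # Build the chain with revocation checking off so that a CRL/OCSP reachability problem
    # (common across untrusted forests) is reported separately from a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainBuilds = $chain.Build($Cert)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    # Chain elements are listed leaf first, ending with the root the machine actually selected.
    $result.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    [pscustomobject]$result
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ConfigMgrClientCert -Cert $_ } |
    Format-List
```

For the chain in the post, a healthy result shows ChainBuilds True, an empty ChainStatus, HasPrivateKey and HasClientAuth both True, and a Chain list that ends at the Domain A root subject. If ChainBuilds is False with a status such as "UntrustedRoot" or "PartialChain", the Domain A root (and usually the Domain B intermediate) is missing from the workstation's Trusted Root Certification Authorities or Intermediate Certification Authorities store, which is the piece Domain B's Group Policy would normally not deliver for a CA from another forest. A chain that builds locally but is still rejected by the site points at the server side instead: the site's Trusted Root Certification Authorities list (site properties, Communication Security) must contain the Domain A root, and the management point must be able to reach the CRL for the Domain B intermediate if revocation checking is left enabled. Re-running the script with RevocationMode set to Online reproduces the revocation check the site performs.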