MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
Numerous Microsoft technologies are now taking advantage of digital certificate-based authentication to enable the support for and management of systems outside trusted networks and domains. Join us to learn how you can use digital certificates with System Center to extend your management capabilities beyond your immediate environment, and enable a single management infrastructure to manage systems and IT services across multiple trusted and untrusted domains.
  2. Using Microsoft System Center to Manage beyond the Trusted Domain
     Pete Zerger, Rory McCaw
     Principal Consultants
     Infront Consulting Group
     Session Code: MGT300
     Presenter: Both
  3. Agenda
     Presenter: Rory
     - Public Key Infrastructure Defined
     - Anatomy of a Certificate
     - How Does Certificate Authentication Work?
     - Public Key Infrastructure Differences across Operating Systems
     - Using PKI to Extend the Reach of System Center
     - Changes in Provisioning Certificates in Windows 2008
     - Bulk Certificate Provisioning for System Center
     - Managing Internet-Based Clients with ConfigMgr 2007
     - Troubleshooting Certificates in OpsMgr 2007
     - Monitoring CA and Certificate Validity
  4. What Is a PKI?
     The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions.
  5. Anatomy of a Certificate
     A certificate is like a passport.
     - Issued for specific uses:
       - Server Authentication (1.3.6.1.5.5.7.3.1)
       - Client Authentication (1.3.6.1.5.5.7.3.2)
     - To work, the issuer must be a 'trusted' authority.
     - If some piece of information does not check out, authentication fails.
  6. How Does Certificate Authentication Work?
     Presenter: Rory
     "Keys" to Success
     - All systems must trust the CA that issued the certificates
     - Each system requires a cert mapped to its FQDN
     - Public keys are distributed with the certificate
     - Private keys are never distributed; they are private
     (Diagram: Agent <-> GW)
  10. Certificate Authority Options
      Presenter: Rory
      - A standalone CA can be a quick fix.
      - An enterprise CA requires more thought, planning and buy-in from across the organization.
      - Server OS version is another important consideration. Our recommendation:
        - Use Standard Edition Server for all offline CAs (Root CA, Policy CA).
        - Use Enterprise Edition Server for all online CAs.
  11. Stand-alone versus Enterprise CA on Win2k3
      Presenter: Rory
      - Standalone Root CA on W2k3 Standard: the 'Other' certificate template allows for certificate creation.
      - Enterprise Root CA on Enterprise Edition: need to duplicate the Server Authentication certificate template to create an OpsMgr template.
  12. Stand-alone versus Enterprise CA on W2k8
      Presenter: Rory
      - Standalone Root CA on W2k8 Standard
        - No option to store the certificate in the Local Computer certificate store
        - Must use certreq, or export from the Local User store and import into the Local Computer store
      - Enterprise CA on W2k8 Enterprise
        - Cross-forest authentication allows clients to request a certificate from a CA that is part of a different AD
        - This will require populating the NTAuth store in the additional forests
  13. The Certificate Stores
      Presenter: Rory
      - Personal Certificate store
      - Trusted Root Certificate Authorities store
      - Operations Manager store: don't touch the certificates in this store; they are internally generated.
  14. Configuration Validation: Certificate Configuration and Validity
      Presenter: Pete
      1. Check for certificate in store: Local Computer/Personal/Certificates
      2. Verify certificate configuration: check for client and server authentication OIDs
      3. Check for certificate in store: Local Computer/Personal/Certificates
      4. Verify issuing CA is trusted: check the certification path
  15. Common Pitfalls
      Presenter: Rory
      - Name resolution: confirm that DNS is working, or use a hosts file
      - IPv6 on Windows Server 2008 R2: confirm that IPv6 addresses are registered in DNS
      - Windows Firewall: configure properly or disable
      - Certificate configuration:
        - Import the Trusted Root CA cert
        - Confirm certs are imported into the Local Computer store, not the Local User store
        - Run momcertimport.exe with Admin credentials on W2k8
        - CRLs must be accessible
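The validation steps on slide 14 and the certificate pitfalls on slide 15 can be checked in one pass on the agent or gateway. The script below is an added example, not part of the MGT300 deck: it looks for the machine's certificate in the Local Computer Personal store (not the Current User store), confirms both EKU OIDs from slide 5, confirms the private key is present, warns on expiry, and builds the chain with online revocation checking so an unreachable CRL shows up too. The expected subject name being the machine's FQDN and the 30-day expiry warning threshold are assumptions, not values from the deck.

```powershell
# Added example (not from the MGT300 deck): validate an OpsMgr agent/gateway
# certificate in the Local Computer Personal store against slides 14 and 15.
# Assumptions (not in the deck): the expected subject CN is this machine's FQDN,
# and 30 days is an acceptable expiry warning threshold.
param(
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$ExpiryWarningDays = 30
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (slide 5)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (slide 5)

# Step 1: certificate must be in Local Computer\Personal, not Current User\Personal
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$ExpectedFqdn*" })
if ($candidates.Count -eq 0) {
    $userCopy = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$ExpectedFqdn*" })
    if ($userCopy.Count -gt 0) {
        Write-Warning "CN=$ExpectedFqdn found only in Cert:\CurrentUser\My (slide 12/15 pitfall): export it and import into the Local Computer store"
    } else {
        Write-Warning "No certificate with CN=$ExpectedFqdn in Cert:\LocalMachine\My"
    }
    return
}

foreach ($cert in $candidates) {
    Write-Host "Checking $($cert.Subject), serial $($cert.SerialNumber), expires $($cert.NotAfter)"

    # Step 2: both EKU OIDs must be present, otherwise OpsMgr logs event 20050 (slide 28)
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $hasServer = $ekuOids -contains $ServerAuthOid
    $hasClient = $ekuOids -contains $ClientAuthOid
    if (-not ($hasServer -and $hasClient)) {
        Write-Warning "EKU check failed: ServerAuth=$hasServer ClientAuth=$hasClient"
    }

    # Private keys are never distributed (slide 9), so the key must already be on this machine
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key for this certificate in the Local Computer store; import the PFX, not just the .cer"
    }

    # Every certificate has an expiration date (slide 40)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
    elseif ($daysLeft -lt $ExpiryWarningDays) { Write-Warning "Certificate expires in $daysLeft days" }

    # Step 4: issuing CA must be trusted; online revocation checking also exercises
    # CRL reachability, which slide 15 lists as a pitfall
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "Certification path OK; root: $($root.Subject)"
    } else {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "Chain problem: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }
    $chain.Reset()
}
```

Run it in an elevated PowerShell on the agent or gateway; a chain status of `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL pitfall rather than at the certificate itself.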
  16. Using PKI to Extend the Reach of System Center
      - Extend OpsMgr to Windows-based workgroup computers
      - Extend OpsMgr to a separate Active Directory forest through a gateway
      - Extend OpsMgr to xplat (cross-platform) servers
      - Extend ConfigMgr to Internet-based clients
  17. Demo: Certificate Configuration in OpsMgr
      Rory McCaw, Principal Consultant, Infront Consulting Group
  18. Certificate Provisioning Options
      Presenter: Pete
      - Auto-enrollment is not an option outside trust boundaries without W2k8*
      - 2008 Web Enrollment no longer gives users the option of storing a machine certificate in the Local Computer store
      - Advantages of command-line provisioning:
        - Avoid Web Enrollment limitations
        - Many certificate properties can be pre-populated
        - Provisioning can be automated to some degree
        - Certificates can be generated in bulk
      * Cross-forest authentication in W2k8
  19. Bulk Certificate Provisioning
      Presenter: Pete
      - Manual requests can be time-consuming
      - Automation is possible from the command line:
        - Certreq.exe to make the request
        - Certutil.exe to process/retrieve the request
      - Can be scripted for batch processing
      - Requires a certificate template
      TIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate.
  20. Demo: Bulk Provisioning of Certificates for System Center
      Presenter: Pete
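Slides 18 and 19 describe command-line provisioning with certreq.exe and certutil.exe but the demo itself is not in the transcript. The script below is an added example, not the presenters' demo code: for each FQDN in a text file it writes a certreq INF that pre-populates both EKU OIDs (so one certificate serves both OpsMgr 2007 and ConfigMgr 2007 agents, as the slide 19 tip says), generates the key in the Local Computer store, submits the request to an enterprise CA, and exports the issued certificate with its private key as a PFX for the target machine. The CA config string `CA01.contoso.com\Contoso-CA`, the template name `OpsMgrCertificate`, the output folder and the hosts.txt input are all assumptions.

```powershell
# Added example (not from the MGT300 deck): bulk certificate requests with
# certreq.exe from one admin workstation, per slides 18 and 19.
# Assumptions (not in the deck): an enterprise CA reachable as CA01\Contoso-CA,
# a duplicated Server Authentication template named OpsMgrCertificate (slide 11),
# and C:\OpsMgrCerts\hosts.txt holding one agent FQDN per line.
$CaConfig    = 'CA01.contoso.com\Contoso-CA'   # assumed, "CAHost\CA common name" form
$Template    = 'OpsMgrCertificate'             # assumed template name
$OutDir      = 'C:\OpsMgrCerts'                # assumed working folder
$PfxPassword = Read-Host 'PFX export password'

$hosts = Get-Content (Join-Path $OutDir 'hosts.txt') | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($fqdn in $hosts) {
    $base = Join-Path $OutDir $fqdn

    # certreq INF: MachineKeySet=TRUE puts the key in the Local Computer store (the
    # Web Enrollment limitation on slide 18), Exportable=TRUE allows the PFX export,
    # and both EKU OIDs are pre-populated so the cert satisfies OpsMgr and ConfigMgr.
    @"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

    # 1. Make the request (Certreq.exe, slide 19); the key pair is generated here
    & certreq.exe -new "$base.inf" "$base.req" | Out-Null

    # 2. Submit it; a template set to issue automatically returns the .cer immediately
    $submit = & certreq.exe -submit -config $CaConfig "$base.req" "$base.cer"
    if (-not (Test-Path "$base.cer")) {
        # Pending request: a CA admin approves it (certutil -config <CA> -resubmit <id>),
        # then it is retrieved with certreq -retrieve
        $m = $submit | Select-String 'RequestId:\s*"?(\d+)' | Select-Object -First 1
        $requestId = if ($m) { $m.Matches[0].Groups[1].Value } else { '<unknown>' }
        Write-Warning "$fqdn : request $requestId is pending. After approval run: certreq -retrieve -config `"$CaConfig`" $requestId `"$base.cer`""
        continue
    }

    # 3. Bind the issued cert to its private key, then export it as a PFX by thumbprint
    & certreq.exe -accept "$base.cer" | Out-Null
    $issued = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $issued) { Write-Warning "$fqdn : accepted cert not found in Local Computer store"; continue }
    & certutil.exe -p $PfxPassword -exportPFX My $issued.Thumbprint "$base.pfx" | Out-Null
    Write-Host "$fqdn : exported $base.pfx (serial $($issued.SerialNumber))"
}
```

The script must run elevated because `MachineKeySet = TRUE` writes to the Local Computer key store. On each agent the PFX is then imported into the Local Computer Personal store and registered with MOMCertImport.exe run as an Administrator (slides 15 and 35); the issuing CA's root certificate still has to be placed in Trusted Root Certificate Authorities on both ends (slide 24).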
  21. Internet-Based Client Management
      Presenter: Pete
      TIP: The AD forest can be separate from the site servers, and no trust is required.
  22. ConfigMgr Topology Options for Internet-based Client Mgmt
      (Diagram slide)
  23. OpsMgr Mutual Authentication
      - Required in Operations Manager 2007
      - Two methods:
        - Kerberos (requires Active Directory)
        - Certificate authentication
      (Diagram labels: Update Topology, Ok, Update Topology, Request to Join, X)
  24. OpsMgr Authentication Troubleshooting Checklist
      Certificate configuration:
      - Correct OIDs (1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2)
      - Serial appears in registry (MOMCertImport)
      - Issuing CA appears in Trusted Root Cert Authorities
      Connectivity issues:
      - Network connectivity: ping, telnet 5723
      - Name resolution
      Review events in the OpsMgr event log; start on the downstream node.
  28. Certificate Authentication Events
      Presenter: Pete
      Look for events in the OpsMgr event log; relevant events will be in the 20,000 and 21,000 ranges.
      - 21016 / 20070: generic event with every authentication failure
      - 20050: enhanced key usage error (wrong OID)
      - 21005: DNS resolution failed
      - 21006: TCP connection failed (at TCP level)
      - 21007: not in a trusted domain (no full trust)
      Master list of OpsMgr authentication errors: http://www.systemcentercentral.com/teched
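Slide 24 says to start on the downstream node and review the event log, and slide 28 narrows that to the 20,000 and 21,000 ranges. The script below is an added example, not from the deck: it pulls those events from the `Operations Manager` log (the OpsMgr 2007 log name), groups them by ID, annotates the IDs the slide explains, and shows the first line of the most recent message for each, so the dominant failure reason is visible at a glance. The 24-hour look-back window is an assumption.

```powershell
# Added example (not from the MGT300 deck): summarize OpsMgr authentication
# events on the downstream node, using the event IDs explained on slide 28.
# Assumption (not in the deck): a 24-hour look-back is enough to catch the failure.
param([int]$Hours = 24)

# Meanings as given on slide 28; anything else is left to the master list (slide 28 link)
$Known = @{
    21016 = 'Generic authentication failure'
    20070 = 'Generic authentication failure'
    20050 = 'Enhanced key usage error (wrong OID)'
    21005 = 'DNS resolution failed'
    21006 = 'TCP connection failed'
    21007 = 'Not in a trusted domain (no full trust)'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ge 20000 -and $_.Id -lt 22000 })   # the 20,000 and 21,000 ranges

if ($events.Count -eq 0) {
    Write-Host "No 20xxx/21xxx events in the Operations Manager log in the last $Hours hours"
    return
}

$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $id     = [int]$_.Name
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Id      = $id
        Count   = $_.Count
        Meaning = if ($Known.ContainsKey($id)) { $Known[$id] } else { 'see master list' }
        Latest  = $latest.TimeCreated
        Message = ($latest.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize
```

Read the table against the checklist on slide 24: 21005 sends you to name resolution, 21006 to the firewall and port 5723, 20050 to the EKU OIDs on the certificate, and 21007 with no certificate events at all usually means the agent is still trying Kerberos because no certificate was registered with MOMCertImport.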
  33. Troubleshooting Name Resolution and Connectivity
      Presenter: Pete
      Name resolution: the downstream node must resolve the name of the upstream node by FQDN.
      - Gateway must resolve the FQDN of the management server
      - Agent must resolve the FQDN of the gateway
      - Agent must resolve the FQDN of the management server (if no gateway)
      Network connectivity:
      - Verify the agent or gateway server can telnet to the management server on port 5723
      - The connection is initiated by the downstream component
  34. Troubleshooting Namespace Issues
      Presenter: Pete
      If using non-routable namespaces across the Internet:
      - Establish a site-to-site VPN tunnel, OR
      - Use a HOSTS file on the gateway to resolve the management server
      (Diagram: ms.contoso.local <- Internet -> gtw.contoso.local)
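Slides 33 and 34 reduce the connectivity side to two checks run from the downstream node: the upstream FQDN resolves (possibly via a HOSTS entry when the namespace is not routable), and TCP 5723 to it opens. The script below is an added example, not from the deck: it resolves the name, reports whether a HOSTS entry is what answered and which address families came back (the IPv6 registration pitfall from slide 15), then attempts the TCP connection with a timeout instead of relying on the telnet client, which is not installed by default on Windows Server 2008. The upstream name `ms.contoso.local` is the deck's own placeholder and the 5-second timeout is an assumption.

```powershell
# Added example (not from the MGT300 deck): run on the agent or gateway to check
# name resolution and TCP 5723 toward the upstream node (slides 33 and 34).
# Assumptions (not in the deck): upstream name passed as a parameter
# (ms.contoso.local is the deck's placeholder), 5-second connect timeout.
param(
    [string]$Upstream  = 'ms.contoso.local',
    [int]$Port         = 5723,
    [int]$TimeoutMs    = 5000
)

# Name resolution: does the FQDN resolve, and is a HOSTS file entry answering for it?
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHit  = Select-String -Path $hostsPath -Pattern ('^\s*[0-9a-fA-F:.]+\s+.*\b' + [regex]::Escape($Upstream) + '\b') -ErrorAction SilentlyContinue
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Upstream)
} catch {
    Write-Warning "$Upstream does not resolve ($($_.Exception.Message)); expect OpsMgr event 21005. Fix DNS or add a HOSTS entry on this node."
    return
}
$families = ($addrs | ForEach-Object { "$($_.IPAddressToString) [$($_.AddressFamily)]" }) -join ', '
$source   = if ($hostsHit) { 'HOSTS file' } else { 'DNS' }
Write-Host "$Upstream -> $families (via $source)"

# TCP connectivity: the downstream component opens the connection, so test from here
$client = New-Object System.Net.Sockets.TcpClient
$open = $false
try {
    $async = $client.BeginConnect($Upstream, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.EndConnect($async)
        $open = $client.Connected
    }
} catch {
    Write-Warning "Connect error: $($_.Exception.Message)"
} finally {
    $client.Close()
}

if ($open) {
    Write-Host "TCP $Port to $Upstream is open"
} else {
    Write-Warning "TCP $Port to $Upstream is closed or filtered; expect OpsMgr event 21006. Check Windows Firewall on both ends (slide 15)."
}
```

A resolvable name whose only answer is an IPv6 address that the management server does not actually listen on reproduces the Windows Server 2008 R2 pitfall from slide 15; the address family column makes that visible before the TCP test runs.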
  35. Troubleshooting Certificates (cont.)
      Presenter: Pete
      - Verify MOMCertImport successfully wrote the certificate serial # to the registry:
        HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
      - Compare to the certificate serial number on the certificate in the Local Computer certificate store
      - If the serial is wrong, delete the key and re-run MOMCertImport
      - Run momcertimport.exe as an Administrator
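The comparison on slide 35 is easy to get wrong by hand because the registry value is binary and the certificate UI shows the serial as hex. The script below is an added example, not from the deck: it reads `ChannelCertificateSerialNumber` from the `Machine Settings` key the slide names, renders it as hex in both byte orders (the value being REG_BINARY with the serial stored in reversed byte order is how MOMCertImport behaves in practice, but that detail is not on the slide, so both orders are tried rather than assuming one), and looks for a matching certificate in the Local Computer Personal store.

```powershell
# Added example (not from the MGT300 deck): check that the serial MOMCertImport
# wrote to the registry (slide 35) matches a certificate in Cert:\LocalMachine\My.
# Assumption (not on the slide): the value is REG_BINARY and may hold the serial
# in reversed byte order, so both orders are compared.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$valueName = 'ChannelCertificateSerialNumber'

$props = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if (-not $props) {
    Write-Warning "$valueName not present under $regPath; run momcertimport.exe as an Administrator"
    return
}

$bytes     = [byte[]]$props.$valueName
$asStored  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
[array]::Reverse($bytes)
$reversed  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
Write-Host "Registry serial as stored: $asStored (reversed: $reversed)"

# X509Certificate2.SerialNumber is the hex string shown in the certificate MMC
$matches = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.SerialNumber -ieq $asStored -or $_.SerialNumber -ieq $reversed
})

if ($matches.Count -gt 0) {
    foreach ($c in $matches) {
        Write-Host "Registry serial matches $($c.Subject): expires $($c.NotAfter), private key present: $($c.HasPrivateKey)"
    }
} else {
    Write-Warning "No certificate in Cert:\LocalMachine\My carries that serial. Delete $valueName and re-run MOMCertImport (as Administrator) against the intended certificate. Certificates present:"
    Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, SerialNumber, NotAfter, HasPrivateKey | Format-Table -AutoSize
}
```

A match with `private key present: False` is the other common outcome: the serial is right but the certificate was imported from a .cer rather than a PFX, so the Health Service cannot use it.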
  36. Cross-Platform Monitoring
      Presenter: Rory
      - OpsMgr 2007 R2 extends agent-based monitoring to *NIX systems
      - Can be installed remotely from the console
      - Target *NIX systems can be outside the Kerberos boundary
  37. Demo: Cross-Platform Agent Deployment in OpsMgr
      Rory McCaw, Principal Consultant, Infront Consulting Group
  38. OpsMgr Cross-Platform Issues
      Presenter: Rory
      - Ports:
        - TCP 22 (discovery with SSH)
        - TCP 1270 (agent communication via WS-Man)
      - Certificate errors
      - Prerequisite issues
      - Hostname mismatch
      - WinRM errors: Basic authentication not enabled
        winrm set winrm/config/client/auth @{Basic="true"}
      - Run As execution: Unix Action Account and Unix Privileged Account
  39. Monitoring CA Health
      Presenter: Rory
      - The PKI Health Tool monitors CA health and current activity
      - Included in the Windows 2008 OS
      - Provides visual indicators of health
      - To launch: Start > Run > PKIView.msc
      - Covers: CRL Distribution Points, Enterprise CA Hierarchy, Authority Information Access (AIA)
  40. Monitoring Certificate Health
      Presenter: Rory
      - All certificates have an expiration date
      - Certificate validity can be monitored with Operations Manager
      - No off-the-shelf Microsoft solution
      - Solution: PKI Certificate Verification MP
      - Alerts on certificate health issues including:
        - A certificate's lifetime is about to expire
        - A certificate's lifetime has ended
        - Certificate has been revoked
      (Diagram labels: Root Cert, OM Cert, CRL, X)
  41. Announcing: Birds of a Feather session on Thursday, "System Center Questions... Answered!!"
  42. Question & Answer
  43. Resources
      - Sessions On-Demand & Community: www.microsoft.com/teched
      - Microsoft Certification & Training Resources: www.microsoft.com/learning
      - Resources for IT Professionals: http://microsoft.com/technet
      - Resources for Developers: http://microsoft.com/msdn
      (Speaker note: TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.)
  44. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
  46. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
      The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.