MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain



Numerous Microsoft technologies are now taking advantage of digital certificate-based authentication to enable the support for and management of systems outside trusted networks and domains. Join us to learn how you can use digital certificates with System Center to extend your management capabilities beyond your immediate environment, and enable a single management infrastructure to manage systems and IT services across multiple trusted and untrusted domains.

Published in: Technology



  • 2. Using Microsoft System Center to Manage beyond the Trusted Domain
    Pete Zerger, Rory McCaw
    Principal Consultants
    Infront Consulting Group
    Session Code: MGT300
  • 3. Agenda
    Public Key Infrastructure Defined
    Anatomy of a Certificate
    How Does Certificate Authentication Work?
    Public Key Infrastructure Differences across Operating Systems
    Using PKI to Extend the Reach of System Center
    Changes in Provisioning Certificates in Windows 2008
    Bulk Certificate Provisioning for System Center
    Managing Internet-Based Clients with ConfigMgr 2007
    Troubleshooting Certificates in OpsMgr 2007
    Monitoring CA and Certificate Validity
  • 4. What Is a PKI?
    The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions
  • 5. Anatomy of a Certificate
    A certificate is like a Passport
    Issued for specific uses
    Server Authentication
    Client Authentication
    To work, the issuer must be a ‘trusted’ authority
    If some piece of information does not check out – authentication fails
  • 6. How Does Certificate Authentication Work? (Rory)
    “Keys” to Success
    • All systems must trust the CA that issued the certificates
    • Each system requires a certificate mapped to its FQDN
    • Public keys are distributed with the certificate
    • Private keys are never distributed; they stay private
  • 10. Certificate Authority Options
    Standalone CA can be a quick fix
    Enterprise CA requires more thought, planning and buy-in from across the organization
    Server OS version is another important consideration. Our recommendation:
    Use Standard Edition Server for all offline CAs (Root CA, Policy CA)
    Use Enterprise Edition Server for all online CAs
  • 11. Stand-alone versus Enterprise CA on Win2k3 (Rory)
    Standalone Root CA on W2k3 Standard
    ‘Other’ certificate template allows for certificate creation
    Enterprise Root CA on Enterprise Edition
    Need to duplicate Server Authentication certificate template to create an OpsMgr template
  • 12. Stand-alone versus Enterprise CA on W2k8 (Rory)
    Standalone Root CA on W2k8 Standard
    No option to store the certificate in the Local Computer certificate store
    Must use certreq or export from the Local User store and import into the Local Computer store
    Enterprise CA on W2k8 Enterprise
    Cross forest authentication allows clients to request a certificate from a CA that is part of a different AD
    This will require populating the NTAuth store in the additional forests
  • 13. The Certificate Stores
    Certificate stores
    Personal Certificate store
    Trusted Root Certificate Authorities store
    Operations Manager store
    Don’t touch the certificates in this store. This is internally generated.
  • 14. Certificate Configuration and Validity (Pete)
    1. Check for Certificate in Store
    Local Computer/Personal/Certificates
    2. Verify Certificate Configuration
    Check for client and server authentication OIDs
    3. Verify Issuing CA is Trusted
    Check the Certification Path
  • 15. Common Pitfalls
    Name resolution
    Confirm that DNS is working or use hosts file
    IPv6 on Windows Server 2008 R2
    Confirm that IPv6 addresses are registered in DNS
    Windows Firewall
    Configure properly or disable
    Certificate configuration
    Import Trusted Root CA cert
    Confirm certs are imported in Local Computer store, not Local User store
    Run momcertimport.exe with Admin credentials on W2k8
    CRLs must be accessible
  • 16. Using PKI to Extend the Reach of System Center
    Extend OpsMgr to Windows-based workgroup computers
    Extend OpsMgr to a separate Active Directory forest through a gateway
    Extend OpsMgr to xplat servers
    Extend ConfigMgr to Internet-based clients
  • 17. Certificate Configuration in OpsMgr
    Rory McCaw
    Principal Consultant
    Infront Consulting Group
  • 18. Certificate Provisioning Options (Pete)
    Auto-enrollment is not an option outside trust boundaries without W2k8*
    2008 Web Enrollment no longer gives users the option of storing a Machine Certificate in the Local Computer store
    Advantages of Command Line Provisioning
    Avoid Web Enrollment Limitations
    Many certificate properties can be pre-populated
    Provisioning can be automated to some degree
    Certificates can be generated in bulk
    * Cross Forest Authentication in W2k8
  • 19. Bulk Certificate Provisioning (Pete)
    Manual requests can be time consuming
    Automation possible from the command line
    Certreq.exe – to make the request
    Certutil.exe - to process/retrieve the request
    Can be scripted for batch processing
    Requires a certificate template
    TIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate
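
The certreq.exe / certutil.exe flow described on this slide, written out as a PowerShell loop over a list of hosts. This is an added example, not code from the deck or from Infront Consulting Group. The CA config string, the template name OpsMgrAgent, the working folder, the PFX password and the host list are placeholders; the script assumes it runs on a Windows machine that can reach the CA, under an account allowed to approve requests on that CA. The INF carries both the Server Authentication and Client Authentication EKU OIDs, which is the shared requirement that lets an OpsMgr 2007 and a ConfigMgr 2007 agent use one certificate.

```powershell
# Added example: bulk certificate provisioning with certreq.exe and certutil.exe.
# Placeholders (assumptions, replace with your own): CA config string, template name,
# working folder, PFX password and the list of hosts.
$CaConfig    = 'ca01.corp.example\Example Issuing CA'  # "CAHost\CA common name"
$Template    = 'OpsMgrAgent'        # assumed duplicate of the Server Authentication template
$OutDir      = 'C:\CertRequests'
$PfxPassword = 'ChangeMe!'          # placeholder; take it from a vault in practice

# Constructed sample list of agent and gateway FQDNs to provision.
$Hosts = @('agent01.workgroup.example', 'gw01.otherforest.example')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($fqdn in $Hosts) {
    $base = Join-Path $OutDir $fqdn

    # certreq INF: 2048-bit RSA machine key, exportable so the certificate can be moved to the
    # target host, and both Server (1.3.6.1.5.5.7.3.1) and Client (1.3.6.1.5.5.7.3.2)
    # Authentication EKUs. KeyUsage 0xA0 = digital signature + key encipherment.
    @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

    # 1. Build the PKCS#10 request; the private key is generated into the local machine key set.
    & certreq.exe -new "$base.inf" "$base.req" | Out-Null

    # 2. Submit to the CA. certreq prints "RequestId: N"; keep N in case the request is left pending.
    $submit = & certreq.exe -submit -config $CaConfig "$base.req" "$base.cer" 2>&1 | Out-String
    $reqId  = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value

    if (-not (Test-Path "$base.cer")) {
        # A standalone CA (or a template set to manager approval) leaves the request pending:
        # approve it and fetch the issued certificate with certutil.
        & certutil.exe -config $CaConfig -resubmit $reqId | Out-Null
        & certutil.exe -config $CaConfig -retrieve $reqId "$base.cer" | Out-Null
    }

    # 3. Bind the issued certificate to its private key in the Local Computer store.
    & certreq.exe -accept -machine "$base.cer" | Out-Null

    # 4. Export certificate and key as a PFX for transport to the target host, where it is
    #    imported into the Local Computer store and MOMCertImport is run against it.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$fqdn" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    & certutil.exe -p $PfxPassword -exportpfx My $cert.Thumbprint "$base.pfx" | Out-Null
    Write-Host "Provisioned $fqdn -> $base.pfx (serial $($cert.SerialNumber))"
}
```

Because the key pair is generated on the requesting machine, Exportable = TRUE is what makes the PFX hand-off possible; the PFX files and their password are the sensitive artefacts of this process and should be deleted from the provisioning box once each target has imported its certificate.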
  • 20. Bulk Provisioning of Certificates for System Center
  • 21. Internet-Based Client Management
    TIP: AD Forest can be separate from site servers and no trust required
  • 22. ConfigMgr Topology Options for Internet-based Client Mgmt
  • 23. Ops Mgr Mutual Authentication
    Required in Operations Manager 2007
    Two methods:
    Kerberos - Requires Active Directory
    Certificate Authentication
    (Diagram residue: labels ‘Update Topology’ and ‘Request to …’)
  • 24. OpsMgr Authentication Troubleshooting Checklist
    Certificate Configuration
    • Correct OIDs
    • Serial appears in registry (MOMCertImport)
    • Issuing CA appears in Trusted Root Certification Authorities
    Connectivity Issues
    • Network connectivity – ping, telnet 5723
    • Name resolution
    Review events in OpsMgr event log
    Start on downstream node
  • 28. Certificate Authentication Events (Pete)
    Look for events in the OpsMgr event log
    Relevant events will be in the 20,000 and 21,000 ranges
    • 21016 / 20070 – Generic event with every authentication failure
    • 20050 – Enhanced key usage error (wrong OID)
    • 21005 – DNS resolution failed
    • 21006 – TCP connection failed (at TCP level)
    • 21007 – Not in a trusted domain (no full trust)
    Master List of OpsMgr Authentication Errors
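
A triage script for the event IDs listed on this slide, as an added PowerShell example (not the deck's own code): it pulls the last N hours of these events from the node's Operations Manager event log, groups them by ID and attaches the slide's meaning to each. It assumes the log is named "Operations Manager" (the OpsMgr 2007 default) and that Get-WinEvent is available (Windows Server 2008 / PowerShell 2.0 or later).

```powershell
# Added example: summarise OpsMgr certificate-authentication failures by event ID.
# Assumption: the agent/gateway logs to the "Operations Manager" event log.
$EventMeaning = @{
    21016 = 'Generic event with every authentication failure'
    20070 = 'Generic event with every authentication failure'
    20050 = 'Enhanced key usage error (wrong OID): check Server/Client Authentication OIDs'
    21005 = 'DNS resolution failed: downstream node cannot resolve upstream FQDN'
    21006 = 'TCP connection failed: check firewall and that port 5723 is reachable'
    21007 = 'Not in a trusted domain (no full trust): Kerberos unavailable, certificate auth needed'
}

function Get-OpsMgrAuthFailures {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'Operations Manager'
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; an empty result is the answer, not an error.
        return @()
    }
    $events | Group-Object Id | ForEach-Object {
        $id     = [int]$_.Name
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            EventId     = $id
            Count       = $_.Count
            Meaning     = $EventMeaning[$id]
            LastSeen    = $latest.TimeCreated
            LastMessage = ($latest.Message -split "`n")[0]
        }
    } | Sort-Object EventId
}

# Start on the downstream node (agent or gateway): it opens the connection, so its log
# shows the specific failure; the generic 21016/20070 pair appears alongside it.
Get-OpsMgrAuthFailures -Hours 48 | Format-Table EventId, Count, LastSeen, Meaning -AutoSize
```

Read the specific IDs (20050, 21005, 21006, 21007) before the generic pair: a 21005 or 21006 points at name resolution or connectivity rather than the certificate, while a 20050 means the certificate itself is wrong.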
  • 33. Troubleshooting Name Resolution and Connectivity
    Name Resolution
    Downstream node must resolve name of upstream node by FQDN
    Gateway must resolve FQDN of Mgmt Server
    Agent must resolve FQDN of Gateway
    Agent must resolve FQDN of Mgmt Server (if no GW)
    Network Connectivity
    Verify Agent or Gateway Server can telnet to management server on port 5723
    Connection is instantiated by downstream component
  • 34. Troubleshooting Namespace Issues (Pete)
    If using non-routable namespaces across the Internet
    Establish site-to-site VPN tunnel OR
    Use HOSTS file on Gateway to resolve Management Server
  • 35. Troubleshooting Certificates (cont.) (Pete)
    Verify MOMCertImport successfully wrote the certificate serial # to the registry
    HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
    Compare to certificate serial number on certificate in Local Computer Certificate Store
    If wrong serial, delete the key and re-run MOMCertImport
    Run momcertimport.exe as an Administrator
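
The checks from slides 14, 24, 33 and this one, combined into one PowerShell script that runs on a downstream node. This is an added example, not code from the deck. It assumes the registry path named on the slide; it treats the common report that MOMCertImport stores the serial as REG_BINARY in reversed byte order as an assumption and therefore compares both orders; 5723 is the channel port named in the deck, and the upstream FQDN is a placeholder.

```powershell
# Added example: run the OpsMgr certificate checklist on one node.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # standard EKU OID: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # standard EKU OID: Client Authentication
$RegKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$RegValue = 'ChannelCertificateSerialNumber'

function New-CheckResult {
    param([string]$Check, $Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-OpsMgrCertificate {
    param([Parameter(Mandatory=$true)][string]$UpstreamFqdn, [int]$Port = 5723)
    $out = @()
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # 1. Certificate with a private key in Local Computer\Personal whose CN is this host's FQDN.
    $pattern = 'CN=' + [regex]::Escape($localFqdn) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    $out += New-CheckResult 'Certificate for this FQDN in LocalMachine\My' ($cert -ne $null) $localFqdn
    if (-not $cert) { return $out }

    # 2. Both Server and Client Authentication OIDs in the Enhanced Key Usage extension.
    $eku = @()
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $eku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $out += New-CheckResult 'Server + Client Authentication OIDs' (($eku -contains $ServerAuthOid) -and ($eku -contains $ClientAuthOid)) ($eku -join ',')

    # 3. Issuing CA trusted: the chain must build to a root in Trusted Root Certification
    #    Authorities; online revocation checking makes an unreachable CRL show up too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $out += New-CheckResult 'Chain builds to trusted root (CRL reachable)' $chainOk $status

    # 4. Serial written by MOMCertImport matches this certificate (assumption: reversed byte order
    #    is common, so both orders are accepted).
    $regBytes = (Get-ItemProperty -Path $RegKey -Name $RegValue -ErrorAction SilentlyContinue).$RegValue
    $regHex = ''; $regHexRev = ''
    if ($regBytes) {
        $regHex = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''
        $rev = [byte[]]$regBytes.Clone(); [array]::Reverse($rev)
        $regHexRev = ($rev | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    $serialOk = ($cert.SerialNumber -eq $regHex) -or ($cert.SerialNumber -eq $regHexRev)
    $out += New-CheckResult 'Registry serial matches certificate' $serialOk "cert=$($cert.SerialNumber) reg=$regHex"

    # 5. The downstream node opens the connection, so it must resolve the upstream FQDN and reach TCP 5723.
    try   { $ips = [System.Net.Dns]::GetHostAddresses($UpstreamFqdn); $dnsDetail = ($ips | ForEach-Object { $_.IPAddressToString }) -join ','; $dnsOk = $ips.Count -gt 0 }
    catch { $dnsOk = $false; $dnsDetail = $_.Exception.Message }
    $out += New-CheckResult "Resolve $UpstreamFqdn" $dnsOk $dnsDetail

    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($UpstreamFqdn, $Port); $tcpOk = $tcp.Connected; $tcpDetail = 'connected' }
    catch   { $tcpOk = $false; $tcpDetail = $_.Exception.Message }
    finally { $tcp.Close() }
    $out += New-CheckResult "TCP $Port to $UpstreamFqdn" $tcpOk $tcpDetail
    return $out
}

# Placeholder upstream: on an agent pass the gateway FQDN, on a gateway the management server FQDN.
Test-OpsMgrCertificate -UpstreamFqdn 'gw01.otherforest.example' | Format-Table Check, Pass, Detail -AutoSize
```

A failed serial check is the case the slide describes: delete the registry value and re-run MOMCertImport as an Administrator against the certificate in the Local Computer store, then run the script again.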
  • 36. Cross-Platform Monitoring
    OpsMgr 2007 R2 extends agent-based monitoring to *NIX systems
    Can be installed remotely from the console
    Target *NIX systems can be outside Kerberos boundary
  • 37. Demo: Cross Platform Agent Deployment in OpsMgr
    Rory McCaw
    Principal Consultant
    Infront Consulting Group
  • 38. OpsMgr Cross-Platform Issues
    TCP 22 (Discovery with SSH)
    TCP 1270 (Agent Communication via WS-Man)
    Certificate Errors
    Prerequisite Issues
    Hostname mismatch
    WinRM Errors
    Basic Authentication Not Enabled
    winrm set winrm/config/client/auth @{Basic="true"}
    Run As Execution
    Unix Action Account and Unix Privileged Account
  • 39. Monitoring CA Health
    PKI Health Tool Monitors CA Health and Current Activity
    Included in Windows 2008 OS
    Provides Visual Indicators of Health
    To launch: Start → Run → PKIView.msc
    CRL Distribution Points
    Enterprise CA Hierarchy
    Authority Information Access (AIA)
  • 40. Monitoring Certificate Health
    All Certificates have an Expiration Date
    Certificate validity can be monitored with Operations Manager
    No off-the-shelf Microsoft Solution
    Solution: PKI Certificate Verification MP
    Alerts on Certificate Health Issues Including:
    A certificate’s lifetime is about to expire
    A certificate’s lifetime has ended
    Certificate has been revoked
    Root Cert
    OM Cert
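
What a certificate-health rule of the kind described on this slide has to compute, as an added PowerShell example (not the PKI Certificate Verification MP's own code): it scans the Local Computer Personal and Trusted Root stores and flags certificates that have expired, are about to expire, or have been revoked. The 30-day warning threshold and the store list are assumptions.

```powershell
# Added example: certificate expiry and revocation scan for the Local Computer stores.
function Get-CertificateHealth {
    param(
        [int]$WarnDays = 30,   # assumed threshold for "about to expire"
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
    )
    $now = Get-Date
    foreach ($store in $Stores) {
        foreach ($cert in (Get-ChildItem $store)) {
            $daysLeft = [int]($cert.NotAfter - $now).TotalDays
            $state = 'OK'
            if     ($cert.NotAfter -lt $now)  { $state = 'Expired' }
            elseif ($daysLeft -le $WarnDays)  { $state = 'ExpiringSoon' }

            # Revocation can only be learned from the CRL, so build a chain with online checking.
            # Self-signed roots are trust anchors and have no CRL of their own; skip them.
            if ($state -ne 'Expired' -and $cert.Subject -ne $cert.Issuer) {
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
                [void]$chain.Build($cert)
                $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
                if     ($flags -contains 'Revoked') { $state = 'Revoked' }
                elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') { $state = 'RevocationUnknown' }
            }

            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                State      = $state
            }
        }
    }
}

# Alert-worthy rows only; this is the output a script-based monitor would turn into alerts.
Get-CertificateHealth -WarnDays 30 |
    Where-Object { $_.State -ne 'OK' } |
    Sort-Object NotAfter |
    Format-Table State, DaysLeft, Subject, Store -AutoSize
```

RevocationUnknown is worth alerting on as well: an OpsMgr agent whose CRL distribution point is unreachable fails certificate authentication just as a revoked one does (see the "CRLs must be accessible" pitfall earlier in the deck).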
  • 41. Birds of a feather session on Thursday: System Center Questions... Answered!!
  • 42. question & answer
  • 43. Required Slide
    TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.
    Sessions On-Demand & Community
    Microsoft Certification & Training Resources
    Resources for IT Professionals
    Resources for Developers
  • 44. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
  • 46. Required Slide
    © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.