Part 11: ConfigMgr (SCCM) HTTPS/PKI Configuration

Captions
HTTPS communication in our Configuration Manager lab. Even if you don't configure HTTPS in your Configuration Manager lab you can still learn a lot; however, if you would like to expand your learning further there are no set limits, and configuring HTTPS will open more parts towards this learning experience. Hello everyone, this is Jay Singh, welcome to my channel TekNex Solutions. If you are new to this channel hit the subscribe button and also click on the bell icon to get all the latest updates from this channel. Any links mentioned in this video you will find in the description below. Let's get started.

Before we proceed further with this video I would like to mention that I have configured and performed some of the settings which were demonstrated in my previous video series. In that video series I did a client push install and it worked fine; I have also tested operating system deployment, I have configured SCCM Reporting Services, and if I scroll down I have also configured the software update point and tested manual software updates, which worked fine.

Prerequisites for HTTPS communication. The very first prerequisite is a public key infrastructure. You must have a public key infrastructure so you can configure certificates, issue certificates and then use these certificates to enroll; you might also have to export some of the certificates where we need to import them into the Configuration Manager console. In this video I'm going to show you how you can utilize Active Directory Certificate Services to achieve this task. PKI has certain requirements for Configuration Manager: the certificate must be signed with SHA-2, and the key length we use has to be a minimum length, which is mentioned in the Microsoft documentation. In this video I'm going to use 2048, which will fit most scenarios you need for Configuration Manager.

Let's have a quick look at the documentation provided by Microsoft; you will find this document in the description below. You can see the information provided here about the public key infrastructure. The important part mentioned here is that you need SHA-2 (SHA-256 is mentioned here) and the public key length. The length is not actually mentioned on this page; you will find it under "PKI certificates for servers". For example, this certificate for the web server: no length is mentioned for that one, so we scroll down. For the cloud-based distribution point you can see "supported key lengths: 4096 bits". Here we have server authentication for SQL Server, and the maximum supported key length is 2048. If we keep scrolling down, this is client authentication, which we will talk about more in this video; that's the Workstation Authentication template, and the maximum key length it supports is 2048. So we will be using 2048 in this video, and this will fit most scenarios.

For Active Directory Certificate Services I have configured a dedicated server. This server will be used as the certificate authority, or you can call it a CA. If you have limited resources, for example you do not have the hardware or there's a limit on how much RAM and storage you have, you can utilize any other member server within the lab; in production, however, you will have a dedicated server. For example, if you have DC01, which we configured in this video series, you can utilize that DC01 as your certificate authority. I have configured a virtual machine and installed Windows Server 2019 Standard on it, and I will show you my VM configuration. If you would like to configure a dedicated server you can do that; otherwise you can utilize any other member server in your lab.

So I will show you the configuration of my virtual machine. If I open Hyper-V Manager, TEKNEX-CA is the virtual machine I have configured. If I go to Settings, this is a Gen 2 virtual machine. For memory I have provided 2 GB; later on I'm going to drop it down to 1 GB, but for now it is 2048 because we are going to work on it. For storage I have given it about 30 GB or 40 GB, I think. The network adapter is important: I have configured INT01 for this virtual machine. INT01 is what I have been using in my lab; the Configuration Manager server has INT01 connected as well, and DC01 also has INT01 connected.

Once you have made a decision, either to create a new dedicated certificate authority server or to utilize your existing member server, the next step is to configure Active Directory. In Active Directory we will create a new computer account and a user account, and if we need any other group we will create that as well. Let's do that on TEKNEX-DC01.

Here I will log on to DC01 and open Active Directory Users and Computers. What I'm going to do is create a new computer object for the virtual machine I created as a dedicated server for the certificate authority. If you want to use your member server you don't have to do that; you can skip that part. I will click on TEKNEX Computers, extend that, and we have Member Servers. Here I will create a new computer object and name it T-E-K-N-E-X dash C-A-0-1, so TEKNEX-CA01, and click OK. This computer object is ready. I'm also going to create a dedicated user which I will use to log on to CA01. In TEKNEX Users, in Administrative Users, I will create a new user: I will select User here, name it CA, last name Admin, user logon name caadmin, click Next, provide the password twice, and also check these two boxes, User cannot change password and Password never expires; click Next and click Finish. Our user is ready as well. I will double-click this caadmin account, go to Member Of, and add it to a group, which is Domain Admins: type Domain Admins, Check Names, click OK, hit Apply, click OK.

Now, I said earlier that we might have to create a new group, and we need a group for our IIS servers. So we will create a new group here and name it CM IIS Servers. You have to add any site server which has the IIS role installed on it; in our case we have only one server, which is TEKNEX-CM01, and we are going to add it to this group. We will right-click here, go to Properties, Members, Add, Object Types, and make sure you tick Computers here, click OK, type TEKNEX-CM01, Check Names, then click OK, hit Apply and click OK. We will use this group when we provide permissions for certificate enrollment. So our Active Directory is ready.

The next step is to prepare our CA server. If you're utilizing your member server like DC01 you don't have to perform this step. In this step we are going to give the CA server a static IP and domain-join it to our domain. Here I have logged on to CA01, and in Local Server I will change its IP address. In Ethernet, IPv4 is given by the DHCP server; I'm going to make sure that it has a static IP address. I will use the following: the IP address is 1004, subnet mask 255 255, and the default gateway is 1002, which is the IP address of our DC01; DNS is DC01 as well, 1002. Click OK and click Close. Once you have given the static IP, open PowerShell and try pinging teknex.local, or your domain: you should get a reply back. Here you go, it's resolving the IP address, which means the DNS of this device is working correctly. I will minimize that and close this one. Click on Computer Name, and now in this step I'm going to domain-join this computer. I will click on Change; the computer name is TEKNEX-CA01 and the domain is teknex.local; click OK. It will prompt for an administrator username and password, so I'm using my administrator account; I provide the password and click OK. "Welcome to the teknex.local domain." Click OK, we will restart it, and I will come back and log in with the username we created, which is caadmin. Click OK, click Close, Restart Now.

Once our CA server is ready, the next step is to add the Active Directory Certificate Services role. So this is CA01; I have logged in with the caadmin account. In Server Manager we will click on Add Roles, click Next, Role-based or feature-based installation, click Next; the server TEKNEX-CA01 is selected, click Next. In Roles the very first one is Active Directory Certificate Services; select that, and these are the management tools: we are going to select Add Features and click Next. Click Next again, Next again; in Role Services we will select only Certification Authority, which is already pre-checked, so click Next. That's the confirmation; we can tick this box, it's not going to restart, so click Install. I will be back as soon as this is ready. Okay, this is ready; it took about one to two minutes. I will click on Close.

Once Active Directory Certificate Services is installed, the next step is to configure it. I have logged on to TEKNEX-CA01 and you can see that in Server Manager we have a yellow triangle here; if you click on it we have an option to configure Active Directory Certificate Services, so click on that. Here are the credentials, and this is very important: this account has to be a member of the Enterprise Admins group. I'm pretty sure the account we are using here, caadmin, is not part of Enterprise Admins. We can check who is a member of this group: you can log on to DC01 and check it out, or you can use PowerShell, so I will quickly use PowerShell to check this. In PowerShell I will Enter-PSSession to TEKNEX-DC01; the account I'm using, caadmin, is a domain admin, so it is able to log on to DC01. Let's go back; I'm going to clear here, and we would like to check the AD group members, so Get-ADGroupMember -Identity "Enterprise Admins". If I hit Enter you can see these two members: cmadmin is part of that group and the Administrator account is part of that group. So what I will do is change here and enter the username Administrator and the password for that user. This user is populated here, so we will click Next. The role service is Certification Authority, so click Next again. For Setup Type it's an enterprise CA, not a standalone CA, so we will select Enterprise CA and click Next. The next option is CA Type: it's a root CA, not subordinate, because this is the very first CA in our domain, so we will select Root CA and click Next. Private key: create a new private key, click Next. Cryptography, this is what we were talking about earlier: SHA256 is auto-selected and the key length is 2048, so we'll select that and click Next. CA Name, you can update that name, so I will get rid of that first bit and it's TEKNEX-CA01-CA; click Next. Validity period: five years, it's plenty; click Next. Certificate database: I will leave it as it is, click Next. This is the confirmation with the options we have selected; we will click on Configure, and we are done, so we will click on Close. Our certificate authority is ready to be used.

Now we are going to configure certificate templates; we are going to configure three certificate templates altogether. The first one is going to be the client authentication template: that template will be used by clients to communicate with the sites which are HTTPS-enabled. The second certificate template will be for our distribution point, and the distribution point will use it for two purposes: the first is that the distribution point will use it to communicate with any management point which is HTTPS-enabled, and the second purpose is that it will be used by PXE-enabled clients to communicate with an HTTPS-enabled management point. The third one we are going to use for our Configuration Manager IIS servers: this certificate will encrypt the data and will authenticate the servers to the clients.

Let's log on to our certificate authority and configure those templates. On TEKNEX-CA01, or wherever you have installed and configured the certification authority role, click on Tools and select the very first option, which is Certification Authority. Click on that, and here we will click on TEKNEX-CA01-CA and extend it; we have these different options. On Certificate Templates right-click and click on Manage. This will open a new window, and in this window we have all the available templates. The template we are going to use for the first one is Workstation Authentication: right-click on that and select Duplicate Template, and this will open the wizard. Here we are going to leave everything default except two options. In General, give it a name: I will name it CM Client Certificate. And we will update Security: you can see Domain Computers have the Enroll permission checked here; what we are going to do is provide the Read permission and the Autoenroll permission, and basically that's all. We can click Apply and click OK, and you will see CM Client Certificate is ready here.

Again we're going to select Workstation Authentication, right-click, Duplicate Template, and in General we will update the name: I will name it CM DP Certificate. Validity, I'm not changing it, I'm leaving one year here. We will select Request Handling, and this is very important: here we have to tick this box, Allow private key to be exported. Then we will update Security: we can remove Domain Computers, we don't need those here, so click on Remove, and we will add our IIS server group, CM IIS Servers. I will click on Check Names, you can see that this is populated, and our Configuration Manager server is part of this group; click OK. We are going to provide Read permissions and also the Enroll permission. Microsoft also recommends removing the permissions which Domain Admins have: the Domain Admins group has the Enroll permission, so we will undo that, and Enterprise Admins have Enroll permissions too, so we can uncheck that as well. We will click Apply and click OK, so this is ready as well, which is CM DP Certificate.

The next certificate we need is for the CM IIS servers. We will select Web Server as the template, right-click, select Duplicate, and in General we will update the name: I will name it CM IIS Servers Certificate. We will update Security as well: in Security we will add CM IIS Servers, Check Names, click OK, and we will provide Enroll permissions; Read and Enroll are checked. For Domain Admins we can remove Enroll, and for Enterprise Admins we can remove Enroll as well. This looks pretty good, and we will click on Apply. Also look at Subject Name: you can see that Supply in the request is selected. I haven't changed anything else, and we will click OK. Our certificate templates are ready.

What we have to do now is issue these templates. In the Certification Authority console we will right-click on Certificate Templates, click New, Certificate Template to Issue, and here from the list we will select these three certificate templates: CM Client Certificate, CM DP Certificate and CM IIS Servers Certificate. Click OK, and that's it. We can see CM IIS Servers, DP and Client Certificate listed here under Certificate Templates.

Once our certificate templates are ready, they're ready to enroll, or issue, or we have to export where applicable. Let's have a look at how we can do this. The first one we are going to do is the client authentication certificate, and for that one we have to use a GPO. On DC01 we are going to create a GPO. I have logged on to TEKNEX-DC01; Server Manager is open, and in Tools we will select Group Policy Management. We are going to create a new Group Policy Object and then link it to TEKNEX Computers. I will create a new Group Policy Object and name it C_Client Authentication Cert. Either you can add this to your existing Group Policy Object, it's up to you; I'm going to create a new one here. Click OK, and it is available right here; I will right-click and select Edit. This is a computer-based policy, so we will select Policies under Computer Configuration, extend that, Windows Settings, and in Windows Settings we are going to extend further to Security Settings. In Security Settings we have Public Key Policies; double-click on that and we will find this policy at the end: Certificate Services Client - Auto-Enrollment. Double-click on that; we are going to enable this, and here we are going to check Renew expired certificates, update pending certificates and remove revoked certificates, and check this as well, Update certificates that use certificate templates. Click Apply, click OK, and basically that is all.

I will close this, and now we are going to link this policy on TEKNEX Computers. Remember one thing: we have to link this policy to any site server which has the management point role installed as well, which means this certificate has to be installed on the site server which has the management point role. In our case, in Member Servers we have our Configuration Manager server, there's only one server, and it has the management point role installed, so that server definitely needs this client certificate as well. This is why I'm linking it at the top, on TEKNEX Computers: this will install this client certificate on all the machines within the TEKNEX Computers organizational unit. Right-click here, Link an Existing GPO, and we will select C_Client Authentication Cert; I will click OK, and I will right-click here and update Group Policy, click Yes.

We can also test this out. To do that we can minimize this, go back and log on to PC01 or PC02; I have two computers there. Before we do gpupdate I would like to show you the local machine certs. We can open the local machine cert store with certlm.msc, click OK and say Yes to it, and we can see Local Computer certificates. In Personal you can see that nothing is there, so that policy hasn't kicked in yet. We will do a gpupdate: type gpupdate /force and click OK. It's updating the policy, and here we can refresh it; in some cases you might have to restart the device as well. Certificates, there you go, it actually came across: this is the client authentication certificate.

Now the next part: we have two more certificates, one for the distribution point and the other for our IIS servers. We will log on to CM01, TEKNEX-CM01, and here we are going to enroll these two certificates. You know that we have made a group membership change, which means we might have to restart this server, otherwise we may not be able to enroll these certificates. So what I'm going to do quickly is close everything here and give it a quick reboot. All right, I have restarted CM01. I will open certlm.msc to see the local computer certificates, say Yes to it, and here we have the Local Computer Personal store and Certificates. We should get that client certificate, which is listed right here: we can see TEKNEX-CA01-CA, Client Authentication, which is good. Also in Trusted Root Certification Authorities we will see TEKNEX-CA01-CA listed as well. Let's come back to Personal, Certificates, right-click here, All Tasks and Request New Certificate. Click Next, Active Directory Enrollment Policy, and then click Next. Here we can see the few certificates we have permission on, so we can select CM DP Certificate and also CM IIS Servers Certificate. For this one we will provide more information: select that, and in Alternative Name we will select DNS and provide the computer name, which is TEKNEX-CM01, the computer name of our site server, and click Add. We will also provide the fully qualified domain name, which is teknex-cm01.teknex.local, and click Add. We will also provide a friendly name in General: I will name it CM IIS Servers Certificate. Once we have provided this information in Subject and General, hit Apply, click OK and click on Enroll. So I have selected CM DP Certificate and provided extra information for CM IIS Servers Certificate; click on Enroll, it has succeeded, click Finish. Now we can see the DP certificate is there, the CM Client Certificate is there, which came across with the help of Group Policy, and the IIS Servers certificate is available as well.

You may remember that for CM DP Certificate we allowed exporting of the private key. What we are going to do here is right-click, All Tasks, and export it. Select Export, click Next, Yes, export the private key, click Next. We are selecting Personal Information Exchange; we will uncheck that and only select Include all certificates in the certification path if possible. Click Next, provide a password, then click Next, and here we select a file name: I will save it on the same server in Documents and name it DP Certificate, click Save, click Next and Finish. The export was successful; click OK.

So now we have requested a certificate, we exported it, and we have issued a certificate with Group Policy. The next part is to configure our IIS server and WSUS server to use HTTPS. This is what we are going to do on our Configuration Manager server where IIS is available and the WSUS role is installed. I'm on CM01; I will go to Tools and open IIS Manager. In IIS Manager I will extend here and we can see Sites; extend Sites and we see Default Web Site and WSUS Administration. Let's update Default Web Site first: select Default Web Site, and in Actions select Bindings. Here on 443 click Edit, select the SSL certificate, CM IIS Servers Certificate, click OK and click Close. Now if you open Internet Explorer and go to https://teknex-cm01 and hit Enter, you can see that this is working. If you click here, View Certificate, Certification Path, you can see that this has been issued to TEKNEX-CM01; click OK. We can also test the fully qualified domain name, .teknex.local, hit Enter, and this is resolved, which is good. We will do the same thing for WSUS Administration: select that, select Bindings, and here for the 8531 HTTPS port click Edit, edit the SSL certificate, extend that and select CM IIS Servers Certificate, click OK and Close.

With WSUS we have to do slightly more than what we have done for Default Web Site. Let's have a look at this documentation from Microsoft on WSUS for HTTPS; they recommend performing the following steps. You can see that for ApiRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService we have to go to the properties, update Require SSL, and ensure that Ignore client certificates is selected. Let's do that. Go back to CM01, ApiRemoting30: here we will select SSL Settings, double-click, Require SSL, and hit Apply. The same thing we are going to do for ClientWebService: SSL Settings, double-click, Require SSL, make sure Ignore is selected, hit Apply. DSSAuthWebService: select SSL Settings, Require SSL, hit Apply. Then ServerSyncWebService: SSL Settings, double-click, Require SSL, click Apply. SimpleAuthWebService, the same: double-click SSL Settings, Require SSL, ensure this is selected and hit Apply. This is done within IIS; however, we have to make sure that we enable SSL for WSUS. To do that we will open File Explorer, go to Local Disk C, where we have installed the WSUS role, Program Files, Update Services; in Update Services we will find Tools, and we have WsusUtil.exe. Click on File and Open with PowerShell as administrator, say Yes. If you type wsusutil and hit Tab, then /?, you can see the help here. We would like to configure SSL, so I'm going to select that, paste it here and see what the help says. This didn't work, for a reason: we have to type .\wsusutil help configuressl, so the .\ was missing and that's why we saw this error. Hit Enter and we can see the help. In the example we can see "enable SSL on the WSUS web service": if you just type wsusutil configuressl it is for the current machine from which you run it; however, if you want to ensure that it's configured properly and uses the fully qualified domain name, it's better to run this one, wsusutil configuressl with the FQDN. The FQDN in the example is theirs; in our case we have a different fully qualified domain name, so we will run this utility: I will clear this, type ws and hit Tab so you see .\WsusUtil.exe, then type configuressl and the fully qualified domain name, teknex-cm01.teknex.local; make sure you type it correctly, then hit Enter. Here you can see the URL https://teknex-cm01.teknex.local and 8531 is the port. This is done.

So all the hard work is now done. Now we have to open the Configuration Manager console and update our site. Let's do that on TEKNEX-CM01. In the Configuration Manager console I will change to Administration, then we will look at Site Configuration and click on Sites; you will see your site listed here. I will right-click and go to Properties. In Properties we have Communication Security, and here we can change it to HTTPS. We have an option either to go HTTPS only, or HTTP or HTTPS, using HTTPS where available. I would suggest using the second option, HTTP or HTTPS, to start with, and later on you can go fully HTTPS. Let's tick that box: Use PKI client certificate when available. Basically that's all we have to do here, but we will come back: we have to update the trusted root certification authorities for our PXE deployment, because PXE boot might not work if you have not provided the trusted root certification authorities here. You have to set it here, so we'll come back to this. Hit Apply and click OK.

Also, with the site system roles: change to Servers and Site System Roles and let's update our distribution point. For our distribution point we have to use the certificate we exported earlier. Right-click, go to Properties, and in Properties we will change to Communication: here we will select HTTPS, Allow intranet only (we do not have anything else configured, which is why we have just one option), and here we have an option to import a certificate. Click on Browse, I will select Documents and DP Certificate, provide the password here, and hit Apply. Looks good, so click OK. The distribution point is ready for HTTPS as well.

Now I am going to update the software update point so that it can communicate over HTTPS as well. In Servers and Site System Roles I will select Software Update Point, right-click and click Properties; in General check this box, Require SSL communication to the WSUS server, click Apply and click OK.

However, the way the management point works is slightly different: when we change it over to HTTPS it is going to reinstall that role, so we have to look at some logs for that. Let's have a look at those logs first. I will open File Explorer and go to where Configuration Manager is installed, in my case the D drive: double-click on that, Program Files, Microsoft Configuration Manager, and we will head over to Logs. In Logs we will look for mpsetup.log; double-click on that, it has the information from when the role was installed. Minimize that and this one as well, select Management Point, right-click, go to Properties. In Properties we will head to General, it's already there, and we will select HTTPS; we don't have to do anything else, this other option is for when we configure a cloud management gateway, and we do not have a cloud management gateway so we don't have to change anything else here. Click Apply and click OK, and let's have a look at this log to see what is happening with it. Also if we go back to Monitoring, System Status, Site Status, we should see a red cross on the management point. Here we can see that it has started, and this is today's date, and back in Monitoring we can see the red cross on the management point. This will fix itself, so let's wait for it and keep monitoring this log; the log will say that it is successfully installed. While this is doing that we can go back to PC01; I am going to restart it as well so that it's ready. Let's go back to CM01; this can take a while and I will be back when it's ready. Okay, we can see that mpsetup.log says the installation was successful, which is good news, and in Site Status you can see the management point is back and has a green tick; in Component Status we shouldn't have any problems either. That's good.

There's also another log you can check, mpcontrol.log: you can find information about SSL here as well; you can see that there's SSL information in mpcontrol.log. Apart from this you can see the list of available management points through Internet Explorer by browsing; however, you will see an error because you need a client certificate for that. This is the URL you can hit: https://your-server-name, in my case teknex-cm01, /sms_mp, and you will find this listed in the description below, so you can copy that and use it. If you refresh it will say a client certificate is required. What you can do is go to Tools, Internet Options, Content, Certificates, Import, and we will utilize the certificate that we have for our distribution point. Go to Documents where I have saved the cert, select All Files, select it, click Next, provide the password, click Next, Place all certificates in the following store: Personal, click Next, click Finish and click OK. The cert is available here; close that and click OK, and let's refresh and see what happens. We might have to restart IE, so let's close it and open Internet Explorer again, paste it here and go ahead, and you should see this list. You can go ahead and remove the cert we added; it's just a lab, so we can leave it, but to remove it go back to Internet Options, Content, Certificates and click Remove. So let's just remove that and close.

Now let's go back to our client, PC01, and see whether it is communicating over PKI or not. Go back to PC01, which is here, and double-click the Configuration Manager shortcut; these are the properties, and here you can see that this is actually communicating over PKI.

One thing I would like to show you: if you're using operating system deployment and you do not populate the trusted root certs in your site properties, you might see some errors. Let's have a look at how to troubleshoot that. If I go to Hyper-V Manager I have PC02 here; what I'm going to do is PXE boot that one: go to Settings, boot from the network adapter, and I have actually deployed a task sequence to this one, click Apply. Double-click on that, start it, and I will hit Enter when it prompts. It's booting on the network now; I will show you what will happen if you do not configure your site server properly for HTTPS. It's booting now; I will provide the password and click Next. It is hanging here at "Retrieving policy for this computer". I have enabled command support, so I will press F8, type cmtrace, hit Enter, and open This PC, Boot, Windows, Temp, and then SMSTSLog: this is the smsts.log file. Double-click on that and you can find some errors here: it will say that it is using SSL, "In SSL, but no client cert", "SSL, using authenticator in request". You might see issues like this if you do not configure it properly.

So we can turn it off, and we will go back to CM01 and open certlm.msc, Local Computer certificates. We'll go to Trusted Root, open that, and find TEKNEX-CA01-CA; right-click, All Tasks, Export, and we're going to export the root cert. Click Next, Next, Browse, and we will save it in Documents again and name it TEKNEX Root Cert; click Save, Next and Finish, click OK. That's done. Back in the Configuration Manager console we will go to Administration, Site Configuration, Sites, select your site, right-click, go to Properties, and in Communication Security you can see Trusted Root Certification Authorities, Set; nothing is listed here. Click here, go to Documents, we can see the TEKNEX Root Cert is available, double-click on that and it will be populated here; click OK, hit Apply and click OK. That's done. This is how you update and tell Configuration Manager who the root CA is. We can test it again: minimize this, go back to PC02, double-click and start it. It's starting, and we will hit Enter when it prompts. Now if I click Next I will see the task sequence which is available here, and if I go back to Configuration Manager and our logs, this is SMSPXE.log
file and you can see that prioritizing mp http this um this is the management point it's it was trying to connect earlier so it has given that error so it failed to connect however this time around we can see that this has actually connected successfully okay so this looks good so this is why i highly recommend that you go ahead and update your sites and you update your ca here within communication security so this is here so root ca specified so make sure you set that route ca all right so that's all for this video if you find this video informative give it a thumbs up and show your support subscribe to my channel and click on the bell icon as well to get all the latest updates and also if you have any questions leave it in the comments box below i'm more than happy to help you i will see you in the next video have a good one in the meantime you
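The video verifies the HTTPS switch by hand: exporting the root CA from certlm.msc, watching mpsetup.log and mpcontrol.log, and browsing the MP list in Internet Explorer with a client certificate. The script below is an added example, not code from the video or from Microsoft, that does the same checks from PowerShell on the site server: it exports the root CA certificate from the Local Computer Trusted Root store, opens a TLS session to the management point and confirms the server certificate actually chains to that root (with a sane signature hash and key length), scans mpcontrol.log and smspxe.log for SSL lines, and, if a client-authentication certificate is present, fetches the MP list over HTTPS. The host name technex.cm01, the CA name technex-ca01-ca and the D:\ log path are the lab values heard in the video and are placeholders to replace; the MP list URL path /sms_mp/.sms_aut?mplist is the standard ConfigMgr MP list endpoint.

```powershell
# Added HTTPS verification script for a ConfigMgr lab (example, not from the video).
# Placeholders: $MpFqdn, $RootCaName and $LogDir are the lab values from the video; adjust to your site.
param(
    [string]$MpFqdn     = 'technex.cm01',                                          # placeholder MP/site server FQDN
    [string]$RootCaName = 'technex-ca01-ca',                                       # placeholder root CA common name
    [string]$LogDir     = 'D:\Program Files\Microsoft Configuration Manager\Logs', # placeholder log folder
    [string]$ExportPath = "$env:USERPROFILE\Documents\technex-root-cert.cer"      # where the root .cer is written
)

# 1. Export the root CA certificate from Local Computer > Trusted Root, the manual certlm.msc step.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$RootCaName*" } |
        Select-Object -First 1
if (-not $root) { throw "Root CA '$RootCaName' not found in Cert:\LocalMachine\Root" }
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null
"Exported root CA '{0}' thumbprint {1} to {2}" -f $root.Subject, $root.Thumbprint, $ExportPath

# 2. Open a TLS session to the management point and capture the certificate it presents.
#    The validation callback returns $true only so we can inspect the chain ourselves in step 3;
#    it is not a pattern to reuse in production clients.
$tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($MpFqdn)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "TLS {0} negotiated with {1}" -f $ssl.SslProtocol, $MpFqdn
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. Build the chain and confirm it terminates at the root we just exported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab only: the CRL may not be reachable from here
$null = $chain.Build($serverCert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$findings = @()
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    $findings += "Server cert chains to '$($chainRoot.Subject)', not to the expected root '$($root.Subject)'"
}
if ($serverCert.SignatureAlgorithm.FriendlyName -like '*sha1*') {
    $findings += "Server cert is SHA-1 signed ($($serverCert.SignatureAlgorithm.FriendlyName))"
}
if ($serverCert.PublicKey.Key.KeySize -lt 2048) {
    $findings += "Server cert key is only $($serverCert.PublicKey.Key.KeySize) bits"
}
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present on the web server certificate.
if (-not ($serverCert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')) {
    $findings += 'Server cert lacks the Server Authentication EKU'
}
"Server cert: {0} (expires {1})" -f $serverCert.Subject, $serverCert.NotAfter
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'Chain and certificate checks passed' }

# 4. Pull the SSL-related lines the video looks at in mpcontrol.log and smspxe.log.
foreach ($log in 'mpcontrol.log', 'smspxe.log') {
    $path = Join-Path $LogDir $log
    if (Test-Path $path) {
        "--- last SSL/MP lines in $log ---"
        Select-String -Path $path -Pattern 'SSL|https://' | Select-Object -Last 5 | ForEach-Object { $_.Line }
    } else {
        "log not found: $path"
    }
}

# 5. The MP list the video views in IE. It requires a Client Authentication (1.3.6.1.5.5.7.3.2) certificate,
#    so use one from the machine store if present; otherwise report the same 'client certificate required' condition.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Select-Object -First 1
if ($clientCert) {
    $resp = Invoke-WebRequest -Uri "https://$MpFqdn/sms_mp/.sms_aut?mplist" -Certificate $clientCert -UseBasicParsing
    "MP list ({0} bytes):" -f $resp.RawContentLength
    $resp.Content
} else {
    'No client-authentication certificate with a private key in Cert:\LocalMachine\My; MP list request skipped'
}
```

Run it in an elevated PowerShell on the site server after the management point reinstall has completed (mpsetup.log reports success). A chain mismatch in step 3 is the same condition that produced the "no client cert" / policy-retrieval hang in smsts.log on PC02: the site's Trusted Root Certification Authorities setting must name the root that actually issued the MP and DP certificates, which is what the exported .cer from step 1 is for.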
Info
Channel: TekNex Solutions
Views: 6,515
Keywords: configmgr, mecm, sccm, system center configuration manager, microsoft endpoint configuration manager, https, memcm, teknex, sccm https step by step, sccm https, sccm https setup, configmgr https, adcs, ca, pki
Id: xbU4vxwGeDo
Length: 46min 29sec (2789 seconds)
Published: Wed Aug 26 2020